1. 05 Jul, 2017 8 commits
    • Sean McGivern's avatar
      Merge branch 'jej-fix-spec-failure-with-squashing' into 'master' · 2570140b
      Sean McGivern authored
      Fix spec failure for squash in progress error handling
      
      See merge request !2343
      2570140b
    • Annabel Dunstone Gray's avatar
      Merge branch 'new-admin-sidebar-missing-links' into 'master' · 65b23cb4
      Annabel Dunstone Gray authored
      Fixed admin sidebar not showing all options in new navigation
      
      See merge request !2334
      65b23cb4
    • Annabel Dunstone Gray's avatar
      Merge branch 'ee-32838-admin-panel-spacing' into 'master' · 8b9ca74c
      Annabel Dunstone Gray authored
      Port of 32838-admin-panel-spacing to EE
      
      See merge request !2264
      8b9ca74c
    • Annabel Dunstone Gray's avatar
      Merge branch 'sh-geo-node-show-loading-try2' into 'master' · 53d3f8bd
      Annabel Dunstone Gray authored
      Show loading icon when retrieving Geo node status
      
      Closes #1977
      
      See merge request !2309
      53d3f8bd
    • Douwe Maan's avatar
      Merge branch '33580-fix-api-scoping-ee' into 'master' · 4abaf43a
      Douwe Maan authored
      Resolve EE conflicts for "Fix API Scoping"
      
      See merge request !2338
      4abaf43a
    • Sean McGivern's avatar
      Merge branch '18000-remember-me-for-oauth-login-ee' into 'master' · eb2681a6
      Sean McGivern authored
      EE Port: Honor the "Remember me" parameter for OAuth-based login
      
      See merge request !2175
      eb2681a6
    • James Edwards-Jones's avatar
    • Timothy Andrew's avatar
      Squashed commit representing changes in gitlab-ce!12300. · 6d0dad64
      Timothy Andrew authored
      - There were conflicting changes in `master` that were fixed in
        94258a65. This made rebasing the commits from gitlab-ce!12300
        problematic, due to conflicts.
      
      - Instead, I squashed all !12300 commits into a single commit, and
        cherry-picked that onto 33580-fix-api-scoping-ee, which resulted
        in this commit.
      
      Original commit messages below
      ==============================
      
      Initial attempt at refactoring API scope declarations.
      
      - Declaring an endpoint's scopes in a `before` block has proved to be
        unreliable. For example, if we're accessing the `API::Users` endpoint - code
        in a `before` block in `API::API` wouldn't be able to see the scopes set in
        `API::Users` since the `API::API` `before` block runs first.
      
      - This commit moves these declarations to the class level, since they don't need
        to change once set.
      
      Allow API scope declarations to be applied conditionally.
      
      - Scope declarations of the form:
      
          allow_access_with_scope :read_user, if: -> (request) { request.get? }
      
        will only apply for `GET` requests
      
      - Add a negative test to a `POST` endpoint in the `users` API to test this. Also
        test for this case in the `AccessTokenValidationService` unit tests.
      
      Test `/users` endpoints for the `read_user` scope.
      
      - Test `GET` endpoints to check that the scope is allowed.
      - Test `POST` endpoints to check that the scope is disallowed.
      - Test both `v3` and `v4` endpoints.
      
      When verifying scopes, manually include scopes from `API::API`.
      
      - They are not included automatically since `API::Users` does not inherit from
        `API::API`, as I initially assumed.
      
      - Scopes declared in `API::API` are considered global (to the API), and need to
        be included in all cases.
      
      Test OAuth token scope verification in the `API::Users` endpoint
      
      Add CHANGELOG entry for CE MR 12300
      
      Fix remaining spec failures for !12300.
      
      1. Get the spec for `lib/gitlab/auth.rb` passing.
      
        - Make the `request` argument to `AccessTokenValidationService` optional -
        `auth.rb` doesn't need to pass in a request.
      
        - Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
        is what `AccessTokenValidationService` now expects.
      
      2. Get the spec for `API::V3::Users` passing
      
      2. Get the spec for `AccessTokenValidationService` passing
      
      Implement review comments from @dbalexandre for !12300.
      
      Implement review comments from @DouweM for !12300.
      
      - Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`
      
      - Refactor the "remove scopes whose :if condition returns false" logic to use a
        `select` rather than a `reject`.
      
      Extract a `Gitlab::Scope` class.
      
      - To represent an authorization scope, such as `api` or `read_user`
      - This is a better abstraction than the hash we were previously using.
      
      `AccessTokenValidationService` accepts `String` or `API::Scope` scopes.
      
      - There's no need to use `API::Scope` for scopes that don't have `if`
        conditions, such as in `lib/gitlab/auth.rb`.
      
      Fix build for !12300.
      
      - The `/users` and `/users/:id` APIs are now accessible without
        authentication (!12445), and so scopes are not relevant for these endpoints.
      
      - Previously, we were testing our scope declaration against these two methods.
        This commit moves these tests to other `GET` user endpoints which still
        require authentication.
      6d0dad64
  2. 04 Jul, 2017 32 commits