  1. 17 Nov, 2016 1 commit
  2. 16 Nov, 2016 2 commits
  3. 07 Nov, 2016 3 commits
  4. 04 Nov, 2016 1 commit
  5. 01 Nov, 2016 1 commit
    • Allow to search for user by secondary email address in the admin interface · f8530580
      Yar authored
      It is not possible to search for a user by his secondary email address in
      the Users search bar in the admin interface (/admin/users). A use-case could
      be that an admin wants to remove a specific secondary email address of a
      user, because it interferes with another user. Issue #23761
      
      This commit adds the ability to search not only by main email, but also
      by any secondary email in the admin interface.
  6. 27 Oct, 2016 1 commit
    • Only show one error message for an invalid email · 36ec5eaf
      Steve Halasz authored
      If notification_email is blank, it's set from email. If an admin
      attempted to create a user with an invalid email, an error would be
      displayed for both fields. Only validate the notification_email if it's
      different from email.
  7. 25 Oct, 2016 1 commit
    • Fix `User#to_reference` · fed3f718
      Timothy Andrew authored
      1. Changes in 8.13 require `Referable`s that don't have a project
         reference to accept two arguments - `from_project` and
         `target_project`.
      
      2. `User#to_reference` was not changed to accept the
         `target_project` (even though it is not used). Moving an issue
         containing a user reference would throw an "invalid number of
         arguments" exception.
      
      Fixes #23662
  8. 24 Oct, 2016 1 commit
  9. 11 Oct, 2016 1 commit
  10. 07 Oct, 2016 1 commit
  11. 05 Oct, 2016 1 commit
    • Refactor Gitlab::Identifier · 16ed9b61
      Yorick Peterse authored
      This refactors Gitlab::Identifier so it uses fewer queries and is
      actually tested. Queries are reduced by caching the output as well as
      using 1 query (instead of 2) to find a user using an SSH key.
  12. 04 Oct, 2016 1 commit
    • Restrict failed login attempts for users with 2FA · 194fbc3c
      Sean McGivern authored
      Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
      our custom login flow with two pages doesn't call this method. This will
      increment the failed login counter, and lock the user's account once
      they exceed the number of failed attempts.
      
      Also ensure that users who are locked can't continue to submit 2FA
      codes.
  13. 15 Sep, 2016 2 commits
  14. 01 Sep, 2016 1 commit
  15. 30 Aug, 2016 1 commit
  16. 24 Aug, 2016 1 commit
  17. 17 Aug, 2016 1 commit
  18. 12 Aug, 2016 1 commit
  19. 04 Aug, 2016 1 commit
  20. 03 Aug, 2016 1 commit
    • Store OTP secret key in secrets.yml · 405379bb
      Sean McGivern authored
      .secret stores the secret token used for both encrypting login cookies
      and for encrypting stored OTP secrets. We can't rotate this, because
      that would invalidate all existing OTP secrets.
      
      If the secret token is present in the .secret file or an environment
      variable, save it as otp_key_base in secrets.yml. Now .secret can be
      rotated without invalidating OTP secrets.
      
      If the secret token isn't present (initial setup), then just generate a
      separate otp_key_base and save in secrets.yml.
      
      Update the docs to reflect that secrets.yml needs to be retained past
      upgrades, but .secret doesn't.
  21. 01 Aug, 2016 1 commit
  22. 20 Jul, 2016 1 commit
  23. 19 Jul, 2016 1 commit
  24. 18 Jul, 2016 5 commits
  25. 15 Jul, 2016 1 commit
  26. 12 Jul, 2016 1 commit
  27. 07 Jul, 2016 1 commit
    • Added setting to set new users by default as external · a0a9494e
      Dravere authored
      As requested by the issue #14508 this adds an option in the application
      settings to set newly registered users by default as external. The
      default setting is set to false to stay backward compatible.
  28. 05 Jul, 2016 1 commit
  29. 01 Jul, 2016 1 commit
  30. 29 Jun, 2016 1 commit
  31. 28 Jun, 2016 1 commit
  32. 24 Jun, 2016 1 commit
    • Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable authored
      The issue was with the `User#groups` and `User#projects` associations
      which go through the `User#group_members` and `User#project_members`.
      
      Initially I chose to use a secure approach by storing the requester's
      user ID in `Member#created_by_id` instead of `Member#user_id` because I
      was aware that there was a security risk since I didn't know the
      codebase well enough.
      
      Then during the review, we decided to change that and directly store the
      requester's user ID into `Member#user_id` (for the sake of simplifying
      the code I believe), meaning that every `group_members` / `project_members`
      association would include the requesters by default...
      
      My bad for not checking that all the `group_members` / `project_members`
      associations and the ones that go through them (e.g. `Group#users` and
      `Project#users`) were made safe with the `where(requested_at: nil)` /
      `where(members: { requested_at: nil })` scopes.
      
      Now they are all secure.
      Signed-off-by: Rémy Coutable <remy@rymai.me>