- 28 Sep, 2016 4 commits
-
-
Robert Speicher authored
Escape HTML nodes in builds commands in ci linter

This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.

Closes #22541

See merge request !2001

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
API: disable rails session auth for non-GET/HEAD requests

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435

See merge request !1999

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Set a restrictive CORS policy for the API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450

See merge request !1998

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Enforce the fork_project permission in Projects::CreateService

Projects::ForkService delegates to this service almost entirely, but needed one small change so it would propagate create errors correctly.

CreateService#execute needs significant refactoring; it is now right at the complexity limit set by Rubocop. I avoided doing so in this commit to keep the diff as small as possible.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18028

See merge request !1996

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 19 Sep, 2016 2 commits
-
-
Rémy Coutable authored
-
Rémy Coutable authored
Allow the Rails cookie to be used for API authentication

Makes the Rails cookie into a valid authentication token for the Grape API, and uses it instead of token authentication in frontend code that uses the API.

Rendering the private token into client-side javascript is a security risk; it may be stolen through XSS or other attacks. In general, re-using API code in the frontend is more desirable than implementing endless actions that return JSON.

Closes #18302

See merge request !1995

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 14 Sep, 2016 4 commits
-
-
Rémy Coutable authored
[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Exclude some pending or inactivated rows in Member scopes

An unapproved request or not-yet-accepted invite should not give access rights. Neither should a blocked user be considered a member of anything.

One visible outcome of this behaviour is that owners and masters of a group or project may be blocked, yet still receive notification emails for access requests.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21650

See merge request !1994

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 01 Sep, 2016 3 commits
-
-
Ruben Davila authored
-
Ruben Davila authored
-
Stan Hu authored
lib/backup: fix broken permissions when creating repo dir

## What does this MR do?

This MR fixes an issue where gitlab:backup:restore will not work because the repositories directory is set up with bad permissions. The bad permissions will prevent access to the repositories by the git user, causing all kinds of troubles (e.g. gitlab-shell won't install hooks).

## Are there points in the code the reviewer needs to double check?

## Why was this MR needed?

Rake task gitlab:backup:restore would complete successfully, but gitlab:check will report errors and gitlab cannot access repos.

## Screenshots (if relevant)

* repositories.old.1472478726 was created without the fix
* repositories was created with the fix

![gitlab-repo-permissions](/uploads/6cf2de57fe4f1be0bd5b5e1a13234889/gitlab-repo-permissions.png)

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

See merge request !6098
-
- 19 Aug, 2016 4 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
-
Robert Speicher authored
Update doorkeeper to 4.2.0

Changelog: https://git.io/v6PnV

See merge request !5881

(cherry picked from commit c5aa31c8)
-
Robert Speicher authored
Update Hamlit to 2.6.1

Fixes gitlab-org/gitlab-ce#21025 and gitlab-org/gitlab-ce#21017

See merge request !5873

(cherry picked from commit e26ce27d)
-
- 16 Aug, 2016 5 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
Allow to sort by project size on admin projects page

Fixes #20317

See merge request !5797

(cherry picked from commit dd2088b0)
-
Douwe Maan authored
Set permissions to admin for importing a project via Import/Export

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/20802

In order to import a project, it is now required to be an admin

Moved from https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5766

See merge request !1983

(cherry picked from commit 966b3038)
-
Douwe Maan authored
Fix attribute inclusion import/export config ignored in some cases

In the `import_export.yml` file we define the inclusion of some of the attributes. For some reason, this isn't working in certain cases - very unfortunate this includes `user`.

This has been introduced in 8.10.3.

Related https://gitlab.com/gitlab-org/gitlab-ce/issues/20802

See merge request !1982
-
Robert Speicher authored
[ci skip]
-
- 15 Aug, 2016 1 commit
-
-
Robert Speicher authored
Upgrade Rails to 4.2.7.1 for security fixes.

Upgrades Rails from 4.2.7 to 4.2.7.1 for security fixes.

For more information: http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/

This should be backported to all currently-supported releases.

See merge request !5781
-
- 10 Aug, 2016 5 commits
-
-
Rémy Coutable authored
-
Rémy Coutable authored
Used cached value of project count to reduce DB load

Following !5746, backport a change from https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/637/diffs#diff-2.

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5754

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Add a method in Project to return a cached value of total count of projects

This is in preparation to address the DB load caused by the counting in gitlab-com/infrastructure#303.

See merge request !5746
-
Douwe Maan authored
Revert "Defend against 'Host' header injection"

We reverted this in omnibus but forgot to do it in the source NGINX template.

See merge request !5706

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Add a data migration to fix some missing timestamps in the members table (again)

Repeats an earlier migration to fix historic bad data in the members table (missing created_at and updated_at fields).

I'm expecting the WHERE clauses to be fast enough, and to return few enough rows, that the migration doesn't need to use batches, but I'm not too familiar with the size of these tables in the wild, so perhaps that's a poor assumption.

8.10 introduced a dependency on the `members.created_at` field in the project and namespace member view. If bad data is present, viewing the list of members now results in a NoMethodError and a 500 response from GitLab.

Although the previous migration should have fixed all bad rows, we have evidence that it didn't in at least one case, despite the migration claiming to have run in the past.

Closes #20568

See merge request !5670

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 04 Aug, 2016 6 commits
-
-
Rémy Coutable authored
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Fix Import/Export error checking versions

Fixes small bug preventing the correct error message about Import/Export version being displayed.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/20536

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5638

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Fix Import/Export not working in HA mode

Use a shared path instead of `Tempfile` default `/tmp` so the import file is accessible by any GitLab instance.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/20506

See merge request !5618

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Don’t close issues on original project

Closes #20527 -> https://gitlab.com/gitlab-org/gitlab-ce/issues/20527

See merge request !1981

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 01 Aug, 2016 6 commits
-
-
Fatih Acet authored
Dropdown enter key fix

## What does this MR do?

Fixes issue with dropdowns enter key not working correctly

See merge request !5544
-
Rémy Coutable authored
-
Phil Hughes authored
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Trim extra displayed carriage returns in diffs and files with CRLFs

## What does this MR do?

This MR strips out extra carriage returns at the end of each tokenized string.

## Are there points in the code the reviewer needs to double check?

Does this remove more than we need?

## Why was this MR needed?

Windows users would see extra lines in their files. Newline characters are already added with every line in the HTML formatter.

## What are the relevant issue numbers?

#20440, gitlab-com/support-forum#892, #20468

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5588

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Stan Hu authored
Ignore invalid IPs in X-Forwarded-For when trusted proxies are configured.

## What does this MR do?

Catches IPAddr::InvalidAddressError exceptions in `trusted_proxy?` when a) a trusted proxy is set up in the gitlab config and b) an invalid IP address is passed to the method (e.g. one with a port attached). When caught, returns `false` from the method. Prevents a 500 error in this situation.

## What are the relevant issue numbers?

Closes gitlab-org/gitlab-ce#20466.

## Does this MR meet the acceptance criteria?

- [X] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [N/A] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [N/A] API support added
- Tests
  - [X] Added for this feature/bug
  - [X] All builds are passing
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5584

Signed-off-by: Rémy Coutable <remy@rymai.me>
-