- 02 Dec, 2016 3 commits
-
-
Alejandro Rodríguez authored
[ci skip]
-
Sean McGivern authored
Create tag after running pre-hooks and pass updated SHA to post-hooks Closes #24813 See merge request !7700 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Ensure state param has a valid value when filtering issuables. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064 This fix makes sure we only call safe methods on issuable when filtering by state. See merge request !2038
-
- 28 Nov, 2016 2 commits
-
-
Rémy Coutable authored
-
Rémy Coutable authored
[ci skip]
-
- 25 Nov, 2016 1 commit
-
-
Robert Speicher authored
Update grape-entity to 0.6.0 See merge request !7491 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 24 Nov, 2016 5 commits
-
-
Douwe Maan authored
Replace issue access checks with use of IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
⚠ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x]🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x]🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x]✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x]✅ lib/api/issues.rb:112 [`visible_to_user`]
- CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x]✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x]✅ lib/gitlab/search_results.rb:53 [`visible_to_user`]
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested

### Issue lookup without access check (security)

- [x]✅ app/controllers/projects/branches_controller.rb:39
  - `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc.
- [x]🚥 app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x]✅ app/controllers/projects/todos_controller.rb:19

### Code smells

- [x] Potential double render in app/controllers/projects/todos_controller.rb

### Previous discussions

- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030
-
Douwe Maan authored
Fix information disclosure in `Projects::BlobController#update`

## What does this MR do?

It was possible to discover private project names by modifying `from_merge_request` parameter in `Projects::BlobController#update`. This fixes that.

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ce/issues/22869

See merge request !2023

Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Fix label creation non members Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416 See merge request !2006
-
Douwe Maan authored
500 error on project show when user is not logged in and project is still empty

## What does this MR do?

Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show

## Screenshots (if relevant)

When the project is empty and the user is not logged in we default to the empty project partial instead of readme.

![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png)

## Does this MR meet the acceptance criteria?

- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

Closes #23990

See merge request !7376
-
- 22 Nov, 2016 2 commits
-
-
Achilleas Pipinellis authored
Backport JIRA api docs to 8-13-stable We need to backport the JIRA API docs that were until recently on master to 8-13-stable also. With 8.14 we simplified the way JIRA is configured and we need a link to point to the old docs. https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471 See merge request !7677
-
Achilleas Pipinellis authored
[ci skip]
-
- 17 Nov, 2016 6 commits
-
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
-
Rémy Coutable authored
[ci skip]
-
Robert Speicher authored
Allow commit note to be visible if repo is visible ## What does this MR do? It enforces the `:download_code` permission in `Event#visible_to_user?` for commit notes. Closes #23824 See merge request !7504
-
Sean McGivern authored
Limit labels returned for a specific project as an administrator Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/24527 See merge request !7496
-
- 16 Nov, 2016 1 commit
-
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 15 Nov, 2016 12 commits
-
-
Douwe Maan authored
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`

## What does this MR do?

Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`

It is needed for the `lfs_check_access!` callback when the repository size limit is enabled (EE only).

cc @stanhu @ahanselka

## Why was this MR needed?

Errors shown here: gitlab-org/gitlab-ce#24392

Discovered thanks to gitlab-com/infrastructure#302

## What are the relevant issue numbers?

Fixes #24392

Fixes gitlab-com/support-forum#1280

See merge request !7417
-
Sean McGivern authored
Ensure labels are loaded for all "show" methods of MR Controller Closes #24397 See merge request !7416
-
Rémy Coutable authored
Fix cache for commit status in commits list to respect branches Fix cache for commit status in commits list to respect branches Closes #24324 See merge request !7372
-
Robert Speicher authored
Clicking "force remove source branch" label now toggles the checkbox again We remove the ID from the hidden tag for `merge_request[force_remove_source_branch]` in order to fix the checkbox toggling when the associated label is clicked. The issue was introduced by !7267 and discovered in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7267#note_18028311. See merge request !7356
-
Yorick Peterse authored
Split out markdown cache storage into a separate method See merge request !7277
-
Sean McGivern authored
Fix no "Register" tab if ldap auth is enabled (#24038) Closes #24038 See merge request !7274
-
Robert Speicher authored
Fix project Visibility level selector not using default values closes #20245 See merge request !7264
-
Sean McGivern authored
Fix relative links in Markdown wiki when displayed in "Project" tab Refers to #23806 See merge request !7218
-
Fatih Acet authored
Add test for refs dropdown selection with special chars

## What does this MR do?

## Are there points in the code the reviewer needs to double check?

## Why was this MR needed?

## Screenshots (if relevant)

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

See merge request !7175
-
Robert Speicher authored
Milestone dropdown does not stay selected Closes #23713 See merge request !7117 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Fatih Acet authored
Account for fixed position MR when scrolling to elements This MR accounts for the new merge request fixed affix bar when scrolling to an element on the MR page. The fixed MR tabs bar was not being taken into account when shifting permalink scroll targets so that they are unobscured by navigation elements. Closes #23520 See merge request !7051 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Omniauth auto link LDAP user falls back to find by DN when user cannot be found by uid Unfortunately, SAML IDs can be an LDAP UID, DN, or something else entirely. UID and DN are most common, though. This adds a fallback scenario so we first try to find a matching LDAP user by UID, then by DN. This will fix a problem for the customer in https://gitlab.zendesk.com/agent/tickets/43298 See merge request !7002
-
- 09 Nov, 2016 1 commit
-
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 08 Nov, 2016 2 commits
-
-
Alejandro Rodríguez authored
-
Alejandro Rodriguez authored
Restore unauthenticated access to public container registries Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24284 /cc @stanhu @kamil @pablo See merge request !2025
-
- 07 Nov, 2016 5 commits
-
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
-
Rémy Coutable authored
[ci skip]
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Fix for HackerOne XSS vulnerability in markdown This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153 See merge request !2015 Signed-off-by: Rémy Coutable <remy@rymai.me>
-