- 05 Feb, 2019 3 commits
-
-
Committed by Winnie Hellmann
-
Committed by Brett Walker
-
Committed by Francisco Javier López
-
- 04 Feb, 2019 6 commits
-
-
Committed by Dylan MacKenzie
-
Committed by Adriel Santiago
Resizes metrics graph on window and sidebar width changes
-
Committed by Nick Thomas
-
Committed by Reuben Pereira
-
Committed by Felipe Artur
-
Committed by Paul Slaughter
-
- 03 Feb, 2019 1 commit
-
-
Committed by Stan Hu
Due to a change in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24245, the Detect Host Key feature in the SSH mirroring stopped working. `SshHostKey#primary_key` was being used instead of the hard-coded `:id`. However, `SshHostKey#find_by` was expecting the symbolized `:id` rather than the string `id`, so it could never find the host key it was supposed to update. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56855
-
- 02 Feb, 2019 2 commits
-
-
Committed by Mark Chao
Allow `steal` to handle dead jobs.
-
Committed by Martin Wortschack
  - Use JS regex for emoji validation
  - Add test for blocking emojis in full name
  - Fix existing tests for user status that failed locally
-
- 01 Feb, 2019 8 commits
-
-
Committed by James Lopez
-
Committed by Lin Jen-Shin
-
Committed by Annabel Dunstone Gray
Updates the layout of the admin appearance settings to be consistent with other settings pages across GitLab
-
Committed by Mark Chao
The data migration looks for code owner file and errs if repository is missing.
-
Committed by Jacques Erasmus
-
Committed by Semyon Pupkov
-
Committed by Adriel Santiago
-
Committed by Gabriel Mazetto
-
- 31 Jan, 2019 20 commits
-
-
Fix a JS race in a spec Closes #56860 See merge request gitlab-org/gitlab-ce!24684
-
Committed by Kamil Trzciński
-
Committed by Francisco Javier López
-
Committed by James Lopez
-
Committed by Constance Okoghenun
-
Committed by James Lopez
-
Committed by Steve Azzopardi
When a user is a guest user, and the "Public Pipeline" is set to false inside of "Settings > CI/CD > General", the commit status in the project dashboard should not be shown.
-
Committed by Jan Provaznik
When moving a project, it's possible that some users who had access to the project in the old path cannot access the project in the new path. Because `project_authorizations` records are updated asynchronously, when we send the notification about the moved project the list of project team members contains old project members; we want to notify all these members except the old users who cannot access the new location.
-
Committed by Dennis Tang
-
Committed by Stan Hu
To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths:
GitHub: /users/auth/-/import/github
Bitbucket: /users/auth/-/import/bitbucket
This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth
It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
-
Committed by Nick Thomas
LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse:
* Authorizes the request with rails (upload_authorize)
* Handles the upload of the file to a tempfile - disk or object storage
* Validates the file size and contents
* Hands off to rails to complete the upload (upload_finalize)
In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID.
Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request. If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request.
The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID.
We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists.
-
Committed by Kamil Trzciński
RubyZip allows us to perform strong validation of expanded paths where we extract files. We introduce the following additional checks to extract routines:
1. None of the path components can be symlinked,
2. We drop privileges support for directories,
3. Symlink source needs to point within the target directory, like `public/`,
4. The symlink source needs to exist ahead of time.
-
Committed by Kushal Pandya
-
Committed by Heinrich Lee Yu
This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
-
Committed by Kushal Pandya
-
Committed by Brett Walker
Such as those with IDN homographs or embedded right-to-left (RTLO) characters. Autolinked hrefs should be escaped
-
Committed by Francisco Javier López
-
Committed by Tiago Botelho
Group guests will only be displayed merge requests to projects they have an access level to, higher than Reporter. Visible projects will still display the merge requests to Guests
-
Committed by Francisco Javier López
When the external wiki is enabled, the internal wiki link is replaced by the external wiki URL. But the internal wiki is still accessible. In this change the external wiki will have its own tab in the sidebar and only if the services are disabled the tab (and access rights) will not be displayed.
-
Committed by Luke Duncalfe
Fixes #54721
-