- 16 12月, 2016 1 次提交
-
-
由 Timothy Andrew 提交于
-
- 15 12月, 2016 2 次提交
-
-
由 Douwe Maan 提交于
Fix missing Note access checks in by moving Note#search to updated NoteFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 ## Which fixes are in this MR?
⚠ - Potentially untested💣 - No test coverage🚥 - Test coverage of some sort exists (a test failed when error raised)🚦 - Test coverage of return value (a test failed when nil used)✅ - Permissions check tested ### Note lookup without access check - [x]✅ app/finders/notes_finder.rb:13 :download_code check - [x]✅ app/finders/notes_finder.rb:19 `SnippetsFinder` - [x]✅ app/models/note.rb:121 [`Issue#visible_to_user`] - [x]✅ lib/gitlab/project_search_results.rb:113 - This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only` in addition to the issue comments which would be fixed by `app/models/note.rb:121`. - It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked. ### Previous discussions - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `: download_code` check on commit - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used - `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223 ### Acceptance criteria met? - [x] Tests added for new code - [x] TODO comments removed - [x] Squashed and removed skipped tests - [x] Changelog entry - [ ] State Gitlab versions affected and issue severity in description - [ ] Create technical debt issue for NotesFinder. - Either split into `NotesFinder::ForTarget` and `NotesFinder::Search` or consider object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two. - Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)` - Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes` See merge request !2035 -
由 Nick Thomas 提交于
-
- 13 12月, 2016 1 次提交
-
-
由 Felipe Artur 提交于
-
- 12 12月, 2016 1 次提交
-
-
由 jnoortheen 提交于
test: replaced signed_out message check with check for sign_in button fixes #25294
-
- 10 12月, 2016 3 次提交
-
-
由 Mike Greiling 提交于
-
由 Mike Greiling 提交于
-
由 Mike Greiling 提交于
-
- 09 12月, 2016 3 次提交
-
-
由 Douwe Maan 提交于
Replace MR access checks with use of MergeRequestsFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
⚠ - Potentially untested💣 - No test coverage🚥 - Test coverage of some sort exists (a test failed when error raised)🚦 - Test coverage of return value (a test failed when nil used)✅ - Permissions check tested - [x]💣 app/finders/notes_finder.rb:17 - [x]⚠ app/views/layouts/nav/_project.html.haml:80 [`.count`] - [x]💣 app/controllers/concerns/creates_commit.rb:84 - [x]🚥 app/controllers/projects/commits_controller.rb:24 - [x]🚥 app/controllers/projects/compare_controller.rb:56 - [x]🚦 app/controllers/projects/discussions_controller.rb:29 - [x]✅ app/controllers/projects/todos_controller.rb:27 - [x]🚦 app/models/commit.rb:268 - [x]✅ lib/gitlab/search_results.rb:71 - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)` - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`. - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?` See merge request !2033 -
由 Robert Speicher 提交于
Destroy a user session when they delete their own account via browser This patch destroys a user's session when they delete their own account using a browser. A new session is created as they are redirected to the sign_in page. Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/25015 See merge request !2042
-
由 Rémy Coutable 提交于
Signed-off-by: NRémy Coutable <remy@rymai.me>
-
- 08 12月, 2016 1 次提交
-
-
由 Dmitriy Zaporozhets 提交于
* add parent_id field to namespaces table to store relation with nested groups * create routes table to keep information about full path of every group and project * project/group lookup by full path from routes table Signed-off-by: NDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-
- 07 12月, 2016 2 次提交
-
-
由 jnoortheen 提交于
After this change the sign-in-success flash message will not be shown refactor: set flash message to be nil while signing in test: changed tests to reflect removal of sign-in message refactor: adding signed_in message back See Merge Request !7837 issue#24982
-
由 Rémy Coutable 提交于
When the project has invitees, no group members were returned due to a `user_id NOT IN (42, NULL)` query which always returned [] since a `user_id` would be NULL, thus the condition could never match. Signed-off-by: NRémy Coutable <remy@rymai.me>
-
- 06 12月, 2016 2 次提交
-
-
由 Bob Van Landuyt 提交于
When a merge request can only be merged when all discussions are resolved. This feature allows to easily delegate those discussions to a new issue, while marking them as resolved in the merge request. The user is presented with a new issue, prepared with mentions of all unresolved discussions, including the first unresolved note of the discussion, time and link to the note. When the issue is created, the discussions in the merge request will get a system note directing the user to the newly created issue.
-
由 Jacopo 提交于
counter This is done by: - Extending the IssuableFinder adding the non_archived option to the params - Overriding the #filter_params in the MergeRequestsAction - Passing the non_archived param in the nav/_group.html.haml navbar partial from the groups/merge_requests.html.haml
-
- 03 12月, 2016 2 次提交
-
-
由 Phil Hughes 提交于
Fixed controls not showing in groups which fixes tests
-
由 Phil Hughes 提交于
Closes #24122
-
- 01 12月, 2016 5 次提交
-
-
由 Rémy Coutable 提交于
Signed-off-by: NRémy Coutable <remy@rymai.me>
-
由 Adam Niedzielski 提交于
when we care only about the number of commits We do not have to instantiate all objects in this case.
-
由 Mike Greiling 提交于
-
由 Filipa Lacerda 提交于
Adds tests for the Linked Tabs class Removes event listener Adds builds
-
由 Filipa Lacerda 提交于
-
- 30 11月, 2016 1 次提交
-
- 29 11月, 2016 6 次提交
-
-
由 Grzegorz Bizon 提交于
-
由 James Lopez 提交于
-
由 James Lopez 提交于
-
由 Douwe Maan 提交于
Fix missing access checks on issue lookup using IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
⚠ - Potentially untested💣 - No test coverage🚥 - Test coverage of some sort exists (a test failed when error raised)🚦 - Test coverage of return value (a test failed when nil used)✅ - Permissions check tested - [x]✅ app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc. - [x]🚥 app/models/cycle_analytics/summary.rb:9 [`.count`] - [x]✅ app/controllers/projects/todos_controller.rb:19 - [x] Potential double render in app/controllers/projects/todos_controller.rb - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24 See merge request !2030 -
由 Douwe Maan 提交于
Fix information disclosure in `Projects::BlobController#update` It was possible to discover private project names by modifying `from_merge_request`parameter in `Projects::BlobController#update`. This fixes that. - [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added - Tests - [x] Added for this feature/bug - [ ] All builds are passing - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html) - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) https://gitlab.com/gitlab-org/gitlab-ce/issues/22869 See merge request !2023
-
由 Ruben Davila 提交于
This new global setting will allow admins to specify if HTML emails should be sent or not, this is basically useful when system administrators want to save some disk space by avoiding emails in HTML format and using only the Plain Text version.
-
- 28 11月, 2016 2 次提交
-
-
由 Rémy Coutable 提交于
Signed-off-by: NRémy Coutable <remy@rymai.me>
-
由 Adam Niedzielski 提交于
-
- 24 11月, 2016 2 次提交
-
-
由 Douwe Maan 提交于
-
由 Rémy Coutable 提交于
Also create a new WorkhorseRequest concern Signed-off-by: NRémy Coutable <remy@rymai.me>
-
- 23 11月, 2016 3 次提交
-
-
由 Yorick Peterse 提交于
Flushing the events cache worked by updating a recent number of rows in the "events" table. This has the result that on PostgreSQL a lot of dead tuples are produced on a regular basis. This in turn means that PostgreSQL will spend considerable amounts of time vacuuming this table. This in turn can lead to an increase of database load. For GitLab.com we measured the impact of not using events caching and found no measurable increase in response timings. Meanwhile not flushing the events cache lead to the "events" table having no more dead tuples as now rows are only inserted into this table. As a result of this we are hereby removing events caching as it does not appear to help and only increases database load. For more information see the following comment: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6578#note_18864037
-
由 Dmitriy Zaporozhets 提交于
Signed-off-by: NDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-
由 Valery Sizov 提交于
-
- 22 11月, 2016 3 次提交
-
-
由 Rémy Coutable 提交于
Signed-off-by: NRémy Coutable <remy@rymai.me>
-
由 Adam Niedzielski 提交于
MergeRequest#commits requires merge_request_diff to be present. This is not the case when creating a new merge request.
-
由 Alfredo Sumaran 提交于
-