Skip to content

G
gitlab-foss

李少辉-开发者 / gitlab-foss

通知 15
Star 0
Fork 0
G
gitlab-foss

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
  1. 25 8月, 2016 1 次提交
  3. 17 8月, 2016 1 次提交
  5. 12 8月, 2016 1 次提交
  7. 09 8月, 2016 1 次提交
  9. 04 8月, 2016 1 次提交
  11. 02 8月, 2016 1 次提交
  13. 20 7月, 2016 1 次提交
  15. 19 7月, 2016 4 次提交
  17. 15 7月, 2016 1 次提交
  19. 12 7月, 2016 1 次提交
  21. 08 7月, 2016 1 次提交
    • D
      Added setting to set new users by default as external · a0a9494e
      Dravere 提交于 
      As requested by the issue #14508 this adds an option in the application
settings to set newly registered users by default as external. The
default setting is set to false to stay backward compatible.
      a0a9494e
  23. 24 6月, 2016 1 次提交
    • R
      Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable 提交于 
      The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.
Signed-off-by: NRémy Coutable <remy@rymai.me>
      aec3475d
  25. 07 6月, 2016 8 次提交
  27. 06 6月, 2016 1 次提交
    • T
      Add a `U2fRegistrations` table/model. · 791cc913
      Timothy Andrew 提交于 
      - To hold registrations from U2F devices, and to authenticate them.
- Previously, `User#two_factor_enabled` was aliased to the
  `otp_required_for_login` column on `users`.
- This commit changes things a bit:
    - `User#two_factor_enabled` is not a method anymore
    - `User#two_factor_enabled?` checks both the
      `otp_required_for_login` column, as well as `U2fRegistration`s
    - Change all instances of `User#two_factor_enabled` to
      `User#two_factor_enabled?`
- Add the `u2f` gem, and implement registration/authentication at the
  model level.
      791cc913
  29. 03 6月, 2016 2 次提交
  31. 28 5月, 2016 1 次提交
  33. 17 5月, 2016 1 次提交
  35. 11 5月, 2016 2 次提交
    • S
      Tidy up user project specs · acd8930c
      Sean McGivern 提交于
      acd8930c
    • S
      Restrict starred projects to viewable ones · 97424ea5
      Sean McGivern 提交于 
      `User#starred_projects` doesn't perform any visibility checks. This has
a couple of problems:

1. It assumes a user can always view all of their starred projects in
   perpetuity (project not changed to private, access revoked, etc.).
2. It assumes that we'll only ever allow a user to star a project they
   can view. This is currently the case, but bugs happen.

Add `User#viewable_starred_projects` to filter the starred projects by
those the user either has explicit access to, or are public or
internal. Then use that in all places where we list the user's starred
projects.
      97424ea5
  37. 10 5月, 2016 2 次提交
  39. 01 4月, 2016 1 次提交
  41. 15 3月, 2016 1 次提交
  43. 14 3月, 2016 2 次提交
  45. 12 3月, 2016 2 次提交
  47. 01 3月, 2016 2 次提交