diff options
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/admin/application_settings_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/concerns/toggle_award_emoji.rb | 11 | ||||
-rw-r--r-- | app/controllers/jwt_controller.rb | 42 | ||||
-rw-r--r-- | app/controllers/oauth/applications_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/builds_controller.rb | 4 | ||||
-rw-r--r-- | app/controllers/projects/commit_controller.rb | 10 | ||||
-rw-r--r-- | app/controllers/projects/git_http_controller.rb | 147 | ||||
-rw-r--r-- | app/controllers/projects/labels_controller.rb | 29 | ||||
-rw-r--r-- | app/controllers/projects/merge_requests_controller.rb | 35 | ||||
-rw-r--r-- | app/controllers/projects/notes_controller.rb | 3 | ||||
-rw-r--r-- | app/controllers/projects/pipelines_controller.rb | 6 | ||||
-rw-r--r-- | app/controllers/projects/wikis_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/sessions_controller.rb | 1 |
13 files changed, 224 insertions, 69 deletions
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb index 0a34a12e2a7..f4eda864aac 100644 --- a/app/controllers/admin/application_settings_controller.rb +++ b/app/controllers/admin/application_settings_controller.rb @@ -74,6 +74,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController :two_factor_grace_period, :gravatar_enabled, :sign_in_text, + :after_sign_up_text, :help_page_text, :home_page_url, :after_sign_out_path, diff --git a/app/controllers/concerns/toggle_award_emoji.rb b/app/controllers/concerns/toggle_award_emoji.rb index 09ff44f291b..036777c80c1 100644 --- a/app/controllers/concerns/toggle_award_emoji.rb +++ b/app/controllers/concerns/toggle_award_emoji.rb @@ -9,13 +9,22 @@ module ToggleAwardEmoji name = params.require(:name) awardable.toggle_award_emoji(name, current_user) - TodoService.new.new_award_emoji(awardable, current_user) + TodoService.new.new_award_emoji(to_todoable(awardable), current_user) render json: { ok: true } end private + def to_todoable(awardable) + case awardable + when Note + awardable.noteable + else + awardable + end + end + def awardable raise NotImplementedError end diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index cee3b6c43e7..131a16dad9b 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -42,46 +42,8 @@ class JwtController < ApplicationController end def authenticate_user(login, password) - # TODO: this is a copy and paste from grack_auth, - # it should be refactored in the future - - user = Gitlab::Auth.new.find(login, password) - - # If the user authenticated successfully, we reset the auth failure count - # from Rack::Attack for that IP. A client may attempt to authenticate - # with a username and blank password first, and only after it receives - # a 401 error does it present a password. Resetting the count prevents - # false positives from occurring. - # - # Otherwise, we let Rack::Attack know there was a failed authentication - # attempt from this IP. This information is stored in the Rails cache - # (Redis) and will be used by the Rack::Attack middleware to decide - # whether to block requests from this IP. - config = Gitlab.config.rack_attack.git_basic_auth - - if config.enabled - if user - # A successful login will reset the auth failure count from this IP - Rack::Attack::Allow2Ban.reset(request.ip, config) - else - banned = Rack::Attack::Allow2Ban.filter(request.ip, config) do - # Unless the IP is whitelisted, return true so that Allow2Ban - # increments the counter (stored in Rails.cache) for the IP - if config.ip_whitelist.include?(request.ip) - false - else - true - end - end - - if banned - Rails.logger.info "IP #{request.ip} failed to login " \ - "as #{login} but has been temporarily banned from Git auth" - return - end - end - end - + user = Gitlab::Auth.find_in_gitlab_or_ldap(login, password) + Gitlab::Auth.rate_limit!(request.ip, success: user.present?, login: login) user end end diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb index c6bdd0602c1..0f54dfa4efc 100644 --- a/app/controllers/oauth/applications_controller.rb +++ b/app/controllers/oauth/applications_controller.rb @@ -32,7 +32,7 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController def verify_user_oauth_applications_enabled return if current_application_settings.user_oauth_applications? - redirect_to applications_profile_url + redirect_to profile_path end def set_index_vars diff --git a/app/controllers/projects/builds_controller.rb b/app/controllers/projects/builds_controller.rb index db3ae586059..9b80efa5f11 100644 --- a/app/controllers/projects/builds_controller.rb +++ b/app/controllers/projects/builds_controller.rb @@ -26,9 +26,9 @@ class Projects::BuildsController < Projects::ApplicationController end def show - @builds = @project.ci_commits.find_by_sha(@build.sha).builds.order('id DESC') + @builds = @project.pipelines.find_by_sha(@build.sha).builds.order('id DESC') @builds = @builds.where("id not in (?)", @build.id) - @commit = @build.commit + @pipeline = @build.pipeline respond_to do |format| format.html diff --git a/app/controllers/projects/commit_controller.rb b/app/controllers/projects/commit_controller.rb index 10b5932affa..20637fa46fe 100644 --- a/app/controllers/projects/commit_controller.rb +++ b/app/controllers/projects/commit_controller.rb @@ -99,12 +99,12 @@ class Projects::CommitController < Projects::ApplicationController @commit ||= @project.commit(params[:id]) end - def ci_commits - @ci_commits ||= project.ci_commits.where(sha: commit.sha) + def pipelines + @pipelines ||= project.pipelines.where(sha: commit.sha) end def ci_builds - @ci_builds ||= Ci::Build.where(commit: ci_commits) + @ci_builds ||= Ci::Build.where(pipeline: pipelines) end def define_show_vars @@ -117,8 +117,8 @@ class Projects::CommitController < Projects::ApplicationController @diff_refs = [commit.parent || commit, commit] @notes_count = commit.notes.count - @statuses = CommitStatus.where(commit: ci_commits) - @builds = Ci::Build.where(commit: ci_commits) + @statuses = CommitStatus.where(pipeline: pipelines) + @builds = Ci::Build.where(pipeline: pipelines) end def assign_change_commit_vars(mr_source_branch) diff --git a/app/controllers/projects/git_http_controller.rb b/app/controllers/projects/git_http_controller.rb new file mode 100644 index 00000000000..348d6cf4d96 --- /dev/null +++ b/app/controllers/projects/git_http_controller.rb @@ -0,0 +1,147 @@ +class Projects::GitHttpController < Projects::ApplicationController + attr_reader :user + + # Git clients will not know what authenticity token to send along + skip_before_action :verify_authenticity_token + skip_before_action :repository + before_action :authenticate_user + before_action :ensure_project_found! + + # GET /foo/bar.git/info/refs?service=git-upload-pack (git pull) + # GET /foo/bar.git/info/refs?service=git-receive-pack (git push) + def info_refs + if upload_pack? && upload_pack_allowed? + render_ok + elsif receive_pack? && receive_pack_allowed? + render_ok + else + render_not_found + end + end + + # POST /foo/bar.git/git-upload-pack (git pull) + def git_upload_pack + if upload_pack? && upload_pack_allowed? + render_ok + else + render_not_found + end + end + + # POST /foo/bar.git/git-receive-pack" (git push) + def git_receive_pack + if receive_pack? && receive_pack_allowed? + render_ok + else + render_not_found + end + end + + private + + def authenticate_user + return if project && project.public? && upload_pack? + + authenticate_or_request_with_http_basic do |login, password| + auth_result = Gitlab::Auth.find(login, password, project: project, ip: request.ip) + + if auth_result.type == :ci && upload_pack? + @ci = true + elsif auth_result.type == :oauth && !upload_pack? + # Not allowed + else + @user = auth_result.user + end + + ci? || user + end + end + + def ensure_project_found! + render_not_found if project.blank? + end + + def project + return @project if defined?(@project) + + project_id, _ = project_id_with_suffix + if project_id.blank? + @project = nil + else + @project = Project.find_with_namespace("#{params[:namespace_id]}/#{project_id}") + end + end + + # This method returns two values so that we can parse + # params[:project_id] (untrusted input!) in exactly one place. + def project_id_with_suffix + id = params[:project_id] || '' + + %w[.wiki.git .git].each do |suffix| + if id.end_with?(suffix) + # Be careful to only remove the suffix from the end of 'id'. + # Accidentally removing it from the middle is how security + # vulnerabilities happen! + return [id.slice(0, id.length - suffix.length), suffix] + end + end + + # Something is wrong with params[:project_id]; do not pass it on. + [nil, nil] + end + + def upload_pack? + git_command == 'git-upload-pack' + end + + def receive_pack? + git_command == 'git-receive-pack' + end + + def git_command + if action_name == 'info_refs' + params[:service] + else + action_name.dasherize + end + end + + def render_ok + render json: Gitlab::Workhorse.git_http_ok(repository, user) + end + + def repository + _, suffix = project_id_with_suffix + if suffix == '.wiki.git' + project.wiki.repository + else + project.repository + end + end + + def render_not_found + render text: 'Not Found', status: :not_found + end + + def ci? + @ci.present? + end + + def upload_pack_allowed? + return false unless Gitlab.config.gitlab_shell.upload_pack + + if user + Gitlab::GitAccess.new(user, project).download_access_check.allowed? + else + ci? || project.public? + end + end + + def receive_pack_allowed? + return false unless Gitlab.config.gitlab_shell.receive_pack + + # Skip user authorization on upload request. + # It will be done by the pre-receive hook in the repository. + user.present? + end +end diff --git a/app/controllers/projects/labels_controller.rb b/app/controllers/projects/labels_controller.rb index ff771ea6d9c..0ca675623e5 100644 --- a/app/controllers/projects/labels_controller.rb +++ b/app/controllers/projects/labels_controller.rb @@ -5,13 +5,14 @@ class Projects::LabelsController < Projects::ApplicationController before_action :label, only: [:edit, :update, :destroy] before_action :authorize_read_label! before_action :authorize_admin_labels!, only: [ - :new, :create, :edit, :update, :generate, :destroy + :new, :create, :edit, :update, :generate, :destroy, :remove_priority, :set_priorities ] respond_to :js, :html def index - @labels = @project.labels.page(params[:page]) + @labels = @project.labels.unprioritized.page(params[:page]) + @prioritized_labels = @project.labels.prioritized respond_to do |format| format.html @@ -71,6 +72,30 @@ class Projects::LabelsController < Projects::ApplicationController end end + def remove_priority + respond_to do |format| + if label.update_attribute(:priority, nil) + format.json { render json: label } + else + message = label.errors.full_messages.uniq.join('. ') + format.json { render json: { message: message }, status: :unprocessable_entity } + end + end + end + + def set_priorities + Label.transaction do + params[:label_ids].each_with_index do |label_id, index| + label = @project.labels.find_by_id(label_id) + label.update_attribute(:priority, index) if label + end + end + + respond_to do |format| + format.json { render json: { message: 'success' } } + end + end + protected def module_enabled diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index f78b429b3e7..06a114dcbe8 100644 --- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -58,9 +58,16 @@ class Projects::MergeRequestsController < Projects::ApplicationController respond_to do |format| format.html - format.json { render json: @merge_request } - format.diff { render text: @merge_request.to_diff } - format.patch { render text: @merge_request.to_patch } + format.json { render json: @merge_request } + format.patch { render text: @merge_request.to_patch } + format.diff do + headers.store(*Gitlab::Workhorse.send_git_diff(@project.repository, + @merge_request.diff_base_commit.id, + @merge_request.last_commit.id)) + headers['Content-Disposition'] = 'inline' + + head :ok + end end end @@ -120,8 +127,8 @@ class Projects::MergeRequestsController < Projects::ApplicationController @diffs = @merge_request.compare.diffs(diff_options) if @merge_request.compare @diff_notes_disabled = true - @ci_commit = @merge_request.ci_commit - @statuses = @ci_commit.statuses if @ci_commit + @pipeline = @merge_request.pipeline + @statuses = @pipeline.statuses if @pipeline @note_counts = Note.where(commit_id: @commits.map(&:id)). group(:commit_id).count @@ -200,7 +207,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController @merge_request.update(merge_error: nil) - if params[:merge_when_build_succeeds].present? && @merge_request.ci_commit && @merge_request.ci_commit.active? + if params[:merge_when_build_succeeds].present? && @merge_request.pipeline && @merge_request.pipeline.active? MergeRequests::MergeWhenBuildSucceedsService.new(@project, current_user, merge_params) .execute(@merge_request) @status = :merge_when_build_succeeds @@ -231,10 +238,10 @@ class Projects::MergeRequestsController < Projects::ApplicationController end def ci_status - ci_commit = @merge_request.ci_commit - if ci_commit - status = ci_commit.status - coverage = ci_commit.try(:coverage) + pipeline = @merge_request.pipeline + if pipeline + status = pipeline.status + coverage = pipeline.try(:coverage) status ||= "preparing" else @@ -317,8 +324,8 @@ class Projects::MergeRequestsController < Projects::ApplicationController @merge_request_diff = @merge_request.merge_request_diff - @ci_commit = @merge_request.ci_commit - @statuses = @ci_commit.statuses if @ci_commit + @pipeline = @merge_request.pipeline + @statuses = @pipeline.statuses if @pipeline if @merge_request.locked_long_ago? @merge_request.unlock_mr @@ -327,8 +334,8 @@ class Projects::MergeRequestsController < Projects::ApplicationController end def define_widget_vars - @ci_commit = @merge_request.ci_commit - @ci_commits = [@ci_commit].compact + @pipeline = @merge_request.pipeline + @pipelines = [@pipeline].compact closes_issues end diff --git a/app/controllers/projects/notes_controller.rb b/app/controllers/projects/notes_controller.rb index c205474e999..836f79ff080 100644 --- a/app/controllers/projects/notes_controller.rb +++ b/app/controllers/projects/notes_controller.rb @@ -1,4 +1,6 @@ class Projects::NotesController < Projects::ApplicationController + include ToggleAwardEmoji + # Authorize before_action :authorize_read_note! before_action :authorize_create_note!, only: [:create] @@ -61,6 +63,7 @@ class Projects::NotesController < Projects::ApplicationController def note @note ||= @project.notes.find(params[:id]) end + alias_method :awardable, :note def note_to_html(note) render_to_string( diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb index b36081205d8..cac440ae53e 100644 --- a/app/controllers/projects/pipelines_controller.rb +++ b/app/controllers/projects/pipelines_controller.rb @@ -7,7 +7,7 @@ class Projects::PipelinesController < Projects::ApplicationController def index @scope = params[:scope] - all_pipelines = project.ci_commits + all_pipelines = project.pipelines @pipelines_count = all_pipelines.count @running_or_pending_count = all_pipelines.running_or_pending.count @pipelines = PipelinesFinder.new(project).execute(all_pipelines, @scope) @@ -15,7 +15,7 @@ class Projects::PipelinesController < Projects::ApplicationController end def new - @pipeline = project.ci_commits.new(ref: @project.default_branch) + @pipeline = project.pipelines.new(ref: @project.default_branch) end def create @@ -50,7 +50,7 @@ class Projects::PipelinesController < Projects::ApplicationController end def pipeline - @pipeline ||= project.ci_commits.find_by!(id: params[:id]) + @pipeline ||= project.pipelines.find_by!(id: params[:id]) end def commit diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb index 4b404eb03fa..2aa6bed0724 100644 --- a/app/controllers/projects/wikis_controller.rb +++ b/app/controllers/projects/wikis_controller.rb @@ -95,7 +95,7 @@ class Projects::WikisController < Projects::ApplicationController ext.analyze(text, author: current_user) render json: { - body: view_context.markdown(text, pipeline: :wiki, project_wiki: @project_wiki), + body: view_context.markdown(text, pipeline: :wiki, project_wiki: @project_wiki, page_slug: params[:id]), references: { users: ext.users.map(&:username) } diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index f6eedb1773c..dae8f7b1447 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -14,6 +14,7 @@ class SessionsController < Devise::SessionsController before_action :load_recaptcha def new + set_minimum_password_length if Gitlab.config.ldap.enabled @ldap_servers = Gitlab::LDAP::Config.servers else |