Age | Commit message (Collapse) | Author |
|
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Fix for HackerOne XSS vulnerability in markdown
This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
This reverts commit 49bf8674abbbb8626e55cff04c863c03ae5b55d1.
|
relevant spec.
|
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
API: Share projects only with groups current_user can access
Aims to address the issues here: https://gitlab.com/gitlab-org/gitlab-ce/issues/23004
* Projects can be shared with non-existent groups
* Projects can be shared with groups that the current user does not have access to read
Concerns:
The new implementation of the API endpoint allows projects to be shared with a larger range of groups than can be done via the web UI.
The form for sharing a project with a group uses the following API endpoint to index the available groups: https://gitlab.com/gitlab-org/gitlab-ce/blob/494269fc92f61098ee6bd635a0426129ce2c5456/lib/api/groups.rb#L17. The groups indexed in the web form will only be those groups that the user is currently a member of.
The new implementation allows projects to be shared with any group that the authenticated user has access to view. This widens the range of groups to those that are public and internal.
See merge request !2005
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Don't send Private-Token headers to Sentry
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22537
This bumps 'raven' (the Ruby gem we use to send errors to Sentry) to
version 2.0.2. We need 2.0.0 or newer to be able to sanitize HTTP
headers.
See merge request !2004
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Escape HTML nodes in builds commands in ci linter
This MR removes the call to `simple_format`, which behaves like `String#html_safe` and thus passes unescaped HTML tags to the view.
Closes #22541
See merge request !2001
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
API: disable rails session auth for non-GET/HEAD requests
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435
See merge request !1999
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Set a restrictive CORS policy for the API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450
See merge request !1998
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Enforce the fork_project permission in Projects::CreateService
Projects::ForkService delegates to this service almost entirely, but needed one small change so it would propagate create errors correctly.
CreateService#execute needs significant refactoring; it is now right at the complexity limit set by Rubocop. I avoided doing so in this commit to keep the diff as small as possible.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18028
See merge request !1996
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Avoid conflict with Admin labels when importing GitHub labels
If the GitHub project has labels that duplicate the Admin labels, the importer will use the Admin label.
Fixes #21319
See merge request !6158
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Restore gl_dropdown.js changes
Restores `fieldName` to allow only string values. `fieldName` was changed to accept a function as a value in https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/581. Since the approach changed in https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/687, there's no need to accept a function as a value.
Backport changes from https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/687
EE Issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/919
See merge request !6234
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Allow the Rails cookie to be used for API authentication
Makes the Rails cookie into a valid authentication token for the Grape
API, and uses it instead of token authentication in frontend code that
uses the API.
Rendering the private token into client-side javascript is a security
risk; it may be stolen through XSS or other attacks. In general,
re-using API code in the frontend is more desirable than implementing
endless actions that return JSON.
Closes #18302
See merge request !1995
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
Exclude some pending or inactivated rows in Member scopes
An unapproved request or not-yet-accepted invite should not give access rights. Neither should a blocked user be considered a member of anything.
One visible outcome of this behaviour is that owners and masters of a group or project may be blocked, yet still receive notification emails for access requests.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21650
See merge request !1994
|
Fix merge conflict size limit
## What does this MR do?
The merge conflict size limit was set to 100 KB, but the docs (and the test repo, which the feature specs use) say 200 KB!
## Are there points in the code the reviewer needs to double check?
Don't think so.
## Why was this MR needed?
Derp.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !6052
|
Fix GitLab import button
cc @MrChrisW
Closes gitlab-org/gitlab-ce#21795
See merge request !6167
|
Fix DB schema to match latest migration
See merge request !6256
|
'21109-discussion-resolve-runs-a-single-update-query-per-note-but-should-run-a-single-update-query-for-all-notes-instead' into 'master'
Optimize discussion notes resolving and unresolving
## What does this MR do?
Optimize discussion notes resolving and unresolving
## Are there points in the code the reviewer needs to double check?
Some changes had to be made to the discussion spec to account for the fact that notes are not individually updated now. I only focused on adapting them for the purpose of the regression fix, but admittedly they could be further improved in readability.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #21109
See merge request !6141
|
Fix intermittent spec failures with spec/features/issues/user_uses_slash_commands_spec.rb
This MR solves the intermittent spec failure:
```
1) Issues > User uses slash commands behaves like issuable record that supports slash commands in its description and notes note on issue with a note changing the issue's title when current user cannot change title of issue does not reopen the issue
Failure/Error: Gitlab::Routing.url_helpers.namespace_project_url(self.namespace, self)
ActionController::UrlGenerationError:
No route matches {:action=>"show", :controller=>"projects", :id=>#<Project id: 1, name: "project135", path: "gitlabhq", description: nil, created_at: "2016-08-31 20:45:48", updated_at: "2016-08-31 20:45:48", creator_id: 2, issues_enabled: true, merge_requests_enabled: true, wiki_enabled: true, namespace_id: 2, snippets_enabled: true, last_activity_at: "2016-08-31 20:45:48", import_url: nil, visibility_level: 20, archived: false, avatar: nil, import_status: "none", repository_size: 0.0, star_count: 0, import_type: nil, import_source: nil, commit_count: 0, import_error: nil, ci_id: nil, builds_enabled: true, shared_runners_enabled: true, runners_token: "_rNZHgsHzaDWGbyL3L2F", build_coverage_regex: nil, build_allow_git_fetch: true, build_timeout: 3600, pending_delete: false, public_builds: true, pushes_since_gc: 0, last_repository_check_failed: nil, last_repository_check_at: nil, container_registry_enabled: true, only_allow_merge_if_build_succeeds: false, has_external_issue_tracker: false, repository_storage: "default", request_access_enabled: true, has_external_wiki: false, lfs_enabled: nil>, :namespace_id=>nil} missing required keys: [:namespace_id]
Shared Example Group: "issuable record that supports slash commands in its description and notes" called from ./spec/features/issues/user_uses_slash_commands_spec.rb:6
# ./app/models/project.rb:611:in `web_url'
# ./app/models/project.rb:975:in `hook_attrs'
# ./lib/gitlab/data_builder/note.rb:58:in `build_base_data'
# ./lib/gitlab/data_builder/note.rb:38:in `build'
# ./app/services/notes/post_process_service.rb:19:in `hook_data'
# ./app/services/notes/post_process_service.rb:23:in `execute_note_hooks'
# ./app/services/notes/post_process_service.rb:14:in `execute'
# ./app/workers/new_note_worker.rb:10:in `perform'
# ./app/services/notes/create_service.rb:29:in `execute'
# ./app/controllers/projects/notes_controller.rb:26:in `create'
# ./lib/gitlab/request_profiler/middleware.rb:15:in `call'
# ./lib/gitlab/middleware/go.rb:16:in `call'
# ./lib/gitlab/middleware/static.rb:9:in `call'
```
There were a number of issues:
1. Sidekiq async tasks were being run after project namespaces were deleted. Use Sidekiq in fake mode to prevent Sidekiq tasks from being enqueued in the first place.
2. Some outstanding Ajax requests (e.g. autocomplete) were still being loaded while `DatabaseCleaner` ran
3. `logout` did not always wait for logout actually to complete
Closes #21723
See merge request !6271
|
Fix unnecessary horizontal scroll area in pipeline visualizations
## What does this MR do?
Removes a min-width attribute for the build pipeline visualization wrapper
## Are there points in the code the reviewer needs to double check?
I am curious why this line was there in the first place. Perhaps I'm just not seeing it.
## Why was this MR needed?
I was noticing an unnecessary horizontal scroll bar when viewing pipeline visualizations embedded in merge request builds tab:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5627/builds
## What are the relevant issue numbers?
Line appears to have been introduced in !5742
## Screenshots (if relevant)
![Screen_Shot_2016-08-24_at_11.15.13_PM](/uploads/e395ed8d4415187735d06b8386fe4633/Screen_Shot_2016-08-24_at_11.15.13_PM.png)
## Does this MR meet the acceptance criteria?
As this is a very simple cosmetic change, I don't think it warrants inclusion in the changelog, documentation, or tests.
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !6005
|
Fix an error where we were unable to create a CommitStatus for running state
Due to severe refactoring of Pipeline we introduced a regression in how CommitStatus is handled. We received a report that it's impossible to create a CommitStatus with state `running` when there was no previous status.
The support for Commit Statuses should be simplified. Right now I'm doing a minimal change to move forward and fix a bug, but I'll create a new MR that will move all logic that is now part of `lib/api/commit_statuses.rb` to a separate service to simplify the implementation.
This error happens due to the fact that we introduced additional status of builds: `created`.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/21345
See merge request !6107
|
Restore SSH Key title auto-population behavior
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21823
See merge request !6186
|
Added search for all lists on issue boards
Adds a search box to allow the user to search all lists in issue boards rather than just the backlog.
![Screen_Shot_2016-08-30_at_10.33.15](/uploads/67e96055d60a9b3209ce3831a1980c09/Screen_Shot_2016-08-30_at_10.33.15.png)
![Screen_Shot_2016-08-30_at_10.33.19](/uploads/8d5253b8f2ecf1cf9a69d70be8ccf1f9/Screen_Shot_2016-08-30_at_10.33.19.png)
Closes #21139
See merge request !6101
Conflicts:
app/assets/stylesheets/pages/boards.scss
app/views/projects/boards/components/_board.html.haml
|
'18851-commit-text-in-activity-commits-page-etc-has-the-wrong-line-height' into 'master'
Changed `.commit-row-title` `line-height` to `1.35` from `1`
## What does this MR do?
Changes `.commit-row-title` `line-height` to `1.35` from `1`, this is to match the `line-height: 20px;` from before 41c2ea9b.
## Are there points in the code the reviewer needs to double check?
## Why was this MR needed?
Not enough space between commit lines
## What are the relevant issue numbers?
Closes #18851.
## Screenshots (if relevant)
New screenshot below.
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [ ] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
Closes #18851
See merge request !5996
|
Reduce intermittent spec failures by making VueJS resource interceptor decrement outstanding resource counts when HTTP response is received
Before the count would be reduced 500 ms after a DOM update tick, which could cause race conditions since the `DatabaseCleaner` could run in the middle of a Rails controller handling the response.
Partial fix to #21197 and other intermittent spec failures.
See merge request !6224
|
Support empty PG database too
cc @rdavila @axil
See merge request !6221
|
Fix expiration date picker after update
@DouweM this object is now on `gl`, not on the window. It would only break when trying to use the date picker on a newly-inserted member element, but I figure it's probably worth sneaking into a patch.
See merge request !6184
|
Remove gitorious from import_sources on ApplicationSetting model
Removes 'gitorious' as import field from the import_sources field on ApplicationSetting
Closes #21804
cc @markglenfletcher
See merge request !6180
|
into 'master'
Fix suggested colors options for new labels in the admin area
## What does this MR do?
Execute the JS related to the suggested color options when the user accesses the new label page in the admin area.
## Are there points in the code the reviewer needs to double check?
No.
## Why was this MR needed?
Clicking on a suggested color when creating a new label in the admin area doesn't change the background color.
## Screenshots (if relevant)
* Before
![2016-08-31_19.56.14](/uploads/3d50236dac578910c5062aa1e83da350/2016-08-31_19.56.14.gif)
* After
![2016-08-31_19.58.59](/uploads/376ffdcbb5b80ef51ab1d642fe9486d0/2016-08-31_19.58.59.gif)
## Does this MR meet the acceptance criteria?
- [X] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [ ] Added for this feature/bug
- [ ] All builds are passing
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/21726
See merge request !6138
|
Optimize branch lookups and force a repository reload for Repository#find_branch
See merge request !6087
|
Add the total number of issues in the JSON response in issue board lists
Add the total number of issues in the JSON response in issue board lists
The issue board lists should always show the total number of issues in the list, not the current amount fetched by endless scroll.
Closes #21327
See merge request !5904
Conflicts:
app/assets/stylesheets/pages/boards.scss
app/views/projects/boards/components/_board.html.haml
|
Fix confidential issues made public after import
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/21803
The gitlab.com import was ignoring the confidential attribute, hence making all issues public after being imported.
The API has changed in order to also expose this field.
See merge request !1992
|