Age | Commit message | Author
Disabled features are ignored as they are grey areas
Some features allow GUEST to access only if the project is not private.
This method returns the access level when targeting private projects.
Guests are blocked from certain features when the project is private,
therefore the scope would filter additionally with REPORTER level.
Remove impossible cases, since a private project's features can only be
private or disabled.
Fix spec, since sidekiq indexing is not triggered.
Update guest use cases: some features have an additional constraint that
"Guest users are able to perform action on public/internal projects,
but not private ones."
[ci skip]
This is the plan to encrypt the plaintext tokens:
First release (this commit):
1. Create new encrypted fields in the database.
2. Start populating new encrypted fields, read the encrypted fields or
fall back to the plaintext fields.
3. Backfill the data removing the plaintext fields to the encrypted fields.
Second release:
4. Remove the virtual attribute (created in step 2).
5. Drop plaintext columns from the database (empty columns after step 3).
Notes related to branch creation should not be shown in an issue's
activity feed when the user doesn't have access to :download_code.
Default number of items is 3. If this is not the case,
then increase the column width of the summary items
to cater for 2 items plus the date filter.
- if the user has access level lower than REPORTER,
don't include commit count in summary
[ci skip]
[ci skip]
[ci skip]
Mask Sentry auth token
See merge request gitlab/gitlabhq!3504
Private/internal repository enumeration via bruteforce on a vulnerable URL
See merge request gitlab/gitlabhq!3491
'12-4-stable'
Return 404 on LFS request if project doesn't exist
See merge request gitlab/gitlabhq!3506
'12-4-stable'
Only assign merge params when allowed
See merge request gitlab/gitlabhq!3487
Pass all wiki markup formats through our Banzai pipeline filters
See merge request gitlab/gitlabhq!3485
Require Maintainer permission on group where project is transferred to
See merge request gitlab/gitlabhq!3486
Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
See merge request gitlab/gitlabhq!3488
'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-4' into '12-4-stable'
Labels visible despite no access to issues & repositories
See merge request gitlab/gitlabhq!3489
'12-4-stable'
Project path reveals labels from Private project if the issue is moved to public project
See merge request gitlab/gitlabhq!3490
Nested GraphQL query with circular relationship can cause Denial of Service
See merge request gitlab/gitlabhq!3492
'12-4-stable'
Filter out search results based on permissions to avoid bugs leaking data
See merge request gitlab/gitlabhq!3496
'security-65756-ex-admin-attacker-can-comment-in-internalsecurity-65756-ex-admin-attacker-can-comment-in-internal-12-4' into '12-4-stable'
Improper access control allows the attacker to comment in internal commit after they are no longer admin
See merge request gitlab/gitlabhq!3497
'security-ag-hide-private-members-in-project-member-autocomplete-12-4' into '12-4-stable'
Hide private members in project member autocomplete
See merge request gitlab/gitlabhq!3503
This makes it so we mask Sentry's auth token. This mask only occurs in
the UI.
- Include new types in SystemNoteMetadata
- Add Label and Milestone reference_pattern to
Mentionable::ReferenceRegexes to be checked for cross references
in a project members' list. Add tests for possible scenarios
Re-factor and remove N + 1 queries
Remove author from changelog
Don't use memoisation when not needed
Include users part of parents of project's group
Re-factor tests
Create and add users according to roles
Re-use group created earlier
Add incomplete test for ancestral groups
Rename method to clarify category of groups
Skip pending test, remove comments not needed
Remove extra line
Include ancestors from invited groups as well
Add specs for participants service
Add more specs
Add more specs
use instead of
Use public group owner instead of project maintainer to test owner access
Remove tests that have now been moved into participants_service_spec
Use :context instead of :all
Create nested group instead of creating an ancestor separately
Add comment explaining doubt on the failing spec
Improve test setup
Optimize sql queries
Refactor specs file
Add rubocop disablement
Add special case for project owners
Add small refactor
Add explanation to the docs
Fix wording
Refactor group check
Add small changes in specs
Add cr remarks
Add cr remarks
Add specs
Add small refactor
Add code review remarks
Refactor for better database usage
Fix failing spec
Remove rubocop offences
Add cr remarks