Age | Commit message | Author |
|
|
[ci skip]
|
|
'66641-broken-master-real-http-connections-are-disabled-unregistered-request' into 'master'
Use `stub_full_request` to fix spec failure
Closes #66641
See merge request gitlab-org/gitlab-ce!32259
|
|
This reverts commit cec9310c4ad641a760daa0394b6a8945d134dbb8.
|
|
'security-fix-something-went-wrong-on-when-not-logged-in-ce-12-2' into '12-2-stable'
Return NO_ACCESS if user is nil
See merge request gitlab/gitlabhq!3390
|
|
[ci skip]
|
|
Avoid exposing unaccessible repo data upon GFM post processing
See merge request gitlab/gitlabhq!3382
|
|
When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.
This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.
Additionally, if we're processing for a group
(no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.
|
|
'12-2-stable'
Ensure only authorised users can create notes on merge requests and issues
See merge request gitlab/gitlabhq!3324
|
|
* Prevent creating notes on inaccessible MRs
  This applies the notes rules at the MR scope. Rather than adding extra
  rules to the Project level policy, preventing :create_note here is
  better since it only prevents creating notes on MRs.
* Prevent creating notes in inaccessible Issues
  Without this policy, non-team-members are allowed to comment on issues
  even when the project has the private-issues policy set. This means that
  without this change, users are allowed to comment on issues that they
  cannot read.
* Add CHANGELOG entry
|
|
Prevent disclosure of merge request id via email
See merge request gitlab/gitlabhq!3350
|
|
Send TODOs for comments on commits correctly
See merge request gitlab/gitlabhq!3365
|
|
Gitaly: ignore git redirects
See merge request gitlab/gitlabhq!3374
|
|
Project visibility restriction bypass
See merge request gitlab/gitlabhq!3330
|
|
Add Gitlab::VisibilityLevelChecker that verifies
selected project visibility level (or overridden param)
is not restricted when creating or importing a project
|
|
DNS Rebind SSRF in Kubernetes Integration
See merge request gitlab/gitlabhq!3268
|
|
'12-2-stable'
Filter out old system notes for epics in notes api endpoint response
See merge request gitlab/gitlabhq!3314
|
|
into '12-2-stable'
Fix HTML injection for label description
See merge request gitlab/gitlabhq!3315
|
|
Permission fix for MergeRequestsController#pipeline_status
See merge request gitlab/gitlabhq!3322
|
|
Limit the size of issuable description and comments
See merge request gitlab/gitlabhq!3323
|
|
'12-2-stable'
Add merge note type as cross reference
See merge request gitlab/gitlabhq!3328
|
|
Use image proxy to mitigate stealing ip addresses
See merge request gitlab/gitlabhq!3333
|
|
Fix DNS rebind vulnerability for JIRA integration
See merge request gitlab/gitlabhq!3338
|
|
Introduce JobActivity limit for alive jobs
See merge request gitlab/gitlabhq!3343
|
|
'12-2-stable'
Clear reset_password_tokens when login (email or username) change
See merge request gitlab/gitlabhq!3346
|
|
'12-2-stable'
Require a captcha after unique failed logins from the same IP
See merge request gitlab/gitlabhq!3349
|
|
Enforce max chars and max render time in markdown math
See merge request gitlab/gitlabhq!3353
|
|
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
See merge request gitlab/gitlabhq!3354
|
|
Add direct upload support for personal snippets
See merge request gitlab/gitlabhq!3359
|
|
admin_group authorization for Groups::RunnersController
See merge request gitlab/gitlabhq!3362
|
|
Re-escape the whole HTML content when finding HTML references
See merge request gitlab/gitlabhq!3370
|
|
[ci skip]
|
|
Prepare 12.2.1 release
See merge request gitlab-org/gitlab-ce!32107
|
|
Reduce dedup calls to gc only
See merge request gitlab-org/gitlab-ce!32083
|
|
At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.
This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.
|
|
Fix "ERR value is not an integer or out of range" errors
Closes #66449
See merge request gitlab-org/gitlab-ce!32126
(cherry picked from commit 8832aa9522476d9d244211856f4ac7fe545a0c97)
6bda359b Fix "ERR value is not an integer or out of range" errors
|
|
Embed metrics undefined param fix
Closes #66177
See merge request gitlab-org/gitlab-ce!31975
(cherry picked from commit 04b37e429466c9ec750936067c0a9c326e57a1c4)
1ebc87e9 Remove dashboard param when undefined
8122a21a Insert additional assertion
2c4e17f9 Ensure all params have the option to be dropped when falsy
3812e4f3 Use isNil check
5ed2c263 Add tests and null check
2ebe1715 Add change log entry
|
|
Clarify when new values are valid
See merge request gitlab-org/gitlab-ce!31951
(cherry picked from commit 47c069ccba568f407ec605ea033adfc48fe5943b)
1efa52be Clarify when new values are valid
|
|
Fix Gitaly N+1 calls with listing issues/MRs via API
Closes #66202
See merge request gitlab-org/gitlab-ce!31938
(cherry picked from commit 57ec78d53066cf9184859a0202609eb01567eab9)
ba7c501f Fix Gitaly N+1 calls with listing issues/MRs via API
|
|
Add Documentation for Feature Flag Target Users
Closes gitlab-ee#11459
See merge request gitlab-org/gitlab-ce!31918
(cherry picked from commit 69df059405f720cdb8ae8bcdf348dbafa5d1d64e)
c42f5bbc Add documentation for feature flag Target Users
|
|
Embed specific metrics chart in issue docs
See merge request gitlab-org/gitlab-ce!31900
(cherry picked from commit aed489bf901745ced6618e680913d0d213998923)
482642b0 Adds specific metric styles and prop
146243da Updated styles, removed css :D
0a5d49f7 Adds docs for embedding chart
4bbb0ddf Simpler null checks
758a195b Fix some wrapping issues
d6550ad4 Fix lint and prop type
675639cc Remove everything that isn't docs
eb27d0f1 Apply suggestion to doc/user/project/integrations/prometheus.md
364e7219 Compress generate_link_to_chart.png image
|
|
Add documentation for incrementally expand mr diffs
See merge request gitlab-org/gitlab-ce!31878
(cherry picked from commit 0a16c8e1964a169363597630ae3cda1ffb8f2b83)
c867db91 Add documentation for incrementally expand mr diffs
e9d917c2 Apply suggestion to doc/user/project/merge_requests/index.md
|
|
'64950-move-download-csv-button-functionality-in-metrics-dashboard-cards-into-the-dropdown' into 'master'
Add docs for csv download
Closes #66291
See merge request gitlab-org/gitlab-ce!31870
(cherry picked from commit 8b0acc31281d7a2feabf4d7dfd4055b10b8184cd)
40327645 Adds docs for downloading csv
11f959ad Compress download_as_csv.png image
5cf5a52f Merge remote-tracking branch 'origin/master' into...
|
|
Link more issues in Design Management Limitations
See merge request gitlab-org/gitlab-ce!31697
(cherry picked from commit e40abf9757683c222f724d0f10fbc03475b1b51d)
50956e5c Link more issues in Design Management Limitations
|
|
Rename License Management to License Compliance
Closes #63329
See merge request gitlab-org/gitlab-ce!31590
(cherry picked from commit 11fd6bdf9972a9a890beb58ba48ebf2afe7d993c)
80b05132 Rename License Management to License Compliance
|
|
Removes duplicate button from job log page
Closes #65705
See merge request gitlab-org/gitlab-ce!31544
(cherry picked from commit af2edf28259ff1c236af346cfa6c62092afe7391)
8bed16ee Removes duplicate button
|