gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Age | Commit message | Author
2018-07-11 | Improve manifest feature after backend review | Dmitriy Zaporozhets
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2018-07-11 | Add ability to disable manifest import | Dmitriy Zaporozhets
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2018-06-21 | [Rails5] Force the `protect_from_forgery` callback run first | blackst0ne
Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by default anymore. [1] Instead it gets inserted into callbacks chain where callbacks get called in order. This commit forces the callback to run first.
[1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191
2018-06-13 | Render access denied without message | Bob Van Landuyt
The `errors/access_denied` page should not fail to render when no message is provided. When accessing something as a sessionless user, we should also display the terms message if possible.
2018-06-06 | Log response body to production_json.log when a controller responds with a 422 status | Stan Hu
We have a number of import errors occurring with 422 errors, and it's hard to determine why they are happening. This change will surface the errors in the log lines.
Relates to #47365
2018-06-05 | Render a 403 when showing an access denied message | Bob Van Landuyt
When we want to show an access denied message to a user, we don't have to hide the resource's existence. So in that case we render a 403, this 403 is not handled by nginx on omnibus installs, making sure the message is visible to the user.
2018-06-01 | Update 404 and 403 pages | Paul Slaughter
2018-05-11 | Allow a user to sign out when on the terms page | Bob Van Landuyt
Before we would block the `sign_out` request when the user did not accept the terms, therefore redirecting them to the terms again. By allowing all requests to devise controllers, we avoid this problem.
2018-05-04 | Enforces terms in the web application | Bob Van Landuyt
This enforces the terms in the web application. These cases are specced:
- Logging in: When terms are enforced, and a user logs in that has not accepted the terms, they are presented with the screen. They get directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented with the screen to accept the terms. After they accept they are directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first, after they accept the terms, they will be directed to the page they were going to
  - For any other request: They are directed to the terms, after they accept the terms, they are directed back to the page they came from to retry the request. Any information entered would be persisted in localstorage and available on the page.
2018-04-28 | [Rails5] Update `ApplicationController#log_exception` to fix `undefined method 'clean'` error | blackst0ne
This commit fixes the error:
```
  1) Projects::TodosController Merge Requests POST create when not authorized for merge_request doesn't create todo
     Failure/Error: application_trace = ActionDispatch::ExceptionWrapper.new(env, exception).application_trace

     NoMethodError:
       undefined method `clean' for #<Hash:0x000055be5bda35d0>
       Did you mean?  clear
     # ./app/controllers/application_controller.rb:113:in `log_exception'
     # ./app/controllers/application_controller.rb:40:in `block in <class:ApplicationController>'
     # ./spec/controllers/projects/todos_controller_spec.rb:80:in `go'
     # ./spec/controllers/projects/todos_controller_spec.rb:138:in `block (6 levels) in <top (required)>'
     # ./spec/controllers/projects/todos_controller_spec.rb:138:in `block (5 levels) in <top (required)>'
     # ------------------
     # --- Caused by: ---
     # ActiveRecord::RecordNotFound:
     #   Couldn't find MergeRequest
     #   ./app/finders/concerns/finder_methods.rb:19:in `raise_not_found_unless_authorized'

Finished in 7.53 seconds (files took 12.8 seconds to load)
1 example, 1 failure
```
Also see https://github.com/rails/rails/commit/6d85804bc6aeecce5669fb4b0d7b33c069deff3a
2018-04-08 | [Rails5] Add `safe_params` helper | blackst0ne
Rails 5.0 requires to explicitly permit attributes when building a URL using current `params` object. The `safe_params` helper allows developers to just call `safe_params.merge(...)` instead of manually adding `permit` to every call.
https://github.com/rails/rails/pull/20868
2018-04-04 | Add better LDAP connection handling | Francisco Javier López
2018-02-28 | Moved o_auth/saml/ldap modules under gitlab/auth | Horatiu Eugen Vlad
2018-02-22 | Port `read_cross_project` ability from EE | Bob Van Landuyt
2018-02-02 | use Gitlab::UserSettings directly as a singleton instead of including/extending it | Mario de la Ossa
2018-01-24 | Return a blank JSON response for a missing .js file to prevent Rails CSRF errors | Stan Hu
The default 404 handler would return the Content-Type format based on the given format extension. This would cause the Rails CSRF protection to flag an error, since the .js extension gets mapped to text/javascript format.
Closes #40771
2017-11-23 | Allow password authentication to be disabled entirely | Markus Koller
2017-11-20 | Impersonation no longer gets stuck on password change. | Tiago Botelho
2017-11-20 | Merge branch '18040-rubocop-line-break-after-guard-clause' into 'master' | Rémy Coutable
Adds Rubocop rule for line break after guard clause
Closes #18040
See merge request gitlab-org/gitlab-ce!15188
2017-11-17 | Applied some code review comments | Francisco Lopez
2017-11-17 | Some fixes after rebase | Francisco Lopez
2017-11-17 | Fix OAuth API and RSS rate limiting | Michael Kozono
2017-11-17 | Add request throttles | Michael Kozono
2017-11-16 | Adds Rubocop rule for line break after guard clause | Jacopo
Adds a rubocop rule (with autocorrect) to ensure line break after guard clauses.
2017-11-02 | Remove authentication using user.private_token | Douwe Maan
2017-10-20 | URI decode Page-Title header to preserve UTF-8 characters | Toon Claes
2017-10-04 | Fix username and ID not logging in production_json.log for Git activity | Stan Hu
Devise sets `current_user`, but not all controllers authenticate users by session tokens. Try to use the controller-defined `authenticated_user` if `current_user` is not available.
Closes gitlab-org/gitlab-ee#3611
2017-09-26 | Encode Page-Title header as ISO-8859-1 | Douwe Maan
2017-09-26 | Add Page-Title header to tree and blob JSON endpoints | Douwe Maan
2017-09-01 | Rollsback changes made to signing_enabled. | Tiago Botelho
2017-08-09 | Enable the Layout/SpaceBeforeBlockBraces cop | Rémy Coutable
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-08-07 | GRPC::Unavailable (< GRPC::BadStatus) is wrapped in a CommandError | Bob Van Landuyt
2017-08-04 | Add a Circuitbreaker for storage paths | Bob Van Landuyt
2017-07-28 | Add remote IP, user ID and username to JSON lograge output | Stan Hu
This makes the logs a bit more useful to search requests by users.
2017-07-13 | Fixes needed when GitLab sign-in is not enabled | Robin Bobbitt
When sign-in is disabled:
- skip password expiration checks
- prevent password reset requests
- don’t show Password tab in User Settings
- don’t allow login with username/password for Git over HTTP requests
- render 404 on requests to Profiles::PasswordsController
2017-07-06 | Allow to enable the performance bar per user or Flipper group | Rémy Coutable
A `performance_team` Flipper group has been created. By default this group is nil but this can be customized in `gitlab.yml` via the performance_bar.allowed_group setting.
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-05 | Log rescued exceptions to Sentry | Stan Hu
Support noticed that a number of exceptions, such as "Encoding::CompatibilityError (incompatible character encodings: UTF-8 and ASCII-8BIT)", failed to report to Sentry. The `rescue_from` in the ApplicationController prevented these exceptions from being recorded. This change ensures that these exceptions are properly captured.
2017-06-20 | Add rescue_from(ActionController::UnknownFormat) in Application Controller | Pawel Chojnacki
2017-06-09 | Fix linting, route, and specs | Rémy Coutable
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-06-09 | Small adjustments | Rémy Coutable
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-06-09 | Don't use Pygment,rb, use Rouge instead, and put peek-pg in the :postgres group | Rémy Coutable
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-06-09 | New performance bar that can be enabled with the `p b` shortcut | Rémy Coutable
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-05-25 | Merge branch '32748-emails-are-being-sent-with-the-wrong-language' into 'master' | Douwe Maan
Bugfix: Always use the default language when generating emails.
Closes #32748
See merge request !11662
2017-05-25 | Bugfix: Always use the default language when generating emails. | Ruben Davila
There was a race condition issue when the application was generating an email and was using a language that was previously being used in other request.
2017-05-24 | atom links with rss token instead of private token | Alexis Reigel
2017-05-09 | Merge request widget redesign | Fatih Acet
2017-05-05 | Redirect from redirect routes to canonical routes | Michael Kozono
2017-05-04 | More updates for translations plus some refactoring. | Ruben Davila
2017-05-03 | First round of updates from the code review. | Ruben Davila
2017-05-02 | Merge branch 'master' into 28433-internationalise-cycle-analytics-page | Ruben Davila