| Age | Commit message (Collapse) | Author |
|---|
|
Adds `set_issue_updated_at` similar to `set_issue_created_at`
permission and cleans up the related permission check in issues
API.
|
|
|
|
This is step one of resolving
https://gitlab.com/gitlab-org/gitlab-ce/issues/56838.
Here is what changed:
- Revert the security fix from bdee9e8412d.
- Do not leak repository information (tag name, commit) to guests in API
responses.
- Do not include links to source code in API responses for users that do
not have download_code access.
- Show Releases in sidebar for guests.
- Do not display links to source code under Assets for users that do not
have download_code access.
GET ':id/releases/:tag_name' still do not allow guests to access
releases. This is to prevent guessing tag existence.
|
|
spec/features/groups/group_page_with_external_authorization_service_spec to EE
|
|
This reverts merge request !26823
|
|
spec/features/groups/group_page_with_external_authorization_service_spec to EE
|
|
The api will proxy requests to the environment's prometheus server.
The Prometheus::ProxyService class can be reused when we add support for
group prometheus servers.
|
|
jarv/dev-to-gitlab-2019-04-02
|
|
As they do not have a permission to read git tag
|
|
|
|
Fixes #56864
|
|
|
|
|
|
|
|
Disable issue board policies when issues are disabled
Closes #2798
See merge request gitlab/gitlabhq!2894
|
|
Resolve "Project fetch statistics API (HTTP only)"
Closes #42086
See merge request gitlab-org/gitlab-ce!23596
|
|
The API get projects/:id/traffic/fetches allows user with write
access to the repository to get the number of clones for the
last 30 days.
|
|
Move remove_pages permission to maintainer
Fix before_action in pages controller to check `remove_pages`
permission
Add specs
|
|
Board list policies are also included
|
|
|
|
When the external wiki is enabled, the internal wiki link is replaced
by the external wiki url. But the internal wiki is still accessible.
In this change the external wiki will have its own tab in the sidebar
and only if the services are disabled the tab (and access rights)
will not be displayed.
|
|
|
|
|
|
Load whole file in memory to simplify code
|
|
Also refactored cleanup view to use the same localized string
|
|
Process CSV uploads async using a worker then email results
|
|
Add spec for all release API - GET, POST, PUT, DELETE.
Also, fixes some minior bugs.
|
|
This commit introduces Releases API under /api/v4/projects/:id/releases
* We are introducing release policies at project level.
* We are deprecating releases changes from tags, both api and web
interface.
* Tags::CreateService no longer create a release
This feature is controlled by :releases_page feature flag
|
|
Include a new policy in Clusterables
(projects and groups), which checks if another cluster
can be added
clusterable_has_cluster? and multiple_clusters_available
private methods will be overriden in EE
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/34758
|
|
- maintainer for group can read, create, update, and admin cluster
- project user, at any level, cannot do anything with group cluster
|
|
|
|
If we don't call #to_a, we're relying on the members already being loaded from
elsewhere. Otherwise we'll do a separate query for each user:
[1] pry(main)> Project.first.team.members.include?(User.first)
Project Load (0.7ms) SELECT "projects".* FROM "projects" ORDER BY "projects"."id" ASC LIMIT 1
↳ (pry):3
User Load (1.8ms) SELECT "users".* FROM "users" ORDER BY "users"."id" ASC LIMIT 1
↳ (pry):3
User Exists (0.6ms) SELECT 1 AS one FROM "users" INNER JOIN "project_authorizations" ON "users"."id" = "project_authorizations"."user_id" WHERE "project_authorizations"."project_id" = $1 AND "users"."id" = $2 LIMIT 1 [["project_id", 1], ["id", 1]]
↳ (pry):3
=> true
[2] pry(main)> Project.first.team.members.to_a.include?(User.first)
Project Load (12.8ms) SELECT "projects".* FROM "projects" ORDER BY "projects"."id" ASC LIMIT 1
↳ (pry):1
User Load (9.6ms) SELECT "users".* FROM "users" INNER JOIN "project_authorizations" ON "users"."id" = "project_authorizations"."user_id" WHERE "project_authorizations"."project_id" = $1 [["project_id", 1]]
↳ (pry):1
User Load (0.6ms) SELECT "users".* FROM "users" ORDER BY "users"."id" ASC LIMIT 1
↳ (pry):1
=> true
|
|
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
|
|
Restrict reopening locked issues for non authorized issue authors
Closes #39665
See merge request gitlab-org/gitlab-ce!21299
|
|
|
|
This is more idiomatic than checking membership explicitly.
|
|
|
|
Enable frozen string in:
* app/presenters
* app/policies
Partially addresses #47424.
|
|
|
|
repository or builds are disabled
|
|
|
|
|
|
|
|
This prevents performing the requests, and disables all emoji reaction buttons
|
|
So we can distinguish between the permissions on the source and the
target project.
- `create_merge_request_from` indicates a user can create a merge
request with the project as a source_project
- `create_merge_request_in` indicates a user can create a merge
request with the project as a target_project
|
|
This prevents creating merge requests targeting archived projects.
This could happen when a project was already forked, but then the
source was archived.
|
|
That way the ProjectPolicy class can be extended with this module
before we prepend the EE::ProjectPolicy. This makes the classmethods
available for rules defined in the EE::ProjectPolicy.
|
|
|
|
prevent confusion with destroy_protected_branch
|
|
|
