| Age | Commit message (Collapse) | Author |
|---|
|
The `parent` namespace concept didn't exist until 8.15, so this was
causing a `NoMethodError`.
|
|
Fix export files not removed when a user takes over a namespace
See merge request !2051
|
|
Issue#visible_to_user moved to IssuesFinder
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.
See merge request !2039
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Fix missing Note access checks in by moving Note#search to updated NoteFinder
See merge request !2035
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
API: Memoize the current_user so that the sudo can work properly
Closes #25482
See merge request !8017
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Replace MR access checks with use of MergeRequestsFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### MR lookup from project
- [x] :bomb: app/finders/notes_finder.rb:17
- [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] :bomb: app/controllers/concerns/creates_commit.rb:84
- [x] :traffic_light: app/controllers/projects/commits_controller.rb:24
- [x] :traffic_light: app/controllers/projects/compare_controller.rb:56
- [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27
- [x] :vertical_traffic_light: app/models/commit.rb:268
- [x] :white_check_mark: lib/gitlab/search_results.rb:71
### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?`
See merge request !2033
|
|
'24813-project-members-with-developer-access-can-no-longer-create-tags' into 'master'
Create tag after running pre-hooks and pass updated SHA to post-hooks
Closes #24813
See merge request !7700
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Ensure state param has a valid value when filtering issuables.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
This fix makes sure we only call safe methods on issuable when filtering by state.
See merge request !2038
|
|
Replace issue access checks with use of IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).
- [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`]
- CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`]
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87
See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Fix missing access checks on issue lookup using IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### Issue lookup without access check (security)
- [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
- `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
confidential issues, issues only visible to team, etc.
- [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19
### Code smells
- [x] Potential double render in app/controllers/projects/todos_controller.rb
### Previous discussions
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24
See merge request !2030
|
|
Fix information disclosure in `Projects::BlobController#update`
## What does this MR do?
It was possible to discover private project names by modifying `from_merge_request`parameter in `Projects::BlobController#update`. This fixes that.
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ce/issues/22869
See merge request !2023
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Fix label creation non members
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416
See merge request !2006
|
|
500 error on project show when user is not logged in and project is still empty
## What does this MR do?
Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show
## Screenshots (if relevant)
When the project is empty and the user is not logged in we default to the empty project partial instead of readme.
## Does this MR meet the acceptance criteria?
- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #23990
See merge request !7376
|
|
Allow commit note to be visible if repo is visible
## What does this MR do?
It enforces the `:download_code` permission in `Event#visible_to_user?` for commit notes.
Closes #23824
See merge request !7504
|
|
Limit labels returned for a specific project as an administrator
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/24527
See merge request !7496
|
|
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`
## What does this MR do?
Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`
It is needed for the `lfs_check_access!` callback when the repository size limit is enabled (EE only).
cc @stanhu @ahanselka
## Why was this MR needed?
Errors shown here: gitlab-org/gitlab-ce#24392
Discovered thanks to gitlab-com/infrastructure#302
## What are the relevant issue numbers?
Fixes #24392
Fixes gitlab-com/support-forum#1280
See merge request !7417
|
|
Ensure labels are loaded for all "show" methods of MR Controller
Closes #24397
See merge request !7416
|
|
Fix cache for commit status in commits list to respect branches
Fix cache for commit status in commits list to respect branches
Closes #24324
See merge request !7372
|
|
'master'
Clicking "force remove source branch" label now toggles the checkbox again
We remove the ID from the hidden tag for `merge_request[force_remove_source_branch]`
in order to fix the checkbox toggling when the associated label is clicked.
The issue was introduced by !7267 and discovered in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7267#note_18028311.
See merge request !7356
|
|
Fix no "Register" tab if ldap auth is enabled (#24038)
Closes #24038
See merge request !7274
|
|
Fix project Visibility level selector not using default values
closes #20245
See merge request !7264
|
|
Fix relative links in Markdown wiki when displayed in "Project" tab
Refers to #23806
See merge request !7218
|
|
Milestone dropdown does not stay selected
Closes #23713
See merge request !7117
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Account for fixed position MR when scrolling to elements
This MR accounts for the new merge request fixed affix bar when scrolling to an element on the MR page.
The fixed MR tabs bar was not being taken into account when shifting permalink scroll targets so that they are unobscured by navigation elements.
Closes #23520
See merge request !7051
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Restore unauthenticated access to public container registries
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24284
/cc @stanhu @kamil @pablo
See merge request !2025
|
|
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Fixups to "Round-robin repository storage"
## What does this MR do?
* Simplifies a method in application_settings.rb
* Correctly marks a migration as needing downtime
* Documents the requirement for renamed columns to be
## Are there points in the code the reviewer needs to double check?
Should any of these changes be split out? Ideally we'd get this into the same point release as !7273
## Why was this MR needed?
Post-facto review of !7273
## Screenshots (if relevant)
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [X] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [X] API support added
- Tests
- [X] Added for this feature/bug
- [x] All builds are passing
- [X] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Related to #24059
/cc @yorickpeterse @rspeicher
See merge request !7287
|
|
Show pipeline status from branch and commit than only commit
Closes #23615
See merge request !7034
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Resolve "Introduce round-robin project creation to spread load over multiple shards"
Allow multiple shards to be enabled in the admin settings page, balancing project creation across all enabled shards.
* `f.select ..., multiple: true` isn't the most beautiful UI in the world, but switching to `collection_check_boxes` (or a facsimile thereof) isn't trivial
* Should `pick_repository_storage` be a method of `ApplicationSetting`, or `Project`? It's going to accrete logic over time so perhaps it should be its own class already?
* This is written to avoid the need for a database migration, so it is`serialize :repository_storage` without `, Array`. This is tested, but alternatives include:
* Add a database migration
* Write a custom Coder that will accept a String or Array in `load` and always `dump an Array.
Closes #24059
See merge request !7273
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
See merge request !7014
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Fix lightweight tags not processed correctly by GitTagPushService
Closes #22271
See merge request !6532
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
'24102-cannot-unselect-remove-source-branch-when-editing-merge-request' into 'master'
Fixes #24102
See merge request !7267
|
|
Only skip group when it's actually a group in the "Share with group" select
Fixes #23961
See merge request !7262
|
|
Fix project features default values
closes #23242
See merge request !7181
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Fix builds tab visibility
closes #23951
See merge request !7178
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Optimize group labels page
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23684
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/1148
See merge request !7123
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Allow owners to fetch source code in CI builds
Due to different way of handling owners of a project, they were not allowed to fetch CI sources for project.
This adds a separate code path for handling owners, that are not admins.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23437
See merge request !6943
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Respect project visibility settings in the contributions calendar
This MR fixes a number of bugs relating to access controls and date selection of events for the contributions calendar
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23403
See merge request !2019
|
|
Ensure external users are not able to clone disabled repositories.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23788
See merge request !2017
|
|
disable markdown in comments when referencing disabled features
fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548
This MR prevents the following references when tool is disabled:
- issues
- snippets
- commits - when repo is disabled
- commit range - when repo is disabled
- milestones
This MR does not prevent references to repository files, since they are just markdown links and don't leak
information.
See merge request !2011
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Honour issue and merge request visibility in their respective finders
This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481
See merge request !2000
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
'23872-members-of-group-that-has-project-access-getting-404-on-accessing-a-project-issue' into 'master'
Fix project member access for group links
Closes #23872.
See merge request !7144
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Increase z index on fixed mr tabs
Before:
<img src="/uploads/e890a4f185af87b66251d744fbe840d5/Screen_Shot_2016-10-26_at_11.58.45_AM.png" width="400px">
After:
<img src="/uploads/0bbf72888f6a47bd3027ee7dfff542da/Screen_Shot_2016-10-26_at_11.58.28_AM.png" width="400px">
Closes #23866
See merge request !7124
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Pass user instance to Labels::FindOrCreateService or skip_authorization: true
It fixes a bug described in #23694 when `project.owner` was passed to `Labels::FindOrCreateService`. `Labels::FindOrCreateService` expected a user instance and `project.owner` may return a group as well. This MR makes sure that we either pass a user instance or `skip_authorization: true`.
Fixes #23694
See merge request !7093
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
'23661-lacking-padding-on-syntax-highlight-blocks-in-diff-comments' into 'master'
Resolve "Lacking padding on syntax highlight blocks in diff comments"
Enforces horizontal padding on highlight block.
There was no horizontal padding on diff comment highlight blocks.
Closes #23661
See merge request !7062
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
'21248-wrong-urlencoding-when-switching-branch-in-graphs-contributers' into 'master'
Fix refs dropdown selection with special characters
Remove unneeded encode from the project-refs-dropdown renderRow method.
Closes #21248
See merge request !7061
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Modify GitHub importer to be retryable
Closes #23533
See merge request !7003
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Only remove right connector of first build of last stage
Closes #23849
See merge request !7179
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Use Hash rocket syntax to fix cycle analytics under Ruby 2.1
Refers to #23510
See merge request !6977
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Fix encoding issues on pipeline commits
## What does this MR do?
#### What does this MR do?
Sets `escape: false` on `truncate` method to fix commit message on pipelines page
#### Screenshots (if relevant)
Before:
After:
#### What are the relevant issue numbers?
Closes #23258
See merge request !6832
|
