| Age | Commit message (Collapse) | Author |
|---|
|
Fix PDF.js vulnerability
See merge request gitlab/gitlabhq!3026
|
|
'11-7-stable'
Disallow changing namespace of a project in update method
See merge request gitlab/gitlabhq!3031
|
|
Check label_ids parent when updating issue board
See merge request gitlab/gitlabhq!3037
|
|
'11-7-stable'
Fix XSS in resolve conflicts form
See merge request gitlab/gitlabhq!2988
|
|
Fix related branches visible in issues for guests
See merge request gitlab/gitlabhq!3020
|
|
As they do not have a permission to read git tag
|
|
|
|
- labels have to be in the same project/group
as an issuable
|
|
|
|
fix: changed PDFJS prop to GlobalWorkerOptions
Fixed pdf tests
Added changelog entry
|
|
Guest user of a project should not see branches
|
|
When executing quick actions, this limits the `commands_changes`
response to only those used by the frontend
|
|
The issue arose when the branch name contained Vue template
JavaScript. The fix is to use `v-pre` which disables Vue
compilation in a template.
|
|
|
|
Display only labels and assignees of issues
visible by the currently logged user
Display only issues visible to user in the burndown chart
|
|
|
|
'11-7-stable'
Filter impersonated sessions from active sessions and remove ability to revoke session
See merge request gitlab/gitlabhq!2982
|
|
Check issue milestone availability
See merge request gitlab/gitlabhq!2905
|
|
Disable issue board policies when issues are disabled
See merge request gitlab/gitlabhq!2911
|
|
Show only MRs visible to user on milestone detail
See merge request gitlab/gitlabhq!2924
|
|
Don't allow non-members to see private related MRs
See merge request gitlab/gitlabhq!2931
|
|
Validate session key when authorizing with GCP to create a cluster
See merge request gitlab/gitlabhq!2935
|
|
Check snippet attached file to be moved is within designated directory
See merge request gitlab/gitlabhq!2942
|
|
Check validity before querying so that if the dns entry for the api_url
has been changed to something invalid after the model was saved and
checked for validity, it will not query. This is to solve a toctou
(time of check to time of use) issue.
|
|
Fix leaking private repository information in API
See merge request gitlab/gitlabhq!2949
|
|
|
|
Remove link after issue move when no permissions
See merge request gitlab/gitlabhq!2956
|
|
Block local URLs for Kubernetes integration
See merge request gitlab/gitlabhq!2960
|
|
'security-add-public-internal-groups-as-members-to-your-project-idor-11-7' into '11-7-stable'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2963
|
|
Stop linking to unrecognized package sources
See merge request gitlab/gitlabhq!2970
|
|
[11.7] Prevent disclosing project milestone titles
See merge request gitlab/gitlabhq!2974
|
|
Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.
|
|
|
|
|
|
Prevent unauthorized users having access to milestone titles
through autocomplete endpoint.
|
|
|
|
Use existing `public_url` validation to block various local urls. Note
that this validation will allow local urls if the "Allow requests to the
local network from hooks and services" admin setting is enabled.
Block KubeClient from using local addresses
It will also respect `allow_local_requests_from_hooks_and_services` so
if that is enabled KubeClinet will allow local addresses
|
|
Previously one could move any temp/ sub folder around.
Align spec with actual usage, as currently we pass temp file path to
FileMover.
|
|
Don't show new issue link after move
when a user does not have permissions
to display the new issue
|
|
|
|
defaultBranch and ciConfigPath should only be available to users with
the :download_code permission for the Project, as the respository might
be private.
When implementing the authorize check on these properties, it was
found that our current Graphql::Authorize::Instrumentation class does
not work with fields that resolve to subclasses of
GraphQL::Schema::Scalar, like GraphQL::STRING_TYPE.
After discussion with other Create Team members, it has been decided
that because the GraphQL API is not GA, to remove these properties from
ProjectType, and instead implement them as part of epic
https://gitlab.com/groups/gitlab-org/-/epics/711
Issue:
https://gitlab.com/gitlab-org/gitlab-ce/issues/55316
|
|
It was previously possible to link a GCP account to another
user's GitLab account by having them visit the callback URL,
as there was no check that they were the initiator of the
request.
We now reject the callback unless the state parameter
matches the one added to the initiating user's session.
|
|
|
|
|
|
Board list policies are also included
|
|
Add project when creating milestone in specs
We validate milestone is from the same
project/parent group as issuable ->
we need to set project in specs correctly
Improve methods names and specs organization
|
|
Changed external wiki query method to prevent attribute caching
Closes #57228
See merge request gitlab-org/gitlab-ce!24907
(cherry picked from commit 7ffbfeb1f79b18b6a3a42e73d12b9680e3e3eb48)
247bd122 Changed external wiki query method to prevent attribute caching
|
|
Fix Detect Host Keys not working
Closes #56855
See merge request gitlab-org/gitlab-ce!24884
(cherry picked from commit 2b0f4df0217b4a4aee53f964610d66ceedb68dca)
4c1231ac Fix SSH Detect Host Keys not working
|
|
Fix migration when project repository is missing
See merge request gitlab-org/gitlab-ce!24859
(cherry picked from commit c5d431240e09e20c49dd27b9c65a4865f3f79bbd)
db35a3ae Fix migration when project repository is missing
|
|
Init GLForm instance on form while editing tags
Closes #56424
See merge request gitlab-org/gitlab-ce!24645
(cherry picked from commit 15a7f3c6af5286dee5188af045d3e80f95323472)
7506275e Init GLForm instance on form while editing tags
b0746e79 Add changelog entry
|
