gitlab.com/gitlab-org/gitlab-foss.git
Age | Commit message | Author
2018-04-07 | Use proper auth_scope for deploy token | Kamil Trzciński
2018-04-07 | Increase test suite around deploy tokens behavior | Mayra Cabrera
Also, fixes broken specs
2018-04-07 | Fixes broken schema and minor changes | Mayra Cabrera
2018-04-07 | Include ProjectDeployTokens | Mayra Cabrera
Also:
- Changes scopes from serializer to use boolean columns
- Fixes broken specs
2018-04-07 | Support Deploy Tokens properly without hacking abilities | Kamil Trzciński
2018-04-07 | Addresses backend review suggestions | Mayra Cabrera
- Remove extra method for authorize_admin_project
- Ensure project presence
- Rename 'read_repo' to 'read_repository' to be more verbose
2018-04-07 | Removes logic from Jwt and handle different scenarios on Gitlab::Auth | Mayra Cabrera
- When using 'read_repo' password and project are sent, so we used both of them to fetch for the token
- When using 'read_registry' only the password is sent, so we only use that for fetching the token
2018-04-07 | Implement read_registry for DeployTokens | Mayra Cabrera
2018-04-07 | Implement 'read_repo' for DeployTokens | Mayra Cabrera
This will allow downloading a repo using the token from the DeployToken
2018-03-27 | Fix LDAP login without user in DB | Horatiu Eugen Vlad
2018-02-28 | Moved o_auth/saml/ldap modules under gitlab/auth | Horatiu Eugen Vlad
2018-01-17 | Merge branch 'sh-migrate-can-push-to-deploy-keys-projects-10-3' into 'security-10-3' | Douwe Maan
[10.3] Migrate `can_push` column from `keys` to `deploy_keys_project`
See merge request gitlab/gitlabhq!2276
(cherry picked from commit f6ca52d31bac350a23938e0aebf717c767b4710c)
1f2bd3c0 Backport to 10.3
2017-11-24 | Merge branch 'dm-fix-registry-with-sudo-token' into 'master' | Sean McGivern
Fix pulling and pushing using a personal access token with the sudo scope
Closes #40466
See merge request gitlab-org/gitlab-ce!15571
2017-11-23 | Fix pulling and pushing using a personal access token with the sudo scope | Douwe Maan
2017-11-23 | Allow password authentication to be disabled entirely | Markus Koller
2017-11-08 | Fix Error 500 when pushing LFS objects with a write deploy key | Stan Hu
2017-11-02 | Add sudo API scope | Douwe Maan
2017-11-02 | Consistently use PersonalAccessToken instead of PersonalToken | Douwe Maan
2017-09-18 | Clean up read_registry scope changes | Robin Bobbitt
Closes #37789
2017-09-12 | Merge branch 'hide-read-registry-scope-when-registry-disabled' into 'master' | Kamil Trzciński
Hide read_registry scope when registry is disabled on instance
See merge request !13314
2017-09-01 | Rolls back changes made to signing_enabled. | Tiago Botelho
2017-08-22 | Hide read_registry scope when registry is disabled on instance | Robin Bobbitt
2017-08-07 | Merge remote-tracking branch 'upstream/master' into add-star-for-action-scope | Lin Jen-Shin
* upstream/master: (184 commits) Fix issues with pdf-js dependencies fix missing changelog entries for security release on 2017-01-23 Update top bar issues icon Fix pipeline icon in contextual nav for projects Since mysql is not a priority anymore, test it less Fix order of CI lint ace editor loading Add container registry and spam logs icons Fix different Markdown styles Backport to CE for: Make new dropdown dividers full width Fix spec Fix spec Fix spec Bump GITLAB_SHELL_VERSION and GITALY_VERSION to support unhiding refs Add changelog Install yarn via apt in update guides Use long curl options fix Add a spec for concurrent process Remove monkey-patched Array.prototype.first() and last() methods ...
2017-08-03 | Change all `:empty_project` to `:project` | Robert Speicher
2017-08-02 | Cleanup tests and add admin_container_image to | Lin Jen-Shin
full_authentication_abilities. This is fine because we're going to check with can?(..) anyway
2017-07-27 | Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true | Rémy Coutable
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-13 | Fixes needed when GitLab sign-in is not enabled | Robin Bobbitt
When sign-in is disabled:
- skip password expiration checks
- prevent password reset requests
- don’t show Password tab in User Settings
- don’t allow login with username/password for Git over HTTP requests
- render 404 on requests to Profiles::PasswordsController
2017-06-08 | Instruct user to use a personal access token for Git over HTTP | Robin Bobbitt
If internal auth is disabled and LDAP is not configured on the instance, present the user with a message to create a personal access token if his Git over HTTP auth attempt fails.
2017-06-06 | Fix test failures | Z.J. van de Weg
2017-06-05 | Create read_registry scope with JWT auth | Z.J. van de Weg
This is the first commit doing mainly 3 things:
1. create a new scope and allow users to use it
2. Have the JWTController respond correctly on this
3. Updates documentation to suggest usage of PATs
There is one gotcha, there will be no support for impersonation tokens, as this seems not needed.
Fixes gitlab-org/gitlab-ce#19219
2017-05-10 | Enable the Style/TrailingCommaInArguments cop | Rémy Coutable
Use the EnforcedStyleForMultiline: no_comma option.
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-04-13 | Allow OAuth clients to push code | Timothy Andrew
- We currently support fetching code with username = 'oauth2' and password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication error.
- There's no reason this shouldn't be enabled, especially since we allow the OAuth client to create deploy keys with push access: https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key
2017-03-07 | Merge branch 'siemens/gitlab-ce-feature/openid-connect' | Sean McGivern
2017-03-07 | Merge remote-tracking branch 'origin/personal_access_token_api_and_impersonation_token' | Douwe Maan
2017-03-07 | Only use API scopes for personal access tokens | Markus Koller
2017-03-07 | Don't allow blocked users to authenticate through other means | Markus Koller
Gitlab::Auth.find_with_user_password is currently used in these places:
- resource_owner_from_credentials in config/initializers/doorkeeper.rb, which is used for the OAuth Resource Owner Password Credentials flow
- the /session API call in lib/api/session.rb, which is used to reveal the user's current authentication_token
In both cases users should only be authenticated if they're in the active state.
2017-03-06 | apply codestyle and implementation changes to the respective feature code | Tiago Botelho
2017-03-06 | Remove unnecessary calls to limit_user!, UniqueIps Middleware, and address MR review | Pawel Chojnacki
- cleanup formatting in haml
- clarify time window is in seconds
- cleanup extraneous chunks in db/schema
- rename count_uniqe_ips to update_and_return_ips_count
- other
2017-03-06 | Cleanup RSpec tests | Pawel Chojnacki
2017-03-06 | Test various login scenarios if the limit gets enforced | Pawel Chojnacki
2017-03-01 | refactors finder and correlated code | Tiago Botelho
2017-03-01 | add impersonation token | Simon Vocella
2017-01-30 | Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms | Drew Blessing
We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2016-12-16 | View-related (and other minor) changes to !5951 based on @rymai's review. | Timothy Andrew
- The `scopes_form` partial can be used in the `admin/applications` view as well
- Don't allow partials to access instance variables directly. Instead, pass in the instance variables as local variables, and use `local_assigns.fetch` to assert that the variables are passed in as expected.
- Change a few instances of `render :partial` to `render`
- Remove an instance of `required: false` in a view, since this is the default
- Inline many instances of a local variable (`ip = 'ip'`) in `auth_spec`
2016-12-16 | Validate access token scopes in `Gitlab::Auth` | Timothy Andrew
- This module is used for git-over-http, as well as JWT.
- The only valid scope here is `api`, currently.
2016-09-28 | Handle LFS token creation and retrieval in the same method, and in the same Redis connection. | Patricio Cano
Reset expiry time of token, if token is retrieved again before it expires.
2016-09-19 | Fix test failure | Kamil Trzcinski
2016-09-19 | Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" | Kamil Trzcinski
This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 | Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043 | Kamil Trzcinski
2016-09-19 | Fix spec failures | Kamil Trzcinski