Age | Commit message | Author
Fix for HackerOne XSS vulnerability in markdown
This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>
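The linking rule the commit above describes (text is never removed; a URL becomes a link only if it parses and its scheme is not dangerous), as an added illustration in Ruby that is not GitLab's own markdown code. `DANGEROUS_SCHEMES`, the whitespace tokenizer and the anchor attributes are assumptions made for this example.

```ruby
# Added example (not GitLab's code): autolink only parseable, non-dangerous
# URIs and leave everything else in place as escaped text.
require 'uri'
require 'cgi'

# Constructed blocklist for this example; a real one would be maintained
# alongside the sanitizer.
DANGEROUS_SCHEMES = %w[javascript vbscript data].freeze

# A token may be linked only if Ruby's URI parser accepts it and the
# (case-insensitive) scheme is not on the blocklist. Invalid URIs count as
# plain text, never as links.
def linkable?(text)
  uri = URI.parse(text)
  scheme = uri.scheme
  return false if scheme.nil? || scheme.empty?
  !DANGEROUS_SCHEMES.include?(scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Render plain text as HTML: every token is escaped; tokens that look like a
# scheme-prefixed URL and pass linkable? become anchors, all other tokens are
# emitted as escaped text so nothing the user wrote is dropped.
def autolink(text)
  text.split(/(\s+)/).map do |token|
    escaped = CGI.escapeHTML(token)
    if token.match?(/\A[a-z][a-z0-9+.-]*:\S/i) && linkable?(token)
      %(<a href="#{escaped}" rel="nofollow noreferrer">#{escaped}</a>)
    else
      escaped
    end
  end.join
end
```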
|
|
This reverts commit 49bf8674abbbb8626e55cff04c863c03ae5b55d1.
|
relevant spec.
|
|
API: Share projects only with groups current_user can access
Aims to address the issues here: https://gitlab.com/gitlab-org/gitlab-ce/issues/23004
* Projects can be shared with non-existent groups
* Projects can be shared with groups that the current user does not have access to read
Concerns:
The new implementation of the API endpoint allows projects to be shared with a larger range of groups than can be done via the web UI.
The form for sharing a project with a group uses the following API endpoint to index the available groups: https://gitlab.com/gitlab-org/gitlab-ce/blob/494269fc92f61098ee6bd635a0426129ce2c5456/lib/api/groups.rb#L17. The groups indexed in the web form will only be those groups that the user is currently a member of.
The new implementation allows projects to be shared with any group that the authenticated user has access to view. This widens the range of groups to those that are public and internal.
See merge request !2005
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Escape HTML nodes in builds commands in ci linter
This MR removes the call to `simple_format` that behaves like `String#html_safe`, thus passing unescaped HTML tags to the view.
Closes #22541
See merge request !2001
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
API: disable rails session auth for non-GET/HEAD requests
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435
See merge request !1999
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Enforce the fork_project permission in Projects::CreateService
Projects::ForkService delegates to this service almost entirely, but needed one small change so it would propagate create errors correctly.
CreateService#execute needs significant refactoring; it is now right at the complexity limit set by Rubocop. I avoided doing so in this commit to keep the diff as small as possible.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18028
See merge request !1996
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Avoid conflict with Admin labels when importing GitHub labels
If the GitHub project has labels that duplicate the Admin labels, the importer will use the Admin label.
Fixes #21319
See merge request !6158
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Allow the Rails cookie to be used for API authentication
Makes the Rails cookie into a valid authentication token for the Grape API, and uses it instead of token authentication in frontend code that uses the API.
Rendering the private token into client-side JavaScript is a security risk; it may be stolen through XSS or other attacks. In general, re-using API code in the frontend is more desirable than implementing endless actions that return JSON.
Closes #18302
See merge request !1995
Signed-off-by: Rémy Coutable <remy@rymai.me>
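The policy that this commit and the later "disable rails session auth for non-GET/HEAD requests" commit describe, as an added Ruby illustration that is not GitLab's own authentication code: the private token is accepted on any request, while the browser session cookie only authenticates safe (GET/HEAD) requests, since the browser attaches it to cross-site requests automatically. The Rack-style `env` hash, the `USERS` and `SESSIONS` tables, and the cookie name are assumptions made for this example.

```ruby
# Added example (not GitLab's code): token on any method, session cookie on
# GET/HEAD only. All data below is constructed sample data.
SAFE_METHODS = %w[GET HEAD].freeze
SESSION_COOKIE = '_gitlab_session'.freeze

# Constructed lookup tables: private token -> user, session id -> user id.
USERS = {
  'tok_alice_example' => { id: 1, username: 'alice' },
  'tok_bob_example'   => { id: 2, username: 'bob' }
}.freeze
SESSIONS = { 'sess_alice_example' => 1 }.freeze

# Parse a Cookie request header into a hash (first occurrence of a name wins).
def parse_cookies(header)
  return {} if header.nil? || header.empty?
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    cookies[name] ||= value if name && value
  end
end

def user_from_session_cookie(env)
  user_id = SESSIONS[parse_cookies(env['HTTP_COOKIE'])[SESSION_COOKIE]]
  user_id && USERS.values.find { |u| u[:id] == user_id }
end

# Returns [user, :token], [user, :session], or nil when unauthenticated.
# A presented but invalid token is rejected outright rather than silently
# falling back to the cookie, so API clients cannot be downgraded to
# cookie auth by a typo in their token.
def authenticate_api_request(env)
  if env.key?('HTTP_PRIVATE_TOKEN')
    user = USERS[env['HTTP_PRIVATE_TOKEN']]
    return user ? [user, :token] : nil
  end
  # The session cookie is ambient credential: only honour it for requests
  # that cannot change state, which removes the CSRF surface on the API.
  method = (env['REQUEST_METHOD'] || 'GET').upcase
  if SAFE_METHODS.include?(method) && (user = user_from_session_cookie(env))
    return [user, :session]
  end
  nil
end
```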
|
|
Exclude some pending or inactivated rows in Member scopes
An unapproved request or not-yet-accepted invite should not give access rights. Neither should a blocked user be considered a member of anything.
One visible outcome of this behaviour is that owners and masters of a group or project may be blocked, yet still receive notification emails for access requests.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21650
See merge request !1994
|
|
Fix merge conflict size limit
## What does this MR do?
The merge conflict size limit was set to 100 KB, but the docs (and the test repo, which the feature specs use) say 200 KB!
## Are there points in the code the reviewer needs to double check?
Don't think so.
## Why was this MR needed?
Derp.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !6052
|
|
'21109-discussion-resolve-runs-a-single-update-query-per-note-but-should-run-a-single-update-query-for-all-notes-instead' into 'master'
Optimize discussion notes resolving and unresolving
## What does this MR do?
Optimize discussion notes resolving and unresolving
## Are there points in the code the reviewer needs to double check?
Some changes had to be made to the discussion spec to account for the fact that notes are not individually updated now. I only focused on adapting them for the purpose of the regression fix, but admittedly they could be further improved in readability.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #21109
See merge request !6141
|
|
Fix intermittent spec failures with spec/features/issues/user_uses_slash_commands_spec.rb
This MR solves the intermittent spec failure:
```
1) Issues > User uses slash commands behaves like issuable record that supports slash commands in its description and notes note on issue with a note changing the issue's title when current user cannot change title of issue does not reopen the issue
Failure/Error: Gitlab::Routing.url_helpers.namespace_project_url(self.namespace, self)
ActionController::UrlGenerationError:
No route matches {:action=>"show", :controller=>"projects", :id=>#<Project id: 1, name: "project135", path: "gitlabhq", description: nil, created_at: "2016-08-31 20:45:48", updated_at: "2016-08-31 20:45:48", creator_id: 2, issues_enabled: true, merge_requests_enabled: true, wiki_enabled: true, namespace_id: 2, snippets_enabled: true, last_activity_at: "2016-08-31 20:45:48", import_url: nil, visibility_level: 20, archived: false, avatar: nil, import_status: "none", repository_size: 0.0, star_count: 0, import_type: nil, import_source: nil, commit_count: 0, import_error: nil, ci_id: nil, builds_enabled: true, shared_runners_enabled: true, runners_token: "_rNZHgsHzaDWGbyL3L2F", build_coverage_regex: nil, build_allow_git_fetch: true, build_timeout: 3600, pending_delete: false, public_builds: true, pushes_since_gc: 0, last_repository_check_failed: nil, last_repository_check_at: nil, container_registry_enabled: true, only_allow_merge_if_build_succeeds: false, has_external_issue_tracker: false, repository_storage: "default", request_access_enabled: true, has_external_wiki: false, lfs_enabled: nil>, :namespace_id=>nil} missing required keys: [:namespace_id]
Shared Example Group: "issuable record that supports slash commands in its description and notes" called from ./spec/features/issues/user_uses_slash_commands_spec.rb:6
# ./app/models/project.rb:611:in `web_url'
# ./app/models/project.rb:975:in `hook_attrs'
# ./lib/gitlab/data_builder/note.rb:58:in `build_base_data'
# ./lib/gitlab/data_builder/note.rb:38:in `build'
# ./app/services/notes/post_process_service.rb:19:in `hook_data'
# ./app/services/notes/post_process_service.rb:23:in `execute_note_hooks'
# ./app/services/notes/post_process_service.rb:14:in `execute'
# ./app/workers/new_note_worker.rb:10:in `perform'
# ./app/services/notes/create_service.rb:29:in `execute'
# ./app/controllers/projects/notes_controller.rb:26:in `create'
# ./lib/gitlab/request_profiler/middleware.rb:15:in `call'
# ./lib/gitlab/middleware/go.rb:16:in `call'
# ./lib/gitlab/middleware/static.rb:9:in `call'
```
There were a number of issues:
1. Sidekiq async tasks were being run after project namespaces were deleted. Use Sidekiq in fake mode to prevent Sidekiq tasks from being enqueued in the first place.
2. Some outstanding Ajax requests (e.g. autocomplete) were still being loaded while `DatabaseCleaner` ran
3. `logout` did not always wait for logout actually to complete
Closes #21723
See merge request !6271
|
|
Fix an error where we were unable to create a CommitStatus for running state
Due to severe refactoring of Pipeline we introduced a regression in how CommitStatus is handled. We received a report that it's impossible to create a CommitStatus with state `running` when there was no previous status.
The support for Commit Statuses should be simplified. Right now I'm doing a minimal change to move forward and fix a bug, but I'll create a new MR that will move all logic that is now part of `lib/api/commit_statuses.rb` to a separate service to simplify the implementation.
This error happens due to the fact that we introduced additional status of builds: `created`.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/21345
See merge request !6107
|
|
Restore SSH Key title auto-population behavior
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21823
See merge request !6186
|
|
Added search for all lists on issue boards
Adds a search box to allow the user to search all lists in issue boards rather than just the backlog.
![Screen_Shot_2016-08-30_at_10.33.15](/uploads/67e96055d60a9b3209ce3831a1980c09/Screen_Shot_2016-08-30_at_10.33.15.png)
![Screen_Shot_2016-08-30_at_10.33.19](/uploads/8d5253b8f2ecf1cf9a69d70be8ccf1f9/Screen_Shot_2016-08-30_at_10.33.19.png)
Closes #21139
See merge request !6101
Conflicts:
app/assets/stylesheets/pages/boards.scss
app/views/projects/boards/components/_board.html.haml
|
|
Optimize branch lookups and force a repository reload for Repository#find_branch
See merge request !6087
|
|
Add the total number of issues in the JSON response in issue board lists
The issue board lists should always show the total number of issues in the list, not the current amount fetched by endless scroll.
Closes #21327
See merge request !5904
Conflicts:
app/assets/stylesheets/pages/boards.scss
app/views/projects/boards/components/_board.html.haml
|
|
Fix confidential issues made public after import
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/21803
The gitlab.com import was ignoring the confidential attribute, hence making all issues public after being imported.
The API has changed in order to also expose this field.
See merge request !1992
|
|
Scope webhooks/services that will run for confidential issues
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/20661
See merge request !1986
Conflicts:
db/schema.rb
|
|
Remove gitorious
## What does this MR do?
Remove gitorious as import source
## Are there points in the code the reviewer needs to double check?
Did I remove everything?
## Why was this MR needed?
This button yielded a 404
## What are the relevant issue numbers?
Closes #17062
/cc @JobV
See merge request !5866
|
|
'gh-importer-use-default-project-visibility-for-non-private-projects' into 'master'
GitHub importer use default project visibility for non-private projects
## What does this MR do?
GitHub importer uses the `Default Project Visibility` setting for all non-private projects.
## Why was this MR needed?
This allows users to import projects when `Public` visibility is restricted.
## What are the relevant issue numbers?
Fixes #21437
See merge request !6023
|
|
'21457-not-create-groups-for-unallowed-users-when-importing-projects' into 'master'
Don't create groups for unallowed users when importing projects
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/21457
See merge request !1990
|
|
'21567-fix-sorting-issues-by-last-updated-after-import-from-github' into 'master'
Fix sorting issues by "last updated" after import from GitHub
## What does this MR do?
Don't touch the Issue/Merge Request when importing GitHub comments, as it will trigger an update on the `updated_at` field. It also uses `updated_at` as the last updated date regardless of the Issue/Pull Request state.
## Why was this MR needed?
After import from GitHub, sorting issues by "last updated" doesn't work as expected.
## What are the relevant issue numbers?
Fixes #21567
See merge request !6110
|
|
Fixed escaping issue with labels filter
## What does this MR do?
Encodes label names to stop any JS errors.
## What are the relevant issue numbers?
Closes #15552
See merge request !6123
|
|
'master'
Fix issue boards leak private labels names descriptions
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/21167
/cc @stanhu
See merge request !1989
|
|
Do not enforce using a hash with hidden ci key
## What does this MR do?
This MR removes the validation rule that was too strict.
## Why was this MR needed?
Enforcing hidden CI job configuration to be a hash narrows the options for using YAML anchors, and was not backwards compatible.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #21512
See merge request !6079
|
|
'21446-service-external-wiki-only-works-when-project-wiki-is-enabled' into 'master'
Fix "Wiki" link not appearing in navigation for projects with external wiki
## Are there points in the code the reviewer needs to double check?
No
## What are the relevant issue numbers?
Closes #21446
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !6057
|
|
into 'master'
Fix resolving conflicts on forks
## What does this MR do?
When we resolve conflicts, we create a merge commit in the source branch with parents `[source_branch_head, target_branch_head]`. But when the MR is from a fork, `target_branch_head` might not exist in the source repo at all, so we need to fetch it if it isn't there. We can do this locally so it should be fast.
## Are there points in the code the reviewer needs to double check?
The `TestEnv` changes are needed to reset the branch refs if we're reusing a git directory locally - otherwise, there might not be conflicts!
## Why was this MR needed?
It's a bug in a new feature!
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes #21459.
See merge request !6082
|
|
into 'master'
Fix diff comments on legacy MRs
Allow diff commenting on MRs without complete diff refs. (Commenting would work before, but the JSON response would fail, so you'd only see your comment after a refresh.)
Is this really all I needed to do? I feel like there must be more to it :blush:
It's a regression!
Closes #21211.
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !6029
Conflicts:
spec/features/merge_requests/diff_notes_spec.rb
|
|
'21257-label-lists-should-shows-opened-or-closed-issues-with-that-label' into 'master'
Label list shows all issues (opened or closed) with that label
## What does this MR do?
Change the label list to show all issues (opened or closed) with that label.
## What are the relevant issue numbers?
Closes #21257
See merge request !5991
|
|
'21247-mergerequestscontroller-conflicts-may-fail-with-iso-8859-data' into 'master'
Handle non-UTF-8 conflicts gracefully
## What does this MR do?
If a conflict file isn't in a UTF-8-compatible encoding, we can't resolve it in the UI.
## What are the relevant issue numbers?
Closes #21247.
See merge request !5961
|
|
Fix external issue tracker "Issues" link leading to 404s
## What does this MR do?
This MR fixes the redirection to the wrong URL when using an external issue tracker, such as JIRA or Redmine. a70431f874 modified the behavior to link to the external issue tracker issues URL instead of the project path URL. This restores the previous behavior.
## Why was this MR needed?
The issues URL often has `:id` associated with it for linking mentioned issues.
For external issue trackers, the project page is the intended target.
## What are the relevant issue numbers?
Closes #21252
Related to #21402
See merge request !6006
|
|
'master'
Handle unavailable system info
## What does this MR do?
Handle the case where we can't get system info without blowing up. As this is the first tab in the monitoring section, it's difficult to get to the other tabs if this page throws a 500. Also be more specific about the info we want, so we don't fail on something we don't care about (like `/proc/net/dev`).
## Why was this MR needed?
grsecurity can prevent users from reading `/proc`, which is what Vmstat uses to find CPU and memory info.
## What are the relevant issue numbers?
Closes #21378.
See merge request !5989
|
last_push_event widget considers fork events on the main project
Push events on the fork of the current project are considered to be shown beside the push events on the current project. Before, we only considered fork events if a fork existed, so we missed current project events when the current user had a fork.
Closes #20254
See merge request !5978
|
|
Does not halt the GitHub import process when an error occurs
## What are the relevant issue numbers?
Fixes #20385
https://gitlab.com/gitlab-org/gitlab-ce/issues/20149
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5763
|
|
Fix typo in gitlab-workhorse header
See merge request !5891
|
|
Bump SimpleCov merge timeout to 365 days
## What does this MR do?
In case the CI pipeline fails because of intermittent errors in one of the jobs, when someone retries the only failing job located in the middle stage, the job that calculates compound coverage, which is configured in a later stage and triggered after retrying the job in the pipeline, will still return an accurate coverage value.
Closes #21144
See merge request !5932
|
|
Fixed enter key in search input not working
## What does this MR do?
Fixes a bug where the enter key wouldn't search in the top nav search input
Closes #20627
See merge request !5888
|
|
Fix incorrect "stopped impersonation" log message
Minor bug: Usernames were swapped in the log message.
Closes #21015
See merge request !5949
|
|
Fix file links on project page Files view
## What does this MR do?
Fix the project show page when the default view is set to Files so that the links work.
## Are there points in the code the reviewer needs to double check?
I can't figure out what caused this to break :confused:
## What are the relevant issue numbers?
Closes https://gitlab.com/gitlab-com/support-forum/issues/959.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md) (N/A)
- [x] API support added (N/A)
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5933
|
|
into 'master'
17465 Fixed dropdown cursor key navigation
## What does this MR do?
This MR fixes the use of cursor/arrow/enter key events with search dropdowns, allowing a user to navigate up and down the list with the arrow keys and then select their item with the enter key.
It also applies some *minor* scroll user experience fixes, such as resetting the selected dropdown item every time it opens/closes (also stops multiple dropdowns conflicting) and forcing the dropdown scroll to scroll right to the top or bottom depending on whether they have selected the first or last item, respectively.
## Are there points in the code the reviewer needs to double check?
I would like someone with GitLab experience to check over whether this would harm any unique implementations of the GitLabDropdown or SearchAutocomplete.
## Why was this MR needed?
The current version has incorrectly behaving search dropdowns in the navbar; they either do not navigate using the keyboard or do not use the enter keystroke to select a highlighted item.
## What are the relevant issue numbers?
Fixes #17465.
Closes #20752.
Closes #21014.
**Contributes** to #20754.
## Screenshots (if relevant)
![17465.mp4](/uploads/1145abec226036abbaaa4aa46020f52b/17465.mp4)
See merge request !4781
|
|
Fix assorted rspec failures due to stale, cached user permissions
RequestStore is disabled in tests, but the Ability class was caching user permissions based on the user and project ID of previous test runs. Revise code to use RequestStore only if it is active.
See merge request !5919
|
|
Fix Error 500 resulting when loading network graph
`discussion_id` may not be present when the SELECT call for notes does not include this attribute. Don't attempt to set the discussion ID unless the model contains the attribute:
```ruby
irb(main):019:0> notes[0]
Note Load (10.3ms) SELECT notes.commit_id, count(notes.id) as note_count FROM "notes" WHERE "notes"."project_id" = $1 AND (noteable_type = 'Commit') GROUP BY notes.commit_id [["project_id", 13083]]
ActiveModel::MissingAttributeError: missing attribute: discussion_id
```
Closes #21119, #21128
See merge request !5922
|
Backport changes from gitlab-org/gitlab-ee!581
See merge request !5884
|
|
Disable “issue by email” feature until it uses a different token
Separate token being worked on in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5914, but too late for 8.11.
See merge request !5915
|
|
Todos sorting dropdown
Implements #18135
![todos_sorting](/uploads/bff76827c421628134dfb8b864e47c74/todos_sorting.png)
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5691
|