| Age | Commit message (Collapse) | Author |
|---|
|
Escape HTML nodes in builds commands in ci linter
This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.
Closes #22541
See merge request !2001
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
API: disable rails session auth for non-GET/HEAD requests
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435
See merge request !1999
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Enforce the fork_project permission in Projects::CreateService
Projects::ForkService delegates to this service almost entirely, but needed one small change so it would propagate create errors correctly.
CreateService#execute needs significant refactoring; it is now right at the complexity limit set by Rubocop. I avoided doing so in this commit to keep the diff as small as possible.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18028
See merge request !1996
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Allow the Rails cookie to be used for API authentication
Makes the Rails cookie into a valid authentication token for the Grape
API, and uses it instead of token authentication in frontend code that
uses the API.
Rendering the private token into client-side javascript is a security
risk; it may be stolen through XSS or other attacks. In general,
re-using API code in the frontend is more desirable than implementing
endless actions that return JSON.
Closes #18302
See merge request !1995
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Exclude some pending or inactivated rows in Member scopes
An unapproved request or not-yet-accepted invite should not give access rights. Neither should a blocked user be considered a member of anything.
One visible outcome of this behaviour is that owners and masters of a group or project may be blocked, yet still receive notification emails for access requests.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21650
See merge request !1994
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
Set permissions to admin for importing a project via Import/Export
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/20802
In order to import a project, it is now required to be an admin
Moved from https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5766
See merge request !1983
(cherry picked from commit 966b303802e12204f5d32af24b13bd0ceb5342a1)
|
|
Fix problems with events under notes importing GitLab projects
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19588
See merge request !5154
(cherry picked from commit 734e44ee79590be6d9f01ca3e815304221a5c88d)
|
|
'master'
Fix diff comments not showing up in activity feed
## What does this MR do?
It fixes the detection of note events to check for `Note` and `LegacyDiffNote`.
## Are there points in the code the reviewer needs to double check?
No? /cc @DouweM (since I believe you introduced `LegacyDiffNote`
## Why was this MR needed?
To fix #19092.
## What are the relevant issue numbers?
Fixes #19092.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5069
(cherry picked from commit b5b17d00eddef8011e3a71d5f4ad46c6d40cbf8a)
|
|
Fix emoji paths in relative root configurations
## What does this MR do?
If a site specifies a relative URL root, emoji files would omit the path from the URL, leading to lots of 404s.
## Are there points in the code the reviewer needs to double check?
At first, I tried to use `ActionView::Helpers::AssetUrlHelper.asset_url` since this is what it's intended to do. But this helper function is extremely slow, and it took minutes to generate the URLs for the hundreds of links needed for each emoji.
## Why was this MR needed?
Because emojis were broken in relative URL installations
## What are the relevant issue numbers?
#15642
## Does this MR meet the acceptance criteria?
- [X] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [X] Added for this feature/bug
- [x] All builds are passing
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5027
(cherry picked from commit 88dbc4d110507c4c658d45e2b0ec0a2db756d6b9)
|
|
Fixing problems with events for import/export
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19202
A couple of issues related to target being missing in exported `Events` (as being polymorphic and not have `ActiveRecord` relationships is a bit more tricky than normal models) plus as the export was in JSON, the import retrieves hashed fields as stringified hashes and not symbolized - so fixed that as well, which was the cause of https://gitlab.com/gitlab-org/gitlab-ce/issues/19202
Also fixed / refactored tests
:simpl
Import/Export Version has been bumped to 0.1.1 as theses changes to events won't work very well with old exports - forcing users to generate a new export in the new version.
See merge request !4987
(cherry picked from commit c368cb605bfb586cf93cff3879212906812f327b)
|
|
Admin should be able to turn shared runners into specific ones:
## What does this MR do?
Make sure admins could turn shared runners into specific runners.
## Are there points in the code the reviewer needs to double check?
Is this the desired behaviour?
## Why was this MR needed?
Closes #19039
Closes #19272
See merge request !4961
(cherry picked from commit b569f842b37434efd0cbae4b0c197391e0610b12)
|
|
Handle external issues in IssueReferenceFilter
Rendering issue references such as `#1` was broken for projects using an external issues tracker.
See gitlab-org/gitlab-ce#19036
See merge request !4988
(cherry picked from commit 6e82c0e06ea25d6d0871037fb09301698ca972bd)
|
|
Do not show build retry link when build is active
Closes #19244
See merge request !4967
(cherry picked from commit dc2d0051dc64318d732e34aeae87f0b4291c8a82)
|
|
Ensure logged-out users can't see private refs
https://gitlab.com/gitlab-org/gitlab-ce/issues/18033
I'm still not sure what to do about the CHANGELOG on security issues - should I add to a patch release? This issue was assigned to 8.10.
See merge request !1974
(cherry picked from commit 3a6ebb1fd624c216a4ce65380e64072793b7ccda)
|
|
Fix privilege escalation issue with OAuth external users
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/19312
This MR fixes a privilege escalation issue, where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.
/cc @douwe
See merge request !1975
(cherry picked from commit 5e6342b7ac08b4b37b233cad54f4aeaf0144b977)
|
|
Use clock_gettime for all performance timestamps
This MR adjusts the performance monitoring code to use `Process.clock_gettime` (thus `clock_gettime(3)`) instead of `Time.now`.
Using `Time.now` / `Time.new` adds more overhead than `Process.clock_gettime`, it also doesn't provide a way of getting timestamps in nanoseconds (which `Process.clock_gettime` does allow).
See merge request !4899
(cherry picked from commit 53ad9522c46edf8ede068145fa3d89e2b047c076)
|
|
Fix visibility of snippets when searching
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18997
See merge request !1972
|
|
Fix an information disclosure when requesting access to a group containing private projects
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19102.
The commit speaks for itself:
Fix an information disclosure when requesting access to a group containing private projects
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.
Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.
Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...
My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.
Now they are all secure.
See merge request !1973
|
|
Fix a wrong MR status when merge_when_build_succeeds & project.only_allow_merge_if_build_succeeds are true
## What does this MR do?
Fix a wrong MR status when merge_when_build_succeeds & project.only_allow_merge_if_build_succeeds are true.
## Are there points in the code the reviewer needs to double check?
@stanhu I reused your proposal from the issue, I think it's a good enough solution.
## What are the relevant issue numbers?
Fixes #19035.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4912
|
|
Support for rendering/redacting multiple documents
See merge request !4828
|
|
Apply selected value as label
## What does this MR do?
## Are there points in the code the reviewer needs to double check?
## Why was this MR needed?
## What are the relevant issue numbers?
## Screenshots (if relevant)
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4886
|
|
Fix unwanted label unassignment
## What does this MR do?
- When updating the milestone
- [x] Do not remove labels when assigning a milestone
- [x] Do not remove labels when unassigning a milestone
- [x] Do not remove labels when assigning a milestone and adding another label
- When toggling selected issues labels should be kept
- [x] Select an issue with an assigned label -> pick another label from dropdown-> unselect the issue -> select the issue again -> submit the form: Existing label should not be removed.
## Are there points in the code the reviewer needs to double check?
Labels should not be added or removed to issues when doing bulk actions unless we explicitly select a label from the dropdown
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4863
|
|
Fix 404 for pipelines
## What does this MR do?
Allow to access pipelines of public project by logged guest.
## What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17885
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
- [ ] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4881
|
|
Fix errors found on importing GitLab CE repo
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18968
See merge request !4855
|
|
Handle external issues in IssueReferenceFilter
Handling of external issues was broken when I refactored
`IssueReferenceFilter` to use fewer SQL queries.
Fixes #18827
See merge request !4789
|
|
Fix bug in `WikiLinkFilter`.
Closes #18819
- [ ] #18819 Wiki link filter exception
- [x] Make sure [build](https://gitlab.com/gitlab-org/gitlab-ce/commit/6d169d36cabda783116bcb8e2e6f73254566a670/builds) passes
- [ ] Wait for merge
- [ ] Pick into 8.9
See merge request !4775
|
|
Fix subsequent SAML sign ins
Fixes a bug when `auto_link_ldap_user` is `true` that causes SAML users to be unable to sign in a second time.
Fix the problem for https://gitlab.zendesk.com/agent/tickets/22546
See merge request !4718
|
|
'18871-check-improve-how-we-display-access-requesters-in-admin-area' into 'master'
Display group/project access requesters separately in admin
## What does this MR do?
It displays the access requesters in a separate list in group & project members pages.
It also harmonize the members counter UI to use `%span.badge` everywhere (in the admin & non-admin members views).
## Are there points in the code the reviewer needs to double check?
No.
## Why was this MR needed?
To not confuse access requesters with actual members.
## What are the relevant issue numbers?
Closes #18871.
## Screenshots
### Group members
| Before | After |
| --------- | ---- |
|  |  |
### Project members
| Before | After |
| --------- | ---- |
|  |  |
### Admin group members
| Before | After |
| --------- | ---- |
|  |  |
### Admin project members
| Before | After |
| --------- | ---- |
|  |  |
## Does this MR meet the acceptance criteria?
- [x] No CHANGELOG since this is related to the original "request access" MR.
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4798
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
'18755-fix-destroy-project-causes-post_decline_request-to-be-executed' into 'master'
Resolve "Destroying a project causes post_decline_request to be executed"
## What does this MR do?
Ensure we don't send "access request declined" to access requesters when a project is deleted.
## Are there points in the code the reviewer needs to double check?
I've created a service to decouple the notification sending from the AR model.
## Why was this MR needed?
Because there was an issue.
## What are the relevant issue numbers?
Fixes #18755, #18750.
## Does this MR meet the acceptance criteria?
- [x] No CHANGELOG needed.
- [x] Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4744
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
GitLab CI Yaml template dropdown
## What does this MR do?
Make it possible to select a dropdown for an easy start with GitLab CI.
## What are the relevant issue numbers?
Closes #17521
## TODO
- [ ] Backend
- [x] CHANGELOG item
- [x] Fix rubocop failure
- [x] API Support
- [x] New tests
- [x] Add disclaimer to the top of the gitlab-ci.yml
- [ ] Frontend
- [x] New tests
See merge request !4411
|
|
Make it possible to lock runner on a specific project
Make it possible to lock runner on a specific project.
----
----
Closes #3407
See merge request !4093
|
|
Fix builds API response that did not include commit data
## What does this MR do?
This is fix for problem with builds API response not including information about commit this build is created for.
## What are the relevant issue numbers?
Closes #18476
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4827
|
|
Show proper image ID on registry page
## What does this MR do?
Display the container registry image ID (from the config blob) instead of the first image layer ID
## Are there points in the code the reviewer needs to double check?
## Why was this MR needed?
To show proper image ID on container_registry page.
This only supports manifest V2, since the manifest V1 doesn't expose information about Image ID.
## What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18159.
## Screenshots (if relevant)
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4821
|
|
Updated blank state for environments and deployments
## What does this MR do?
Adds a designed blank state to environments and deployments.
@markpundsack do we want to hide the new environments when empty? Looks weird otherwise with the green button at the top.
## What are the relevant issue numbers?
Closes #18661
## Screenshots (if relevant)
See merge request !4818
|
|
Optimize Banzai::Filter::RelativeLinkFilter
See merge request !4813
|
|
Cache Participable#participants in instance variable
See merge request !4803
|
|
Remove calls to Rugged::BranchCollection#each from extracts_path before_action
See merge request !4802
|
|
Fallback to group's owners/masters when a project has none for the "access requested email"
## What does this MR do?
From b31c5052f9acf5d9118b2b81b556199279e7ca30:
Fallback to group's owners/masters when a project has none
A project in a group can have no explicit owners/masters,
in that case we fallbacks to the group's owners/masters.
## Are there points in the code the reviewer needs to double check?
No.
## Why was this MR needed?
Because of #18757.
## What are the relevant issue numbers?
Fixes #18757.
## Does this MR meet the acceptance criteria?
- [x] No need for CHANGELOG.
- [x] No need for documentation.
- [x] No API support added.
- [x] Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4791
|
|
Refs dropdown is now loaded async
## What does this MR do?
The refs dropdown is loaded async so not to block the page.
## What are the relevant issue numbers?
Part of #18202
## Screenshots (if relevant)
See merge request !4508
|
|
Allow to fetch LFS from CI
## What does this MR do?
This adds support for fetching LFS object from CI jobs (mostly it's made for supporting GitLab CI).
## What is left?
- [x] Write tests covering a new authorization mechanism
cc @grzesiek @marin
See merge request !4465
|
|
Fixes item icon state when for issues that have the same labels assigned
## What does this MR do?
Previously if all issues had the same labels the dropdown was showing the labels with indeterminate stated which is wrong. This MR fixes that and shows the correct state.
## What are the relevant issue numbers?
Fixes #18714
## Screenshots (if relevant)
**Before**
**After**
## Does this MR meet the acceptance criteria?
- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- [ ] Tests
- [ ] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4721
|
|
Remove Duplicated keys adding UNIQUE index to fingerprint
See merge request !4787
|
|
Fix RangeError exceptions when referring to issues or merge requests outside of max database values
When using #XYZ in Markdown text, if XYZ exceeds the maximum value of a signed 32-bit integer, we get an exception when the Markdown render attempts to run `where(iids: XYZ)`. Introduce a method that will throw out out-of-bounds values.
Closes #18777
See merge request !4777
|
|
# Conflicts:
# app/controllers/projects/todos_controller.rb
|
|
Ensure that group owner cannot request access to a project of their group
## What does this MR do?
It fixes two things:
- 91ad995d69e1a0f8991fd896f1d9febc109273fe Ensure that group owner cannot request access to a project of their group
- ec3ff061148d556757e7cd486cdc6083d77acf34 Ensure group/project owners can see their members' access_level (see the commit message for details)
## Are there points in the code the reviewer needs to double check?
Not really, these are pretty simple fixes.
## Why was this MR needed?
Because there was an issue created!
## What are the relevant issue numbers?
Fixes #18717.
## Does this MR meet the acceptance criteria?
- [x] CHANGELOG is not needed since the bug is only present in a 8.9 RC
- [x] Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4729
|
|
API endpoints for award emoji
Closes #10884
See merge request !4575
|
|
Implement custom notification level options
part of #12758
See merge request !4389
|
|
Do not check repos without push events
Reduce false positives from automatic repository checks by skipping
projects without push events.
See merge request !4684
|
|
Ensure Todos counters doesn't count Todos for projects pending delete
Use `TodosFinder` instead of `current_user.todos` to filter projects
pending delete on Todos counters helpers.
Counters should not reflect the number of Todos displayed on the tabs.
Fixes #18633
See merge request !4663
|
