From 7af585f1667935165701ec290e6ce37a436ad4c6 Mon Sep 17 00:00:00 2001 From: Valery Sizov Date: Wed, 13 Sep 2017 17:11:10 +0300 Subject: Fast forward merge: basic implemenation[ci skip] --- app/controllers/projects_controller.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'app/controllers') diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index b13034d3333..a738ca9f361 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -344,6 +344,7 @@ class ProjectsController < Projects::ApplicationController :tag_list, :visibility_level, :template_name, + :merge_method, project_feature_attributes: %i[ builds_access_level -- cgit v1.2.3 From 8fa87ea3fb862bdae624aec360c80b12cda3905c Mon Sep 17 00:00:00 2001 From: Brian Neel Date: Wed, 23 Aug 2017 00:40:16 -0400 Subject: # This is a combination of 1 commit. # This is the 1st commit message: Add logging for all web authentication events # This is the commit message #2: Re-add underscore to after_inactive_sign_up_path_for # This is the commit message #3: Standardize on username= # This is the commit message #4: after_filter -> after_action, _resource -> resource # This is the commit message #5: Add two-factor login failures and account lockouts # This is the commit message #6: Move logging from two-factor concern to user model # This is the commit message #7: Add spaces around default parameter assignments # This is the commit message #8: Move logs out of user model # This is the commit message #9: Replace filtered_params with user_params # This is the commit message #10: Standardize case # This is the commit message #1: Fixes for username and AppLogger.info --- .../concerns/authenticates_with_two_factor.rb | 2 ++ app/controllers/confirmations_controller.rb | 1 + app/controllers/registrations_controller.rb | 4 +++- app/controllers/sessions_controller.rb | 16 ++++++++++++++-- 4 files changed, 20 insertions(+), 3 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/concerns/authenticates_with_two_factor.rb b/app/controllers/concerns/authenticates_with_two_factor.rb index b75e401a8df..5281dbe11c4 100644 --- a/app/controllers/concerns/authenticates_with_two_factor.rb +++ b/app/controllers/concerns/authenticates_with_two_factor.rb @@ -59,6 +59,7 @@ module AuthenticatesWithTwoFactor sign_in(user) else user.increment_failed_attempts! + Gitlab::AppLogger.info("Failed login: user=#{user.username} ip=#{request.remote_ip} method=OTP") flash.now[:alert] = 'Invalid two-factor code.' prompt_for_two_factor(user) end @@ -75,6 +76,7 @@ module AuthenticatesWithTwoFactor sign_in(user) else user.increment_failed_attempts! + Gitlab::AppLogger.info("Failed login: user=#{user.username} ip=#{request.remote_ip} method=U2F") flash.now[:alert] = 'Authentication via U2F device failed.' prompt_for_two_factor(user) end diff --git a/app/controllers/confirmations_controller.rb b/app/controllers/confirmations_controller.rb index 306afb65f10..1b87ae0ccb2 100644 --- a/app/controllers/confirmations_controller.rb +++ b/app/controllers/confirmations_controller.rb @@ -14,6 +14,7 @@ class ConfirmationsController < Devise::ConfirmationsController if signed_in?(resource_name) after_sign_in_path_for(resource) else + Gitlab::AppLogger.info("Email Confirmed: username=#{resource.username} email=#{resource.email} ip=#{request.remote_ip}") flash[:notice] += " Please sign in." new_session_path(resource_name) end diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb index 1bc6520370a..5ea3a5d5562 100644 --- a/app/controllers/registrations_controller.rb +++ b/app/controllers/registrations_controller.rb @@ -42,10 +42,12 @@ class RegistrationsController < Devise::RegistrationsController end def after_sign_up_path_for(user) + Gitlab::AppLogger.info("User Created: username=#{user.username} email=#{user.email} ip=#{request.remote_ip} confirmed:#{user.confirmed?}") user.confirmed? ? dashboard_projects_path : users_almost_there_path end - def after_inactive_sign_up_path_for(_resource) + def after_inactive_sign_up_path_for(resource) + Gitlab::AppLogger.info("User Created: username=#{resource.username} email=#{resource.email} ip=#{request.remote_ip} confirmed:false") users_almost_there_path end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index be6491d042c..a2cb5b692af 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -13,6 +13,8 @@ class SessionsController < Devise::SessionsController before_action :auto_sign_in_with_provider, only: [:new] before_action :load_recaptcha + after_action :log_failed_login, only: [:new] + def new set_minimum_password_length @ldap_servers = Gitlab::LDAP::Config.available_servers @@ -29,12 +31,13 @@ class SessionsController < Devise::SessionsController end # hide the signed-in notification flash[:notice] = nil - log_audit_event(current_user, with: authentication_method) + log_audit_event(current_user, resource, with: authentication_method) log_user_activity(current_user) end end def destroy + Gitlab::AppLogger.info("User Logout: username=#{current_user.username} ip=#{request.remote_ip}") super # hide the signed_out notice flash[:notice] = nil @@ -42,6 +45,14 @@ class SessionsController < Devise::SessionsController private + def log_failed_login + Gitlab::AppLogger.info("Failed login: username=#{user_params[:login]} ip=#{request.remote_ip}") if failed_login? + end + + def failed_login? + (options = env["warden.options"]) && options[:action] == "unauthenticated" + end + def login_counter @login_counter ||= Gitlab::Metrics.counter(:user_session_logins_total, 'User sign in count') end @@ -123,7 +134,8 @@ class SessionsController < Devise::SessionsController user.invalidate_otp_backup_code!(user_params[:otp_attempt]) end - def log_audit_event(user, options = {}) + def log_audit_event(user, resource, options = {}) + Gitlab::AppLogger.info("User login: username=#{resource.username} ip=#{request.remote_ip} method=#{options[:with]} admin=#{resource.admin?}") AuditEventService.new(user, user, options) .for_authentication.security_event end -- cgit v1.2.3 From 66d9d258ad8ab168018b5fb627e59c2385d5fdc0 Mon Sep 17 00:00:00 2001 From: Brian Neel Date: Wed, 27 Sep 2017 23:54:52 -0400 Subject: Standardize capitalization and status --- app/controllers/concerns/authenticates_with_two_factor.rb | 4 ++-- app/controllers/sessions_controller.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/concerns/authenticates_with_two_factor.rb b/app/controllers/concerns/authenticates_with_two_factor.rb index 5281dbe11c4..db8c362f125 100644 --- a/app/controllers/concerns/authenticates_with_two_factor.rb +++ b/app/controllers/concerns/authenticates_with_two_factor.rb @@ -59,7 +59,7 @@ module AuthenticatesWithTwoFactor sign_in(user) else user.increment_failed_attempts! - Gitlab::AppLogger.info("Failed login: user=#{user.username} ip=#{request.remote_ip} method=OTP") + Gitlab::AppLogger.info("Failed Login: user=#{user.username} ip=#{request.remote_ip} method=OTP") flash.now[:alert] = 'Invalid two-factor code.' prompt_for_two_factor(user) end @@ -76,7 +76,7 @@ module AuthenticatesWithTwoFactor sign_in(user) else user.increment_failed_attempts! - Gitlab::AppLogger.info("Failed login: user=#{user.username} ip=#{request.remote_ip} method=U2F") + Gitlab::AppLogger.info("Failed Login: user=#{user.username} ip=#{request.remote_ip} method=U2F") flash.now[:alert] = 'Authentication via U2F device failed.' prompt_for_two_factor(user) end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index a2cb5b692af..fc0c0024ad7 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -46,7 +46,7 @@ class SessionsController < Devise::SessionsController private def log_failed_login - Gitlab::AppLogger.info("Failed login: username=#{user_params[:login]} ip=#{request.remote_ip}") if failed_login? + Gitlab::AppLogger.info("Failed Login: username=#{user_params[:login]} ip=#{request.remote_ip}") if failed_login? end def failed_login? @@ -135,7 +135,7 @@ class SessionsController < Devise::SessionsController end def log_audit_event(user, resource, options = {}) - Gitlab::AppLogger.info("User login: username=#{resource.username} ip=#{request.remote_ip} method=#{options[:with]} admin=#{resource.admin?}") + Gitlab::AppLogger.info("Successful Login: username=#{resource.username} ip=#{request.remote_ip} method=#{options[:with]} admin=#{resource.admin?}") AuditEventService.new(user, user, options) .for_authentication.security_event end -- cgit v1.2.3 From 7dac9624bc19019f7432cf12ac8713a5dad03b69 Mon Sep 17 00:00:00 2001 From: Brian Neel Date: Fri, 29 Sep 2017 17:34:47 -0400 Subject: Remove lock reason and add guard clause --- app/controllers/sessions_controller.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index fc0c0024ad7..90bf6c51699 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -46,7 +46,9 @@ class SessionsController < Devise::SessionsController private def log_failed_login - Gitlab::AppLogger.info("Failed Login: username=#{user_params[:login]} ip=#{request.remote_ip}") if failed_login? + return unless failed_login? + + Gitlab::AppLogger.info("Failed Login: username=#{user_params[:login]} ip=#{request.remote_ip}") end def failed_login? -- cgit v1.2.3 From 10096256f1cf91cbf3bc10e4f02499d265a87bfb Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Mon, 2 Oct 2017 09:47:08 -0700 Subject: Improve performance of filtering notes in NotesController Reduces the number of queries needed to redact notes to which the user does not have access. Also includes an N+1 query test as a guard against future issues. This is a follow-up from https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/14327#note_40976854. --- app/controllers/concerns/notes_actions.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb index 18fd8eb114d..915f32b4c33 100644 --- a/app/controllers/concerns/notes_actions.rb +++ b/app/controllers/concerns/notes_actions.rb @@ -15,9 +15,9 @@ module NotesActions notes = notes_finder.execute .inc_relations_for_view - .reject { |n| n.cross_reference_not_visible_for?(current_user) } notes = prepare_notes_for_rendering(notes) + notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } notes_json[:notes] = if noteable.discussions_rendered_on_frontend? -- cgit v1.2.3 From 7f69659a5d932ef6cac72001b19b89a103535bd9 Mon Sep 17 00:00:00 2001 From: Jarka Kadlecova Date: Tue, 19 Sep 2017 10:30:18 +0200 Subject: Remove edit action for issues --- app/controllers/projects/issues_controller.rb | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb index a3ec79a56d9..ee6e6f80cdd 100644 --- a/app/controllers/projects/issues_controller.rb +++ b/app/controllers/projects/issues_controller.rb @@ -16,7 +16,7 @@ class Projects::IssuesController < Projects::ApplicationController before_action :authorize_create_issue!, only: [:new, :create] # Allow modify issue - before_action :authorize_update_issue!, only: [:edit, :update, :move] + before_action :authorize_update_issue!, only: [:update, :move] # Allow create a new branch and empty WIP merge request from current issue before_action :authorize_create_merge_request!, only: [:create_merge_request] @@ -63,10 +63,6 @@ class Projects::IssuesController < Projects::ApplicationController respond_with(@issue) end - def edit - respond_with(@issue) - end - def show @noteable = @issue @note = @project.notes.new(noteable: @issue) @@ -126,10 +122,6 @@ class Projects::IssuesController < Projects::ApplicationController @issue = Issues::UpdateService.new(project, current_user, update_params).execute(issue) respond_to do |format| - format.html do - recaptcha_check_with_fallback { render :edit } - end - format.json do render_issue_json end -- cgit v1.2.3 From 5dd26d4e5a5a27ca93e6d55b4261c42f4f70e762 Mon Sep 17 00:00:00 2001 From: "Jacob Vosmaer (GitLab)" Date: Tue, 3 Oct 2017 16:58:33 +0000 Subject: Hide Gollum inside Gitlab::Git::Wiki --- app/controllers/projects/wikis_controller.rb | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb index 968d880886c..a8ebdf5a4a9 100644 --- a/app/controllers/projects/wikis_controller.rb +++ b/app/controllers/projects/wikis_controller.rb @@ -18,16 +18,12 @@ class Projects::WikisController < Projects::ApplicationController response.headers['Content-Security-Policy'] = "default-src 'none'" response.headers['X-Content-Security-Policy'] = "default-src 'none'" - if file.on_disk? - send_file file.on_disk_path, disposition: 'inline' - else - send_data( - file.raw_data, - type: file.mime_type, - disposition: 'inline', - filename: file.name - ) - end + send_data( + file.raw_data, + type: file.mime_type, + disposition: 'inline', + filename: file.name + ) else return render('empty') unless can?(current_user, :create_wiki, @project) @page = WikiPage.new(@project_wiki) -- cgit v1.2.3