Previously, if a user was a guest member of a private project, they
could access the merge request template as we were not checking
permission-levels of the user.
When a issue template is asked for, the user must have :read_issue for
the project; or :read_merge_request when a merge request template is
asked for.
We also now rescue_from FileNotFoundError and handle as 404. This is
because RepoTemplateFinder can raise a FileNotFoundError exception,
which Rails previously handled as a 500.
Handling these in a way that is consistent with
ActiveRecord::RecordNotFound exceptions, within controllers that
inherit from Projects::ApplicationController at least, and returning a
404.
https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26248 added
support for deduplicating FindCommit requests using Gitaly ref name
caching. However, not all endpoints were covered, and in one case the
Gitaly wrapper wasn't actually surrounding the serialization step. We
can safely cache ref names between FindCommit calls for #index and #show
endpoints for merge requests and pipelines. This can significantly
reduce the number of FindCommit requests.
When we unhooked ClustersController from
Project::ApplicationsController, we missed an EE override to
handle_not_found_or_authorized.
Rather than carry on with override RoutingActions, make a specific proc
for Project that we override in EE instead. Use that proc in both
Clusters::BaseController and Project::ApplicationsController.
Enables frozen string for some vestigial files as
well as the following:
* app/controllers/projects/**/*.rb
* app/controllers/sherlock/**/*.rb
* app/controllers/snippets/**/*.rb
* app/controllers/users/**/*.rb
Partially addresses #47424.
This commits replaces `params` with `safe_params` in `url_for` helpers
to resolve security issues [1] and failing specs with the
```
ArgumentError:
Attempting to generate a URL from non-sanitized request parameters!
An attacker can inject malicious data into the generated URL, such as
changing the host. Whitelist and sanitize passed parameters to be secure.
```
error.
[1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168
So we can distinguish between the permissions on the source and the
target project.
- `create_merge_request_from` indicates a user can create a merge
request with the project as a source_project
- `create_merge_request_in` indicates a user can create a merge
request with the project as a target_project
This prevents creating merge requests targeting archived projects.
This could happen when a project was already forked, but then the
source was archived.
In order to avoid string manipulation or modify route params (to make them unambiguous for `url_for`), we are accepting a behavior change:
When being redirected to the canonical path for a group, if you requested a group show path starting with `/groups/…` then you’ll now be redirected to the group at root `/…`.
Note: This changes the behavior of user lookups (see the spec change) so it acts the same way as groups and projects. Unauthenticated clients attempting to access a user page will be redirected to login whether the user exists and is publicly restricted, or does not exist at all.
* Regards project-level pages config
- Nav link is now shown only if Pages is enabled for instance
- Navigation to following controllers denied if Pages disabled:
* projects/pages_controller
* projects/pages_domains_controller
- 'disabled' partial removed
+ Test for pages_controller introduced
GitLab Bot
Marin Jankovski
Stan Hu
Luke Duncalfe
James Edwards-Jones
Andrew Newdigate
Thong Kuah
gfyoung
Lin Jen-Shin
blackst0ne
Bob Van Landuyt
Christiaan Van den Poel
Jen-Shin Lin
Zeger-Jan van de Weg
Nick Thomas
Douwe Maan
Kamil Trzcinski
Michael Kozono
Grzegorz Bizon
Mark Fletcher
Douwe Maan
Jacopo
Sam Rose
Sean McGivern
Adam Pahlevi