This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply). We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.

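The class of bug this commit closes, as an added example that is not GitLab's own code: a plain-Ruby model (no Rails) of a fallback route that runs an authentication filter versus one that answers 404 unconditionally. The project catalogue, the `dispatch` helper and the 302/401 behaviour of `authenticate_user!` are simplified assumptions; the point is that any status other than 404 on the fallback turns the response code into an existence oracle.

```ruby
# Added example, not GitLab's code: a plain-Ruby model of why the catch-all
# route must not run the authentication filter. HTTP statuses are integers.
Request = Struct.new(:path, :fmt, :user) # user is nil when anonymous

# Constructed sample catalogue: one public project and one private one.
PROJECTS = {
  "group/public-app"  => { visibility: :public,  members: %w[alice bob] },
  "group/secret-tool" => { visibility: :private, members: %w[alice] },
}.freeze

def readable?(project, user)
  project[:visibility] == :public || project[:members].include?(user)
end

# Models Devise's authenticate_user!: anonymous HTML -> 302 redirect, else 401.
def authenticate_user!(req)
  return nil if req.user
  req.fmt == :html ? 302 : 401
end

# A matched project route: readers get 200, everyone else a plain 404.
def project_action(project, req)
  readable?(project, req.user) ? 200 : 404
end

# Before the fix: the fallback route still ran the authentication filter.
def route_not_found_before(req)
  authenticate_user!(req) || 404
end

# After the fix: an unrecognised route answers 404 unconditionally.
def route_not_found_after(_req)
  404
end

def dispatch(req, fallback)
  project = PROJECTS[req.path.split("/")[0, 2].join("/")]
  project ? project_action(project, req) : fallback.call(req)
end

# True when some requester/format pair sees different statuses for a hidden
# project and a nonexistent path, i.e. the status is an existence oracle.
def existence_oracle?(fallback)
  [nil, "bob"].product(%i[html json]).any? do |user, fmt|
    hidden  = dispatch(Request.new("group/secret-tool", fmt, user), fallback)
    missing = dispatch(Request.new("group/no-such", fmt, user), fallback)
    hidden != missing
  end
end
```

Running `existence_oracle?(method(:route_not_found_before))` returns true, while the fixed fallback returns false for every requester and format combination.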
Fixes deprecation warning:
```
DEPRECATION WARNING: The success? predicate is deprecated and
will be removed in Rails 6.0.
Please use successful? as provided by Rack::Response::Helpers.
```

Updates specs to use new rails5 format.
The old format:
`get :show, { some: params }, { some: headers }`
The new format:
`get :show, params: { some: params }, headers: { some: headers }`

Before a 404 would be rendered only after a request to Gitaly would
return with an InvalidArgument error. Now we check that the ref has a
valid format before sending it to Gitaly. In both cases, a 404 is
returned to the user, but this change prevents Gitaly from generating
error noise in production.
Closes https://gitlab.com/gitlab-org/gitaly/issues/1425

[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583

We need to do two things to support this:
1. Simplify the regex capture in the routing for the CommitsController
to not exclude the '.atom' suffix. That's a perfectly valid git
branch name, so we shouldn't blow up if we get it.
2. Because Rails now can't automatically detect the request format, add
some code to do so in `ExtractPath` when there is no path. This means
that, given branches 'foo' and 'foo.atom', the Atom feed for the
former is unroutable. To fix this: don't do that! Give the branches
different names!