Updated projects.md to show tag_list field when performing GETs
Updated projects_spec.rb to include check for tag_list key in project list
Added changes to the CHANGELOG
API: Events paginate
Updated the api method for /project/:id/events, to use the paginate method instead of limiting and offsetting the recent events in the method itself.
This will also change the first page to be 1 instead of 0, but using 0 will still work and will give back the first page.
This also add's the link headers (next/first/last).
See merge request !267
Change ordering so that confirm is removed from attrs before attempting to User.build_user
Possible fix gitlab-org/gitlab-ce#1296
See merge request !445
Branch names that contain `/` return a 405 error when being deleted because the slash is escaped to `%2F`
This patch will unescape the param prior to executing the delete action.
Restricted visibility levels - bug fix and new feature
This allows admin users to override restricted visibility settings when creating and updating projects and snippets, and moves the restricted visibility configuration from gitlab.yml to the web UI. See #1903.
## Move configuration location
I added a new section to the application settings page for restricted visibility levels. Each level has a checkbox, styled with Bootstrap to look like a toggle button. A checked box means that the level is restricted. I added a glowing text shadow and changed the background color for checked buttons because the default styles made it hard to distinguish between checked and unchecked. This image shows the new section with the "Public" box checked:
## Allow admins to override
To allow admin users to override the restricted visibility levels, I had to remove the `visibility_level` validation from the `Project` class. The model doesn't know about the `current_user`, which should determine whether the restrictions can be overridden. We could use the creator in the validation, but that wouldn't work correctly for projects where a non-admin user is the creator and an admin tries to change the project to a restricted visibility level.
The `Project::UpdateService` and `Project::CreateService` classes already had code to determine whether the current user is allowed to use a given visibility level; now all visibility level validation is done in those classes. Currently, when a non-admin tries to create or update a project using a restricted level, these classes silently set the visibility level to the global default (create) or the project's existing value (update). I changed this behavior to be more like an Active Model validation, where using a restricted level causes the entire request to be rejected.
Project and personal snippets didn't have service classes, and restricted visibility levels weren't being enforced in the model or the controllers. The UI disabled radio buttons for restricted levels, but that wouldn't be difficult to circumvent. I created the `CreateSnippetService` and `UpdateSnippetService` classes to do the same restricted visibility check that the project classes do. And since I was dealing with snippet visibility levels, I updated the API endpoints for project snippets to allow users to set and update the visibility level.
## TODO
* [x] Add more tests for restricted visibility functionality
cc @sytse @dzaporozhets
See merge request !1655
Add new service classes to create and update project and personal
snippets. These classes are responsible for enforcing restricted
visibility settings for non-admin users.
Ruby str_equal uses memcmp internally to compare String.
Memcmp is vunerable to timing attacks because it returns early
on mismatch (on most x32 platforms memcmp uses a bytewise comparision).
Devise.secure_compare implements a constant time comparision instead.
Don't leak information about private project existence via Git-over-SSH/HTTP.
Fixes#2040 and https://gitlab.com/gitlab-org/gitlab-ce/issues/343.
Both `Grack::Auth` (used by Git-over-HTTP) and `Api::Internal /allowed` (used by gitlab-shell/Git-over-SSH) now return a generic "Not Found" error when the project exists but the user doesn't have access to it.
See merge request !1578
bugagazavr
Douwe Maan
Christoph Dreis
Cristian Medina
Dmitriy Zaporozhets
Dan Tudor
Nihad Abbasov
Stephan van Leeuwen
RICKETTM@uk.ibm.com
Dmitriy Zaporozhets
Vinnie Okada
Jörg Thalheim
Jeroen van Baarsen
sue445
jubianchi
