root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity
40,634 Commits 9,131 Branches 1,640 Tags 2 GiB
Commit Graph

7 Commits

Author SHA1 Message Date
Douwe Maan 6d37fe952b Merge branch 'jej-fix-missing-access-check-on-issues' into 'security' 
Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
 - Permissions check tested

- [x]  app/controllers/projects/branches_controller.rb:39
  - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
    confidential issues, issues only visible to team, etc.
- [x] 🚥 app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x]  app/controllers/projects/todos_controller.rb:19

- [x] Potential double render in app/controllers/projects/todos_controller.rb

- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030
 2016-11-28 21:25:46 -03:00
Paco Guzman 244134f9c3 Cache todos pending/done dashboard query counts 2016-07-12 18:57:52 +02:00
Z.J. van de Weg abca19da8b Use HTTP matchers if possible 2016-06-27 20:10:42 +02:00
Phil Hughes 914f973108 Removed update method 
Re-structured controller spec
Renamed issuable param to issuable_id
 2016-06-17 18:31:37 +01:00
Phil Hughes 60b4049280 Added todo controller tests for merge requests 2016-06-17 09:13:21 +01:00
Phil Hughes b56965c5bb Correctly checks if user is logged in when adding todo 2016-06-17 09:06:00 +01:00
Phil Hughes 85fab13eba Improved manual todos 
Based on feedback from !4502
 2016-06-17 09:01:03 +01:00