Fix missing access checks on issue lookup using IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested
- [x] ✅ app/controllers/projects/branches_controller.rb:39
- `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
confidential issues, issues only visible to team, etc.
- [x] 🚥 app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] ✅ app/controllers/projects/todos_controller.rb:19
- [x] Potential double render in app/controllers/projects/todos_controller.rb
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24
See merge request !2030
* master: (312 commits)
Fix bad selection on dropdown menu for tags filter
Fixed issue boards scrolling with a lot of lists & issues
You can only assign default_branch when editing a project ...
Don't convert data which already is the target type
Stop supporting Google and Azure as backup strategies
renames some of the specs and adds changelog entry
Fixed dragging issue moving wrong issue after multiple drags of issue
Fixed issue boards issue sorting when dragging issue into list
Rephrase some system notes to be compatible with new system note style
Add missing JIRA file that redirects to the new location
Fix documentation to create the `pg_trm` extension before creating the DB
Document that we always use `do...end` for `before` in RSpec
Backport Note#commands_changes from EE
Log mv_namespace parameters
Add default_branch attr to Project API payload in docs.
Fix title case to sentence case
properly escape username validation error message flash
Remove header ids from University docs
Add missing documentation.
Added test that checks the correct select box is there for the LFS ...
...
Conflicts:
app/services/system_note_service.rb
spec/features/merge_requests/merge_when_pipeline_succeeds_spec.rb
spec/services/merge_requests/merge_when_pipeline_succeeds_service_spec.rb
spec/services/system_note_service_spec.rb
An external link was recently added but was broken because
'https://gitlab.com/help/' was prepended to every link in the page.
Since no link in the main help readme begins with "help" and since doing
so wouldn't make sense, the substitution conditionaly prepending "help"
can be simplified and reused.
Signed-off-by: David Wagner <david@marvid.fr>
This also updates _some_ specs to use these new methods, just to serve
as an example for others going forward, but by no means is this
exhaustive.
Original implementations at !5992 and !6012.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/20944
Resolves#24576
Modify the guard clause of the `ApplicationController#require_email`
before action to skip requests where an admin is impersonating the
current user.
Disable the "request access" functionality by default for new groups and projects
Currently this feature is enabled by default, and additional action is required to disable it.
Closes#21992Closes!7011
See merge request !7425
Add button to delete all merged branches
## What does this MR do?
It adds a button to the branches page that the user can use to delete all the branches that are already merged. This can be used to clean up all the branches that were forgotten to delete while merging MRs.
**Note**
~~This MR is WIP until MR !6408 is merged.~~
## Are there points in the code the reviewer needs to double check?
The UX of the actual "Delete merged branches" button.
## Why was this MR needed?
Fixes#21076
## Screenshots
Before:
After:
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Closes#21076
See merge request !6449
It adds a button to the branches page that the user can use to delete
all the branches that are already merged. This can be used to clean up
all the branches that were forgotten to delete while merging MRs.
Fixes#21076.
Pass user instance to Labels::FindOrCreateService or skip_authorization: true
## What does this MR do?
It fixes a bug described in #23694 when `project.owner` was passed to `Labels::FindOrCreateService`. `Labels::FindOrCreateService` expected a user instance and `project.owner` may return a group as well. This MR makes sure that we either pass a user instance or `skip_authorization: true`.
## Are there points in the code the reviewer needs to double check?
- places where we pass `skip_authorization: true`
## Does this MR meet the acceptance criteria?
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Fixes#23694
See merge request !7093
If notification_email is blank, it's set from email. If an admin
attempted to create a user with an invalid email, an error would be
displayed for both fields. Only validate the notification_email if it's
different from email.
- Disable {project, group} members submit button if no users
If no users are selected, the submit button should be disabled.
- Alert user when no users were added to {project, group}.
When no users were selected for adding, an alert message is
flashed that no users were added.
- Also, this commit adds a feedback when users were actually added to a
project, in symmetry with how group members are handled.
Closes#22967, #23270.
Add group level labels
## What does this MR do?
Add group level labels.
## Are there points in the code the reviewer needs to double check?
* `LabelsFinder`
* `Gitlab::Gfm::ReferenceRewriter`
* `Banzai::Filter::LabelReferenceFilter`
## Why was this MR needed?
We'll be adding more feature that allow you to do cross-project management of issues.
## Screenshots (if relevant)
* Group Labels
* Project Labels
* Expanded references for group labels when moving issue to another project
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
- [x] Added for this feature/bug
- [ ] All builds are passing
- [ ] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
#19997
See merge request !6425
When reading conflicts:
1. Add a `type` field. `text` works as before, and has `sections`;
`text-editor` is a file with ambiguous conflict markers that can only
be resolved in an editor.
2. Add a `content_path` field pointing to a JSON representation of the
file's content for a single file.
3. Hitting `content_path` returns a similar datastructure to the `file`,
but without the `content_path` and `sections` fields, and with a
`content` field containing the full contents of the file (with
conflict markers).
When writing conflicts:
1. Instead of `sections` being at the top level, they are now in a
`files` array. This matches the read format better.
2. The `files` array contains file hashes, each of which must contain:
a. `new_path`
b. `old_path`
c. EITHER `sections` (which works as before) or `content` (with the
full content of the resolved file).
Ability to bulk assign issues to author of merge request
## What does this MR do?
Provides a link to auto-assign issues to the author of a merge request, when they are mentioned as being closed by the MR.
## Are there points in the code the reviewer needs to double check?
## Why was this MR needed?
To help avoid working on a MR without having assigned related issues to self
## What are the relevant issue numbers?
Fixes#18876
## Screenshots (if relevant)
## Tasks
- [x] Refactor or move away from using `BulkUpdateService`
- [x] ~~Consider alternate link message when only a subset of issues will be assigned~~
- [x] Minimize repeated calls to expensive `closes_issues` method
- [x] Move away from using inflector for pluralization and fix flash message
- [x] Change auth `before_action` and fallback to error flash message
- [x] Shouldn't overwrite current assignee if one exists
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] ~~[Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)~~
- [x] ~~API support added~~
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5725
Allow browsing branches that end with '.atom'
## What does this MR do?
1. Simplify the regex capture in the routing for the CommitsController
to not exclude the '.atom' suffix. That's a perfectly valid git
branch name, so we shouldn't blow up if we get it.
2. Because Rails now can't automatically detect the request format, add
some code to do so in `ExtractPath` when there is no path. This means
that, given branches 'foo' and 'foo.atom', the Atom feed for the
former is unroutable. To fix this: don't do that! Give the branches
different names!
## Why was this MR needed?
Creating a branch or tag name ending in '.atom' would cause some 500s on that repo.
## What are the relevant issue numbers?
Closes#21955. Related to !5994.
See merge request !6750
We need to do two things to support this:
1. Simplify the regex capture in the routing for the CommitsController
to not exclude the '.atom' suffix. That's a perfectly valid git
branch name, so we shouldn't blow up if we get it.
2. Because Rails now can't automatically detect the request format, add
some code to do so in `ExtractPath` when there is no path. This means
that, given branches 'foo' and 'foo.atom', the Atom feed for the
former is unroutable. To fix this: don't do that! Give the branches
different names!
Remove NamespacesController
* removes unnecessary NamespacesController. The main purpose of this controller was redirect to group or user page when URL like https://gitlab.com/gitlab-org was used. Now this functionality is handled by constrainers (like this https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/routes/user.rb#L17-21) and take user to correct controller right from the start.
* serve non existing API routes like `/api/v3/whatever` with Grape instead of Rails. Before this change wrong API url was served by rails with not obvious 404, 405 & 500 errors
See merge request !6733
The main purpose of this controller was redirect to group or user page
when URL like https://gitlab.com/gitlab-org was used. Now this
functionality is handled by contrainers and take user to correct
controller right from the start
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
our custom login flow with two pages doesn't call this method. This will
increment the failed login counter, and lock the user's account once
they exceed the number of failed attempts.
Also ensure that users who are locked can't continue to submit 2FA
codes.
Resolve "`Member.add_user`doesn't detect existing members that have requested access"
## What does this MR do?
This merge request handle the case when an access requester is added to a group or project (via the members page or the API).
In `Member.add_user`, if an access requester already exists, we simply accept their request (and set the `created_by`, `access_level` and `expires_at` attributes if given).
## Are there points in the code the reviewer needs to double check?
I've taken the opportunity to cleanup the whole `{Group,Project}Member.add_user*` methods since it was quite a mess.
## What are the relevant issue numbers?
Closes#21983
See merge request !6393
Changes include:
- Ensure Member.add_user is not called directly when not necessary
- New GroupMember.add_users_to_group to have the same abstraction level as for Project
- Refactor Member.add_user to take a source instead of an array of members
- Fix Rubocop offenses
- Always use Project#add_user instead of project.team.add_user
- Factorize users addition as members in Member.add_users_to_source
- Make access_level a keyword argument in GroupMember.add_users_to_group and ProjectMember.add_users_to_projects
- Destroy any requester before adding them as a member
- Improve the way we handle access requesters in Member.add_user
Instead of removing the requester and creating a new member,
we now simply accepts their access request. This way, they will
receive a "access request granted" email.
- Fix error that was previously silently ignored
- Stop raising when access level is invalid in Member, let Rails validation do their work
Signed-off-by: Rémy Coutable <remy@rymai.me>
Projects::ForkService delegates to this service almost entirely, but needed
one small change so it would propagate create errors correctly.
CreateService#execute needs significant refactoring; it is now right at the
complexity limit set by Rubocop. I avoided doing so in this commit to keep the
diff as small as possible.
Several tests depend on the insecure behaviour of ForkService, so fi them up at
the same time.
And Snippets get awards
## What does this MR do?
Makes snippets more awesome, by making them awardables
## Why was this MR needed?
Because Snippets were left behind.
## What are the relevant issue numbers?
Closes#17878
See merge request !4456
* Created a force=true param that will continue with the previous
behaviour of the unsubscribe method
* Created a filter for not-logged users so they see a unsubsribe
confirmation page
* Added the List-Unsubscribe header on emails so the email client can
display it on top
Pass the remember_me option into the u2f form and support it while authenticating
## What does this MR do?
Adds remember me support in the u2f authentication, and makes sure the flag gets passed from the login form to the u2f form.
Based on the changes for the same thing done for regular 2fa: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4369
## Why was this MR needed?
The remember me option wasn't working for u2f devices (yubikey)
## What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18103
See merge request !5918
Refactor ability.rb into Policies
## What does this MR do?
Factors out `ability.rb` into a new abstraction - the "policy" (stored in `app/policies`). A policy is a class named `#{class_name}Policy` (looked up automatically as needed) that implements `rules` as follows:
``` ruby
class ThingPolicy < BasePolicy
def rules
@user # this is a user to determine abilities for, optionally nil in the anonymous case
@subject # this is the subject of the ability, guaranteed to be an instance of `Thing`
can! :some_ability # grant the :some_ability permission
cannot! :some_ability # ensure that :some_ability is not allowed. this overrides any `can!` that is called before or after
delegate! @subject.other_thing # merge the abilities (can!) and prohibitions (cannot!) from `@subject.other_thing`
can? :some_ability # test whether, so far, :some_ability is allowed
end
def anonymous_rules
# optional. if not implemented `rules` is called where `@user` is nil. otherwise this method is called when `@user` is nil.
end
end
```
See merge request !5796
Add test for closed MR without fork
Add view test visibility of Reopen and Close buttons
Fix controller tests and validation method
Fix missing space
Remove unused variables from test
closed_without_fork? method refactoring
Add information about missing fork
When closed MR without fork can't edit target branch
Tests for closed MR edit view
Fix indentation and rebase, refactoring
James Lopez
Douwe Maan
Rémy Coutable
Grzegorz Bizon
Robert Speicher
Douwe Maan
Dmitriy Zaporozhets
Sean McGivern
Stan Hu
David Wagner
Kamil Trzcinski
Robert Speicher
Oren Kanner
Douglas Barbosa Alexandre
Cagdas Gerede
Fu Xu
Alex Sanford
Nick Thomas
Toon Claes
tiagonbotelho
Rodolfo Santos
Valery Sizov
Yorick Peterse
Adam Niedzielski
Alejandro Rodríguez
Steve Halasz
Phil Hughes
Linus G Thiel
Z.J. van de Weg
Felipe Artur
Sean McGivern
Alfredo Sumaran
Semyon Pupkov
Georg G
James Edwards-Jones
James
barthc
Thomas Balthazar
Connor Shea
Maximiliano Perez Coto
Katarzyna Kobierska
Airat Shigapov
DJ Mountney
http://jneen.net/