When we unhooked ClustersController from
Project::ApplicationsController, we missed an EE override to
handle_not_found_or_authorized.
Rather than carry on with overriding RoutingActions, make a specific proc
for Project that we override in EE instead. Use that proc in both
Clusters::BaseController and Project::ApplicationsController.
Enables frozen string for some vestigial files as
well as the following:
* app/controllers/projects/**/*.rb
* app/controllers/sherlock/**/*.rb
* app/controllers/snippets/**/*.rb
* app/controllers/users/**/*.rb
Partially addresses #47424.
This commit replaces `params` with `safe_params` in `url_for` helpers
to resolve security issues [1] and failing specs with the
```
ArgumentError:
Attempting to generate a URL from non-sanitized request parameters!
An attacker can inject malicious data into the generated URL, such as
changing the host. Whitelist and sanitize passed parameters to be secure.
```
error.
[1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168
So we can distinguish between the permissions on the source and the
target project.
- `create_merge_request_from` indicates a user can create a merge
request with the project as a source_project
- `create_merge_request_in` indicates a user can create a merge
request with the project as a target_project
This prevents creating merge requests targeting archived projects.
This could happen when a project was already forked, but then the
source was archived.
In order to avoid string manipulation or modifying route params (to make them unambiguous for `url_for`), we are accepting a behavior change:
When being redirected to the canonical path for a group, if you requested a group show path starting with `/groups/…` then you’ll now be redirected to the group at root `/…`.
Note: This changes the behavior of user lookups (see the spec change) so it acts the same way as groups and projects. Unauthenticated clients attempting to access a user page will be redirected to login whether the user exists and is publicly restricted, or does not exist at all.
* Regards project-level pages config
- Nav link is now shown only if Pages is enabled for instance
- Navigation to following controllers denied if Pages disabled:
  * projects/pages_controller
  * projects/pages_domains_controller
- 'disabled' partial removed
+ Test for pages_controller introduced