BigW Consortium Gitlab

  1. 16 Aug, 2017 1 commit
  2. 11 Aug, 2017 1 commit
  3. 10 Aug, 2017 1 commit
  4. 02 Aug, 2017 1 commit
  5. 01 Aug, 2017 1 commit
  6. 26 Jul, 2017 4 commits
  7. 21 Jul, 2017 1 commit
  8. 19 Jul, 2017 1 commit
  9. 06 Jul, 2017 1 commit
  10. 04 Jul, 2017 1 commit
  11. 30 Jun, 2017 1 commit
    • Implement review comments for !12445 from @godfat and @rymai. · 3c88a786
      Timothy Andrew authored
      - Use `GlobalPolicy` to authorize the users that a non-authenticated user can
        fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
        visibility level is not restricted.
      
      - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
        the `username` parameter is passed.
      
      - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
        route + method, rather than the description.
      
      - Change the type of `current_user` check in `UsersFinder` to be more
        compatible with EE.
  12. 28 Jun, 2017 4 commits
  13. 26 Jun, 2017 1 commit
    • Allow unauthenticated access to the `/api/v4/users` API. · 20f679d6
      Timothy Andrew authored
      - The issue filtering frontend code needs access to this API for non-logged-in
        users + public projects. It uses the API to fetch information for a user by
        username.
      
      - We don't authenticate this API anymore, but instead - if the `current_user` is
        not present:
      
        - Verify that the `username` parameter has been passed. This disallows an
          unauthenticated user from grabbing a list of all users on the instance. The
          `UsersFinder` class performs an exact match on the `username`, so we are
          guaranteed to get 0 or 1 users.
        - Verify that the resulting user (if any) is accessible to be viewed publicly
          by calling `can?(current_user, :read_user, user)`
  14. 02 Jun, 2017 1 commit
  15. 01 Jun, 2017 1 commit
  16. 30 May, 2017 4 commits
  17. 10 May, 2017 2 commits
  18. 26 Apr, 2017 1 commit
    • Allow admins to sudo to blocked users. · 4dfdef2d
      Timothy Andrew authored
      - Currently, (for example) admins can't delete snippets for blocked users, which
        is an unexpected limitation.
      
      - We modify `authenticate!` to conduct the `access_api` policy check against the
        `initial_current_user`, instead of the user being impersonated.
      
      - Update CHANGELOG for !10842
  19. 09 Apr, 2017 1 commit
  20. 27 Mar, 2017 1 commit
    • API: Make the /notes endpoint work with noteable iid instead of id · add5cd99
      Toon Claes authored
      In API V4 all endpoints were changed so Merge Requests and Issues
      should be referred to by iid, instead of id. Except the /notes endpoint
      was forgotten. So change the endpoints from:
      
      - /projects/:id/issues/:issue_id/notes
      - /projects/:id/merge_requests/:merge_request_id/notes
      
      To:
      
      - /projects/:id/issues/:issue_iid/notes
      - /projects/:id/merge_requests/:merge_request_iid/notes
      
      For Project Snippets nothing changes.
  21. 22 Mar, 2017 1 commit
  22. 09 Mar, 2017 2 commits
  23. 07 Mar, 2017 2 commits
  24. 06 Mar, 2017 2 commits
  25. 03 Mar, 2017 2 commits
  26. 02 Mar, 2017 1 commit