BigW Consortium Gitlab

  1. 12 May, 2017 1 commit
  2. 10 May, 2017 1 commit
  3. 03 Apr, 2017 1 commit
  4. 24 Jan, 2017 2 commits
  5. 15 Dec, 2016 1 commit
    • Merge branch 'jej-note-search-uses-finder' into 'security' · 12db4cc0
      Douwe Maan authored
      Fix missing Note access checks by moving Note#search to updated NoteFinder
      
      Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
      
      ## Which fixes are in this MR?
      
      :warning: - Potentially untested  
      :bomb: - No test coverage  
      :traffic_light: - Test coverage of some sort exists (a test failed when error raised)  
      :vertical_traffic_light: - Test coverage of return value (a test failed when nil used)  
      :white_check_mark: - Permissions check tested
      
      ### Note lookup without access check
      
      - [x] :white_check_mark: app/finders/notes_finder.rb:13 :download_code check
      - [x] :white_check_mark: app/finders/notes_finder.rb:19 `SnippetsFinder`
      - [x] :white_check_mark: app/models/note.rb:121 [`Issue#visible_to_user`]
      - [x] :white_check_mark: lib/gitlab/project_search_results.rb:113
        - This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only` in addition to the issue comments which would be fixed by `app/models/note.rb:121`.
        - It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked.
      
      ### Previous discussions
      - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `:download_code` check on commit
      - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used
        - `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223
      
      ### Acceptance criteria met?
      - [x] Tests added for new code
      - [x] TODO comments removed
      - [x] Squashed and removed skipped tests
      - [x] Changelog entry
      - [ ] State GitLab versions affected and issue severity in description
      - [ ] Create technical debt issue for NotesFinder.
        - Either split into `NotesFinder::ForTarget` and `NotesFinder::Search` or consider object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two.
        - Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)`
        - Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes`
      
      See merge request !2035
  6. 16 Nov, 2016 1 commit
  7. 08 Nov, 2016 1 commit
  8. 20 Oct, 2016 2 commits
  9. 06 Sep, 2016 1 commit
  10. 03 Jun, 2016 2 commits
  11. 31 May, 2016 1 commit
  12. 17 Mar, 2016 1 commit
  13. 11 Mar, 2016 2 commits
    • Added ProjectSearchResults#project_ids_relation · 8c2868e8
      Yorick Peterse authored
      This ensures some other methods such as the "issues" method still work.
    • Refactor Gitlab::ProjectSearchResults · ec349dc1
      Yorick Peterse authored
      Previously this class would be given a project ID which was then used to
      retrieve the corresponding Project object. However, in all cases the
      Project object was already known as it was used to grab the ID to pass
      to ProjectSearchResults. By just passing a Project instead we remove the
      need for an extra query as well as the need for some other complexity
      in this class.
  14. 03 Nov, 2015 1 commit
  15. 02 Nov, 2015 1 commit
  16. 29 Oct, 2015 2 commits
  17. 21 Oct, 2015 1 commit
  18. 09 Jun, 2015 1 commit
  19. 08 Jun, 2015 1 commit
    • No need to check if `repository_ref` is present · c418261b
      zenati authored
      There is no need to check if `repository_ref` is present as:
      ```
      @repository_ref = if repository_ref.present?
                          repository_ref
                        else
                          nil
                        end
      ```
      
      is the same as doing:
      
      ```
      @repository_ref = repository_ref
      ```
  20. 23 Mar, 2015 1 commit
  21. 25 Sep, 2014 2 commits
  22. 09 Sep, 2014 1 commit
  23. 06 Sep, 2014 2 commits
  24. 05 Sep, 2014 1 commit
  25. 27 Aug, 2014 1 commit
  26. 26 Aug, 2014 2 commits