- 15 Sep, 2016 2 commits
Patricio Cano authored
Patricio Cano authored
- Required on the GitLab Rails side is mostly authentication and API related.
- 01 Sep, 2016 1 commit
Felipe Artur authored
- 30 Aug, 2016 1 commit
http://jneen.net/ authored
- 24 Aug, 2016 1 commit
Paco Guzman authored
- 17 Aug, 2016 1 commit
Paco Guzman authored
Use just SQL to check if a user can admin_issue on a project

Tradeoff - we duplicate how we check admin_issue in a SQL relation in the Ability class
- 12 Aug, 2016 1 commit
Paco Guzman authored
- 04 Aug, 2016 1 commit
Adam Niedzielski authored
- 03 Aug, 2016 1 commit
Sean McGivern authored
.secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't.
- 01 Aug, 2016 1 commit
Adam Niedzielski authored
- 20 Jul, 2016 1 commit
Alejandro Rodríguez authored
Currently, even when searching for all authorized issues of *one* project, we run the `Users#authorized_projects` query (which can be rather slow). This update checks if we are handling issues of just one project and does the authorization check locally. It does have the downside of basically repeating the logic of `Users#authorized_projects` on `Project#authorized_for_user`.
- 19 Jul, 2016 1 commit
Robert Speicher authored
Prior, when providing a `min_access_level` parameter to this method, we called `Gitlab::Access.values` instead of `all_values`, mistakenly omitting the `OWNER` level. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19878
- 18 Jul, 2016 5 commits
Patricio Cano authored
Patricio Cano authored
Refactor and rename `restricted_signup_domains` to `domain_whitelist` to better conform to its behavior and newly introduced behavior.
Patricio Cano authored
Patricio Cano authored
Patricio Cano authored
- 15 Jul, 2016 1 commit
Kamil Trzcinski authored
- 12 Jul, 2016 1 commit
Sean McGivern authored
- 07 Jul, 2016 1 commit
Dravere authored
As requested in issue #14508, this adds an option in the application settings to set newly registered users by default as external. The default setting is set to false to stay backward compatible.
- 05 Jul, 2016 1 commit
Robert Speicher authored
`avatar.present?` goes through CarrierWave, and checks that the file exists on disk and checks its filesize. Because we're hitting the disk, this adds extra overhead to something where the worst-case scenario is rendering a broken image. Instead, we now just check that the _database attribute_ is present, which is good enough for our purposes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/19273
- 01 Jul, 2016 1 commit
Grzegorz Bizon authored
- 29 Jun, 2016 1 commit
Grzegorz Bizon authored
- 28 Jun, 2016 1 commit
James Lopez authored
- 24 Jun, 2016 1 commit
Rémy Coutable authored
The issue was with the `User#groups` and `User#projects` associations, which go through `User#group_members` and `User#project_members`. Initially I chose to use a secure approach by storing the requester's user ID in `Member#created_by_id` instead of `Member#user_id` because I was aware that there was a security risk since I didn't know the codebase well enough. Then during the review, we decided to change that and directly store the requester's user ID into `Member#user_id` (for the sake of simplifying the code I believe), meaning that every `group_members` / `project_members` association would include the requesters by default... My bad for not checking that all the `group_members` / `project_members` associations and the ones that go through them (e.g. `Group#users` and `Project#users`) were made safe with the `where(requested_at: nil)` / `where(members: { requested_at: nil })` scopes. Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>
- 23 Jun, 2016 1 commit
Nathan Bush authored
- 20 Jun, 2016 1 commit
Paco Guzman authored
- 17 Jun, 2016 1 commit
Paco Guzman authored
- As todos are created/updated inside the TodoService we repopulate the cache just there for both pending/done todos
- Todos are marked as done from the TodosController, so we update the cache there too
- All the added methods are kept in the User class for cohesion
- 16 Jun, 2016 3 commits
James Lopez authored
This reverts commit 13e37a3e.
James Lopez authored
Timothy Andrew authored
- Extract a duplicated `redirect_to`
- Fix a typo: "token", not "certificate"
- Have the "Expires at" datepicker be attached to a text field, not inline
- Have both private tokens and personal access tokens verified in a single "authenticate_from_private_token" method, both in the application and API. Move relevant logic to `User#find_by_personal_access_token`
- Remove unnecessary constants relating to API auth. We don't need a separate constant for personal access tokens since the param is the same as for private tokens.
- 14 Jun, 2016 1 commit
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
- 13 Jun, 2016 2 commits
Douglas Barbosa Alexandre authored
Douglas Barbosa Alexandre authored
- 10 Jun, 2016 2 commits
Felipe Artur authored
Felipe Artur authored
- 06 Jun, 2016 1 commit
Timothy Andrew authored
- To hold registrations from U2F devices, and to authenticate them.
- Previously, `User#two_factor_enabled` was aliased to the `otp_required_for_login` column on `users`.
- This commit changes things a bit:
  - `User#two_factor_enabled` is not a method anymore
  - `User#two_factor_enabled?` checks both the `otp_required_for_login` column, as well as `U2fRegistration`s
- Change all instances of `User#two_factor_enabled` to `User#two_factor_enabled?`
- Add the `u2f` gem, and implement registration/authentication at the model level.
- 03 Jun, 2016 2 commits
James Lopez authored
This reverts commit 3e991230.
James Lopez authored
# Conflicts:
#	app/models/project.rb
- 02 Jun, 2016 1 commit
Josh Frye authored