BigW Consortium Gitlab

  1. 15 Sep, 2016 2 commits
  2. 01 Sep, 2016 1 commit
  3. 30 Aug, 2016 1 commit
  4. 24 Aug, 2016 1 commit
  5. 17 Aug, 2016 1 commit
  6. 12 Aug, 2016 1 commit
  7. 04 Aug, 2016 1 commit
  8. 03 Aug, 2016 1 commit
    • Store OTP secret key in secrets.yml · 405379bb
      Sean McGivern authored
      .secret stores the secret token used for both encrypting login cookies
      and for encrypting stored OTP secrets. We can't rotate this, because
      that would invalidate all existing OTP secrets.
      
      If the secret token is present in the .secret file or an environment
      variable, save it as otp_key_base in secrets.yml. Now .secret can be
      rotated without invalidating OTP secrets.
      
      If the secret token isn't present (initial setup), then just generate a
      separate otp_key_base and save it in secrets.yml.
      
      Update the docs to reflect that secrets.yml needs to be retained past
      upgrades, but .secret doesn't.
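The migration the commit describes, as an added example that is not GitLab's own code: a plain-Ruby version of "take the legacy secret token from the environment or the .secret file, otherwise generate a fresh one, and write it to secrets.yml as otp_key_base exactly once". The file names, the SECRET_KEY_BASE environment variable, and the AES-GCM helper used to stand in for OTP-secret encryption at rest are assumptions for illustration; the demo shows why the key must survive a .secret rotation.

```ruby
require 'yaml'
require 'securerandom'
require 'openssl'
require 'tmpdir'

# Added example (not GitLab's code): minimal re-implementation of the
# secrets migration described in the commit. File names and the
# SECRET_KEY_BASE environment variable are assumptions for illustration.
module OtpKeyMigration
  module_function

  # Ensure secrets.yml carries an otp_key_base for +env+ and return it.
  # Precedence: existing otp_key_base in secrets.yml, then the legacy secret
  # token from the environment, then the .secret file, else a fresh random key.
  def ensure_otp_key_base(secrets_path:, secret_file:, env: 'production', environ: ENV)
    secrets = File.exist?(secrets_path) ? (YAML.safe_load(File.read(secrets_path)) || {}) : {}
    secrets[env] ||= {}

    # Idempotent: never overwrite an existing key, or stored OTP secrets break.
    existing = secrets[env]['otp_key_base']
    return existing if existing && !existing.empty?

    legacy = environ['SECRET_KEY_BASE'].to_s
    legacy = File.read(secret_file).strip if legacy.empty? && File.exist?(secret_file)

    secrets[env]['otp_key_base'] = legacy.empty? ? SecureRandom.hex(64) : legacy

    # The secrets file must not be readable by other local users.
    File.open(secrets_path, 'w', 0o600) { |f| f.write(YAML.dump(secrets)) }
    secrets[env]['otp_key_base']
  end

  # Toy stand-in for protecting an OTP secret at rest: AES-256-GCM under a key
  # derived from otp_key_base. Only here to show that the key must stay stable.
  def encrypt_otp_secret(otp_key_base, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = OpenSSL::Digest.digest('SHA256', otp_key_base)
    iv = cipher.random_iv
    cipher.auth_data = ''
    ct = cipher.update(plaintext) + cipher.final
    [iv, cipher.auth_tag, ct].map { |b| b.unpack1('H*') }.join(':')
  end

  def decrypt_otp_secret(otp_key_base, blob)
    iv, tag, ct = blob.split(':').map { |h| [h].pack('H*') }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = OpenSSL::Digest.digest('SHA256', otp_key_base)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    cipher.update(ct) + cipher.final
  end

  # Walk through the commit's scenario in a temp dir: upgrade with an existing
  # .secret, then rotate .secret and check that an OTP secret encrypted before
  # the rotation still decrypts.
  def demo
    Dir.mktmpdir do |dir|
      secrets_yml = File.join(dir, 'secrets.yml')
      dot_secret  = File.join(dir, '.secret')
      File.write(dot_secret, 'legacy-secret-token-from-dot-secret') # constructed value

      key_before = ensure_otp_key_base(secrets_path: secrets_yml, secret_file: dot_secret, environ: {})
      blob = encrypt_otp_secret(key_before, 'JBSWY3DPEHPK3PXP') # constructed OTP secret

      File.write(dot_secret, SecureRandom.hex(64)) # rotate .secret
      key_after = ensure_otp_key_base(secrets_path: secrets_yml, secret_file: dot_secret, environ: {})

      {
        migrated_from_dot_secret: key_before == 'legacy-secret-token-from-dot-secret',
        stable_after_rotation: key_before == key_after,
        otp_secret_recovered: decrypt_otp_secret(key_after, blob) == 'JBSWY3DPEHPK3PXP'
      }
    end
  end
end

puts OtpKeyMigration.demo if $PROGRAM_NAME == __FILE__
```

The early return on an existing otp_key_base is the whole point: the migration must be safe to run on every boot, and a rotated .secret (or a changed environment variable) must never be allowed to replace a key that stored OTP secrets already depend on.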
  9. 01 Aug, 2016 1 commit
  10. 20 Jul, 2016 1 commit
  11. 19 Jul, 2016 1 commit
  12. 18 Jul, 2016 5 commits
  13. 15 Jul, 2016 1 commit
  14. 12 Jul, 2016 1 commit
  15. 07 Jul, 2016 1 commit
    • Added setting to set new users by default as external · a0a9494e
      Dravere authored
      As requested by the issue #14508 this adds an option in the application
      settings to set newly registered users by default as external. The
      default setting is set to false to stay backward compatible.
  16. 05 Jul, 2016 1 commit
  17. 01 Jul, 2016 1 commit
  18. 29 Jun, 2016 1 commit
  19. 28 Jun, 2016 1 commit
  20. 24 Jun, 2016 1 commit
    • Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable authored
      The issue was with the `User#groups` and `User#projects` associations
      which go through the `User#group_members` and `User#project_members`.
      
      Initially I chose to use a secure approach by storing the requester's
      user ID in `Member#created_by_id` instead of `Member#user_id` because I
      was aware that there was a security risk since I didn't know the
      codebase well enough.
      
      Then during the review, we decided to change that and directly store the
      requester's user ID into `Member#user_id` (for the sake of simplifying
      the code I believe), meaning that every `group_members` / `project_members`
      association would include the requesters by default...
      
      My bad for not checking that all the `group_members` / `project_members`
      associations and the ones that go through them (e.g. `Group#users` and
      `Project#users`) were made safe with the `where(requested_at: nil)` /
      `where(members: { requested_at: nil })` scopes.
      
      Now they are all secure.
      Signed-off-by: Rémy Coutable <remy@rymai.me>
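The leak described in the commit, as an added example that is not GitLab's code: a plain-Ruby model of the associations it names, where an access requester is stored in `Member#user_id` and distinguished from a real member only by `requested_at`. The unscoped associations include requesters, so a user who merely asked to join a group can enumerate its private projects; the fixed versions apply the equivalent of `where(requested_at: nil)` / `where(members: { requested_at: nil })`. Class and method names are illustrative stand-ins for the ActiveRecord associations.

```ruby
# Added example, not GitLab's code: in-memory stand-ins for the associations
# named in the commit. Member, Group, Project and the :private visibility are
# illustrative; the `_unscoped` methods model the vulnerable associations.
Member  = Struct.new(:user_id, :source, :requested_at, keyword_init: true)
Project = Struct.new(:name, :group, :visibility, keyword_init: true)

class Group
  attr_reader :name, :members, :projects

  def initialize(name)
    @name, @members, @projects = name, [], []
  end

  # Vulnerable `Group#users`: every member row, including pending requests.
  def users_unscoped(all_users)
    all_users.select { |u| members.any? { |m| m.user_id == u.id } }
  end

  # Fixed `Group#users`: equivalent of `where(members: { requested_at: nil })`.
  def users(all_users)
    all_users.select { |u| members.any? { |m| m.user_id == u.id && m.requested_at.nil? } }
  end
end

class User
  attr_reader :id, :group_members

  def initialize(id)
    @id, @group_members = id, []
  end

  # Requesting access stores the requester in Member#user_id, as the reviewed
  # design did; only requested_at marks the row as a pending request.
  def request_access(group)
    add_member(group, Time.now)
  end

  def join(group)
    add_member(group, nil)
  end

  # Vulnerable `User#groups`: walks group_members without the scope.
  def groups_unscoped
    group_members.map(&:source)
  end

  # Fixed `User#groups`: `where(requested_at: nil)` on the through association.
  def groups
    group_members.select { |m| m.requested_at.nil? }.map(&:source)
  end

  # `User#projects` goes through groups, so private projects of groups the
  # user only requested to join leak through the unscoped version.
  def projects_unscoped
    groups_unscoped.flat_map(&:projects)
  end

  def projects
    groups.flat_map(&:projects)
  end

  private

  def add_member(group, requested_at)
    m = Member.new(user_id: id, source: group, requested_at: requested_at)
    group.members << m
    group_members << m
  end
end

# Constructed scenario: a requester must not see the group's private project.
def demo
  g = Group.new('acme')
  g.projects << Project.new(name: 'secret-tool', group: g, visibility: :private)
  owner, requester = User.new(1), User.new(2)
  owner.join(g)
  requester.request_access(g)
  {
    leaked_before_fix: requester.projects_unscoped.map(&:name),
    visible_after_fix: requester.projects.map(&:name),
    group_users_after_fix: g.users([owner, requester]).map(&:id)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The check worth keeping from this incident is structural: when a single table mixes two trust levels (members and requesters) and the difference is one nullable column, every association that reads the table, including the ones that go through it, needs the scope, not just the one the original author remembered.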
  21. 23 Jun, 2016 1 commit
  22. 20 Jun, 2016 1 commit
  23. 17 Jun, 2016 1 commit
    • Cache todo counters (pending/done) · f6bfa46d
      Paco Guzman authored
      - As todos are created/updated inside the TodoService, we repopulate
        the cache right there for both pending/done todos
      - As todos are marked as done from the TodosController, we update the
        cache there too
      - All the added methods are kept in the User class for cohesion
  24. 16 Jun, 2016 3 commits
    • Revert "squashed merge and fixed conflicts" · 452c076a
      James Lopez authored
      This reverts commit 13e37a3e.
    • squashed merge and fixed conflicts · 13e37a3e
      James Lopez authored
    • Implement @DouweM's feedback. · 7ee0898a
      Timothy Andrew authored
      - Extract a duplicated `redirect_to`
      - Fix a typo: "token", not "certificate"
      - Have the "Expires at" datepicker be attached to a text field, not inline
      - Have both private tokens and personal access tokens verified in a
        single "authenticate_from_private_token" method, both in the
        application and API. Move relevant logic to
        `User#find_by_personal_access_token`
      - Remove unnecessary constants relating to API auth. We don't need a
        separate constant for personal access tokens since the param is the
        same as for private tokens.
  25. 14 Jun, 2016 1 commit
  26. 13 Jun, 2016 2 commits
  27. 10 Jun, 2016 2 commits
  28. 06 Jun, 2016 1 commit
    • Add a `U2fRegistrations` table/model. · 791cc913
      Timothy Andrew authored
      - To hold registrations from U2F devices, and to authenticate them.
      - Previously, `User#two_factor_enabled` was aliased to the
        `otp_required_for_login` column on `users`.
      - This commit changes things a bit:
          - `User#two_factor_enabled` is not a method anymore
          - `User#two_factor_enabled?` checks both the
            `otp_required_for_login` column, as well as `U2fRegistration`s
          - Change all instances of `User#two_factor_enabled` to
            `User#two_factor_enabled?`
      - Add the `u2f` gem, and implement registration/authentication at the
        model level.
  29. 03 Jun, 2016 2 commits
  30. 02 Jun, 2016 1 commit