BigW Consortium Gitlab

  1. 22 May, 2017 1 commit
  2. 08 May, 2017 1 commit
  3. 05 May, 2017 2 commits
  4. 24 Apr, 2017 1 commit
  5. 19 Apr, 2017 1 commit
  6. 17 Apr, 2017 1 commit
  7. 05 Apr, 2017 1 commit
  8. 25 Mar, 2017 1 commit
  9. 17 Mar, 2017 1 commit
  10. 13 Mar, 2017 1 commit
  11. 28 Feb, 2017 1 commit
  12. 16 Feb, 2017 1 commit
  13. 10 Feb, 2017 1 commit
  14. 05 Feb, 2017 1 commit
  15. 22 Jan, 2017 1 commit
  16. 16 Dec, 2016 4 commits
  17. 06 Dec, 2016 1 commit
  18. 05 Dec, 2016 1 commit
    • Fix Archived project merge requests add to group's Merge Requests · 4d26ab28
      Jacopo authored
      counter
      
      This is done by:
       - Extending the IssuableFinder adding the non_archived option to the params
       - Overriding the #filter_params in the MergeRequestsAction
       - Passing the non_archived param in the nav/_group.html.haml navbar
         partial from the groups/merge_requests.html.haml
  19. 26 Nov, 2016 1 commit
  20. 11 Nov, 2016 1 commit
  21. 09 Nov, 2016 1 commit
  22. 13 Sep, 2016 1 commit
  23. 20 Jul, 2016 2 commits
  24. 05 Jul, 2016 1 commit
  25. 01 Jul, 2016 2 commits
  26. 24 Jun, 2016 1 commit
    • Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable authored
      The issue was with the `User#groups` and `User#projects` associations
      which goes through the `User#group_members` and `User#project_members`.
      
      Initially I chose to use a secure approach by storing the requester's
      user ID in `Member#created_by_id` instead of `Member#user_id` because I
      was aware that there was a security risk since I didn't know the
      codebase well enough.
      
      Then during the review, we decided to change that and directly store the
      requester's user ID into `Member#user_id` (for the sake of simplifying
      the code I believe), meaning that every `group_members` / `project_members`
      association would include the requesters by default...
      
      My bad for not checking that all the `group_members` / `project_members`
      associations and the ones that go through them (e.g. `Group#users` and
      `Project#users`) were made safe with the `where(requested_at: nil)` /
      `where(members: { requested_at: nil })` scopes.
      
      Now they are all secure.
      Signed-off-by: 's avatarRémy Coutable <remy@rymai.me>
  27. 20 Jun, 2016 2 commits
  28. 18 Jun, 2016 1 commit
  29. 16 Jun, 2016 2 commits
  30. 14 Jun, 2016 2 commits