- 01 Mar, 2017 1 commit
-
-
Dmitriy Zaporozhets authored
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-
- 08 Feb, 2017 1 commit
-
-
Dmitriy Zaporozhets authored
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-
- 24 Jun, 2016 1 commit
-
-
Rémy Coutable authored
The issue was with the `User#groups` and `User#projects` associations which goes through the `User#group_members` and `User#project_members`. Initially I chose to use a secure approach by storing the requester's user ID in `Member#created_by_id` instead of `Member#user_id` because I was aware that there was a security risk since I didn't know the codebase well enough. Then during the review, we decided to change that and directly store the requester's user ID into `Member#user_id` (for the sake of simplifying the code I believe), meaning that every `group_members` / `project_members` association would include the requesters by default... My bad for not checking that all the `group_members` / `project_members` associations and the ones that go through them (e.g. `Group#users` and `Project#users`) were made safe with the `where(requested_at: nil)` / `where(members: { requested_at: nil })` scopes. Now they are all secure. Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 19 Mar, 2016 1 commit
-
-
Robert Speicher authored
-
- 30 Apr, 2015 1 commit
-
-
Douwe Maan authored
-
- 15 Mar, 2015 1 commit
-
-
Douwe Maan authored
-
- 12 Mar, 2015 1 commit
-
-
Dmitriy Zaporozhets authored
-
- 09 Mar, 2015 1 commit
-
-
Dmitriy Zaporozhets authored
-
- 14 Sep, 2014 1 commit
-
-
Dmitriy Zaporozhets authored
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-
- 12 Feb, 2014 1 commit
-
-
Ciro Santillli authored
-
- 19 Jan, 2014 1 commit
-
-
skv authored
-
- 26 Sep, 2013 1 commit
-
-
Dmitriy Zaporozhets authored
Before we have only owner_id to determine group owner With multiple owners per group we should get rid of owner_id in group. So from now @group.owner will always be nil but @group.owners return an actual array of users who can admin this group
-
- 06 Aug, 2013 1 commit
-
-
Dmitriy Zaporozhets authored
-
- 12 Jul, 2013 2 commits
-
-
Dmitriy Zaporozhets authored
-
Dmitriy Zaporozhets authored
-