delta/gitlab/gitlab-ce.git/app/controllers/application_controller.rb, branch backport-gitlab-database gitlab.com: gitlab-org/gitlab-ce.git Limit the TTL for anonymous sessions to 1 hour 2018-07-18T19:39:51+00:00 Stan Hu stanhu@gmail.com 2018-07-18T18:18:14+00:00 c559c43dafb75005f5589c473729054845bb498b By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week). However, unauthenticated users can generate a lot of sessions, primarily for CSRF verification. It makes sense to reduce the TTL for unauthenticated to something much lower than the default (e.g. 1 hour) to limit Redis memory. In addition, Rails creates a new session after login, so the short TTL doesn't even need to be extended. Closes #48101 
By default, all sessions are given the same expiration time configured in the
session store (e.g. 1 week). However, unauthenticated users can generate a lot
of sessions, primarily for CSRF verification. It makes sense to reduce the TTL
for unauthenticated to something much lower than the default (e.g. 1 hour) to
limit Redis memory. In addition, Rails creates a new session after login,
so the short TTL doesn't even need to be extended.

Closes #48101
Improve manifest feature after backend review 2018-07-11T09:22:57+00:00 Dmitriy Zaporozhets dmitriy.zaporozhets@gmail.com 2018-07-09T11:59:07+00:00 6743147b7d9f310fbf5afa520e19ae495fd4df33 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Add ability to disable manifest import 2018-07-11T09:22:57+00:00 Dmitriy Zaporozhets dmitriy.zaporozhets@gmail.com 2018-07-05T12:46:39+00:00 98d29f6e78526d9bc35233a1049a502294f56384 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
[Rails5] Force the `protect_from_forgery` callback run first 2018-06-21T10:44:31+00:00 blackst0ne blackst0ne.ru@gmail.com 2018-06-21T10:44:31+00:00 6fef87f17fa6fde7c15668faa43b563eebc0a918 Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by default anymore. [1] Instead it gets inserted into callbacks chain where callbacks get called in order. This commit forces the callback to run first. [1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191 
Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by
default anymore. [1]

Instead it gets inserted into callbacks chain where callbacks get
called in order.

This commit forces the callback to run first.

[1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191
Render access denied without message 2018-06-13T15:03:48+00:00 Bob Van Landuyt bob@vanlanduyt.co 2018-06-13T14:05:55+00:00 7fe92d998125d3dc8be3544346de8dbd5c64b240 The `errors/access_denied` page should not fail to render when no message is provided. When accessing something as a sessionless user, we should also display the terms message if possible. 
The `errors/access_denied` page should not fail to render when no
message is provided.

When accessing something as a sessionless user, we should also display
the terms message if possible.
Log response body to production_json.log when a controller responds with a 422 status 2018-06-06T20:16:15+00:00 Stan Hu stanhu@gmail.com 2018-06-06T07:47:53+00:00 5d3abdf9a7c0260c708a46e2fd232b0490940f80 We have a number of import errors occurring with 422 errors, and it's hard to determine why they are happening. This change will surface the errors in the log lines. Relates to #47365 
We have a number of import errors occurring with 422 errors, and
it's hard to determine why they are happening. This change will
surface the errors in the log lines.

Relates to #47365
Render a 403 when showing an access denied message 2018-06-05T08:29:27+00:00 Bob Van Landuyt bob@vanlanduyt.co 2018-06-04T15:04:04+00:00 491e1fc905ef52dcc2e7df7deabd3c1f6e42aa52 When we want to show an access denied message to a user, we don't have to hide the resource's existence. So in that case we render a 403, this 403 is not handled by nginx on omnibus installs, making sure the message is visible to the user. 
When we want to show an access denied message to a user, we don't have
to hide the resource's existence.

So in that case we render a 403, this 403 is not handled by nginx on
omnibus installs, making sure the message is visible to the user.
Update 404 and 403 pages 2018-05-31T21:28:19+00:00 Paul Slaughter pslaughter@gitlab.com 2018-05-31T21:28:19+00:00 bbff2d680d22051041be5fc5dd2e801fd1cc862d 






Allow a user to sign out when on the terms page
2018-05-11T06:27:43+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2018-05-10T09:35:02+00:00

a5cb2fe2e09b9b758905693360ecc680ff4afe2a

Before we would block the `sign_out` request when the user did not
accept the terms, therefore redirecting them to the terms again.

By allowing all request to devise controllers, we avoid this problem.





Before we would block the `sign_out` request when the user did not
accept the terms, therefore redirecting them to the terms again.

By allowing all request to devise controllers, we avoid this problem.







Enforces terms in the web application
2018-05-04T11:54:43+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2018-04-27T14:50:33+00:00

7684217d6806408cd338260119364419260d1720

This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.





This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.