delta/gitlab/gitlab-ce.git/app/controllers/dashboard/groups_controller.rb, branch git-user-encoding gitlab.com: gitlab-org/gitlab-ce.git Reuse the groups tree for explore and dashboard. 2017-10-04T20:49:41+00:00 Bob Van Landuyt bob@vanlanduyt.co 2017-09-13T15:16:30+00:00 3a4dc55f2924debcdbb37eb63d8ce57b1358df81 






Use the default sort set by the `Sortable` concern
2017-10-04T20:49:41+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2017-09-13T09:29:32+00:00

39df53ff0aeac24d390eea52a1df6dfe103a4c14












Only show root groups on the dashboard
2017-10-04T20:49:41+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2017-09-13T08:25:37+00:00

1fb49b8729b126360e9852b184c0ba63c330c4b5

The children are lazy-loaded when expanding





The children are lazy-loaded when expanding







Use same response-body in groups-dashboard as we do for group-home
2017-10-04T20:49:41+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2017-09-12T12:58:44+00:00

3e6dd7d88daaac2dbafc234753942086e0ba0403












Removes default scope from sortable
2017-09-07T12:01:59+00:00

Tiago Botelho
tiagonbotelho@hotmail.com

2017-08-15T10:27:37+00:00

cfd475a45ee2655fa0148b0b561f95b44fe8641b












Use group and project finders instead of direct ActiveRecord relations
2017-06-08T01:22:34+00:00

Douwe Maan
douwe@selenight.nl

2017-06-08T01:22:34+00:00

e56556e1feadefe795c48b91b484ed04e022cf9b












Serialize groups as json for Dashboard::GroupsController
2017-05-04T20:45:02+00:00

Dmitriy Zaporozhets
dmitriy.zaporozhets@gmail.com

2017-05-04T20:45:02+00:00

5bce197b617f2542430db7aecec321cf1619de72

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>





Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>







Add filter and sorting to dashboard groups page
2017-03-01T13:39:59+00:00

Dmitriy Zaporozhets
dmitriy.zaporozhets@gmail.com

2017-03-01T13:31:56+00:00

b7c30cae4eedab5e8e41d9764ac08ca12361d054

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>





Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>







Store group and project full name and full path in routes table
2017-02-08T17:14:29+00:00

Dmitriy Zaporozhets
dmitriy.zaporozhets@gmail.com

2017-02-04T18:26:11+00:00

2989192d1aa8051aa09164cd097418bd3063d4ad

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>





Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>







Fix an information disclosure when requesting access to a group containing private projects
2016-06-24T10:01:48+00:00

Rémy Coutable
remy@rymai.me

2016-06-24T10:01:48+00:00

aec3475df94bc9681a723c344f3df05972ebe68c

The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>





The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>