delta/gitlab/gitlab-ce.git/app/controllers/omniauth_callbacks_controller.rb, branch patch-53 gitlab.com: gitlab-org/gitlab-ce.git Externalize strings in flash messages 2019-04-08T14:17:45+00:00 Martin Wortschack mwortschack@gitlab.com 2019-04-08T14:17:45+00:00 76e8960f4ab30e91e7e9aca0ae82e10ba23d460d - Externalize strings in controllers - Update PO file 
- Externalize strings in controllers
- Update PO file
Move out link\unlink ability checks to a policy 2019-03-19T12:38:16+00:00 Pavel Shutsin pshutsin@gitlab.com 2019-03-18T14:36:34+00:00 8ee1927db90d43205b4e6f8bd13f209c74b41bd1 We can extend the policy in EE for additional behavior 
We can extend the policy in EE for additional behavior
Backport build_auth_user for GroupSAML callback 2019-02-06T17:28:35+00:00 James Edwards-Jones jedwardsjones@gitlab.com 2019-02-06T17:28:35+00:00 24f3f9600484efcf088c73509a4f3c72fc30fff0 






Avoid CSRF check on SAML failure endpoint
2019-02-04T10:10:51+00:00

James Edwards-Jones
jedwardsjones@gitlab.com

2019-01-19T20:41:39+00:00

6548e01f18c24ec8703bb85557d7509dbeace013

SAML and OAuth failures should cause a message to be presented, as well
as logging that an attempt was made. These were incorrectly prevented by
the CSRF check on POST endpoints such as SAML.

In addition we were using a NullSession forgery protection, which made
testing more difficult and could have allowed account linking to take
place if a CSRF was ever needed but not present.





SAML and OAuth failures should cause a message to be presented, as well
as logging that an attempt was made. These were incorrectly prevented by
the CSRF check on POST endpoints such as SAML.

In addition we were using a NullSession forgery protection, which made
testing more difficult and could have allowed account linking to take
place if a CSRF was ever needed but not present.







Addressing peer review feedback.
2019-01-10T06:00:39+00:00

Scott Escue
scott.escue@gmail.com

2018-06-04T21:28:18+00:00

4dcaa4df3622ae267363fcff184d0929b2102035

Replacing inline JS with ES 2015 functions included in pages/sessions/new. Also applying suggested server-side syntax improvements to OmniAuthCallbacksController.





Replacing inline JS with ES 2015 functions included in pages/sessions/new. Also applying suggested server-side syntax improvements to OmniAuthCallbacksController.







Preserve URL fragment across sign-in and sign-up redirects
2019-01-10T06:00:38+00:00

Scott Escue
scott.escue@gmail.com

2018-05-22T20:04:19+00:00

6540a9468a8bce3f496423179db1862cfb9f5c8c

If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.





If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.







Enable frozen string in app/controllers/**/*.rb
2018-09-19T04:22:45+00:00

gfyoung
gfyoung17@gmail.com

2018-09-14T05:42:05+00:00

73322a0e551bbbc42d429b15e7ad9fd375ab761d

Enables frozen string for the following:

* app/controllers/*.rb
* app/controllers/admin/**/*.rb
* app/controllers/boards/**/*.rb
* app/controllers/ci/**/*.rb
* app/controllers/concerns/**/*.rb

Partially addresses #47424.





Enables frozen string for the following:

* app/controllers/*.rb
* app/controllers/admin/**/*.rb
* app/controllers/boards/**/*.rb
* app/controllers/ci/**/*.rb
* app/controllers/concerns/**/*.rb

Partially addresses #47424.







Honor saml assurance level to allow 2FA bypassing
2018-06-25T15:32:03+00:00

Roger Rüttimann
roger.ruettimann@gmail.com

2018-06-25T15:32:03+00:00

2efe27ba181daa18db9e227b13be428ebdfc23f1












[Rails5] Force the `protect_from_forgery` callback run first
2018-06-21T10:44:31+00:00

blackst0ne
blackst0ne.ru@gmail.com

2018-06-21T10:44:31+00:00

6fef87f17fa6fde7c15668faa43b563eebc0a918

Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by
default anymore. [1]

Instead it gets inserted into callbacks chain where callbacks get
called in order.

This commit forces the callback to run first.

[1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191





Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by
default anymore. [1]

Instead it gets inserted into callbacks chain where callbacks get
called in order.

This commit forces the callback to run first.

[1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191







Backport helpers from GroupSAML failure messages
2018-05-21T15:43:12+00:00

James Edwards-Jones
jedwardsjones@gitlab.com

2018-04-22T23:17:49+00:00

b98a88cfe9033b5d694ac237a50ad4fe923ad95d