delta/gitlab/gitlab-ce.git/app/models/group.rb, branch 22964-git-commit-documentation-article gitlab.com: gitlab-org/gitlab-ce.git Allow Member.add_user to handle access requesters 2016-09-28T07:43:00+00:00 Rémy Coutable remy@rymai.me 2016-09-16T15:54:21+00:00 ec0061a95cbba02286b2c143048c93d8f26ff5f0 Changes include: - Ensure Member.add_user is not called directly when not necessary - New GroupMember.add_users_to_group to have the same abstraction level as for Project - Refactor Member.add_user to take a source instead of an array of members - Fix Rubocop offenses - Always use Project#add_user instead of project.team.add_user - Factorize users addition as members in Member.add_users_to_source - Make access_level a keyword argument in GroupMember.add_users_to_group and ProjectMember.add_users_to_projects - Destroy any requester before adding them as a member - Improve the way we handle access requesters in Member.add_user Instead of removing the requester and creating a new member, we now simply accepts their access request. This way, they will receive a "access request granted" email. - Fix error that was previously silently ignored - Stop raising when access level is invalid in Member, let Rails validation do their work Signed-off-by: Rémy Coutable <remy@rymai.me> 
Changes include:

- Ensure Member.add_user is not called directly when not necessary
- New GroupMember.add_users_to_group to have the same abstraction level as for Project
- Refactor Member.add_user to take a source instead of an array of members
- Fix Rubocop offenses
- Always use Project#add_user instead of project.team.add_user
- Factorize users addition as members in Member.add_users_to_source
- Make access_level a keyword argument in GroupMember.add_users_to_group and ProjectMember.add_users_to_projects
- Destroy any requester before adding them as a member
- Improve the way we handle access requesters in Member.add_user
  Instead of removing the requester and creating a new member,
  we now simply accepts their access request. This way, they will
  receive a "access request granted" email.
- Fix error that was previously silently ignored
- Stop raising when access level is invalid in Member, let Rails validation do their work

Signed-off-by: Rémy Coutable <remy@rymai.me>
Added group-specific setting for LFS. 2016-09-15T17:27:32+00:00 Patricio Cano suprnova32@gmail.com 2016-09-01T23:49:48+00:00 fd621429508ba3877e27a8187f0d491576b65ad0 Groups can enable/disable LFS, but this setting can be overridden at the project level. Admin only 
Groups can enable/disable LFS, but this setting can be overridden at the project level. Admin only
Add expiration date to group memberships 2016-08-18T20:09:17+00:00 Sean McGivern sean@gitlab.com 2016-08-18T16:01:50+00:00 396f85e438ddc9bcd89f5a557980ce82b71e098b 






Replace optional parameters with keyword arguments.
2016-08-02T18:37:22+00:00

Adam Niedzielski
adamsunday@gmail.com

2016-08-02T18:37:22+00:00

b2c8dc6f35ceb08e23422a356831070b5136809d












Dumb-down avatar presence check in `avatar_url` methods
2016-07-05T14:51:11+00:00

Robert Speicher
rspeicher@gmail.com

2016-07-05T14:51:11+00:00

c7b68b6e66a487b8b12556fe10dd1dde78581eca

`avatar.present?` goes through CarrierWave, and checks that the file
exists on disk and checks its filesize. Because we're hitting the disk,
this adds extra overhead to something where the worst-case scenario is
rendering a broken image.

Instead, we now just check that the _database attribute_ is present,
which is good enough for our purposes.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/19273





`avatar.present?` goes through CarrierWave, and checks that the file
exists on disk and checks its filesize. Because we're hitting the disk,
this adds extra overhead to something where the worst-case scenario is
rendering a broken image.

Instead, we now just check that the _database attribute_ is present,
which is good enough for our purposes.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/19273







Exclude requesters from Project#members, Group#members and User#members
2016-07-01T15:44:46+00:00

Rémy Coutable
remy@rymai.me

2016-06-27T14:20:57+00:00

bd78f5733ca546bf940438b84aefa2fa3abacb36

And create new Project#requesters, Group#requesters scopes.

Signed-off-by: Rémy Coutable <remy@rymai.me>





And create new Project#requesters, Group#requesters scopes.

Signed-off-by: Rémy Coutable <remy@rymai.me>







Fix an information disclosure when requesting access to a group containing private projects
2016-06-24T10:01:48+00:00

Rémy Coutable
remy@rymai.me

2016-06-24T10:01:48+00:00

aec3475df94bc9681a723c344f3df05972ebe68c

The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>





The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>







Turn Group#owners into a has_many association
2016-06-16T09:10:41+00:00

Yorick Peterse
yorickpeterse@gmail.com

2016-06-15T13:22:05+00:00

84e2be5a5f3f020f1c57b013e82143ff90e48e58

This allows the owners to be eager loaded where needed.





This allows the owners to be eager loaded where needed.







UI and copywriting improvements
2016-06-14T11:18:14+00:00

Rémy Coutable
remy@rymai.me

2016-06-02T16:05:06+00:00

515205d3c1c6655302ed0ae44cc5954dead7ae79

+ Move 'Edit Project/Group' out of membership-related partial
+ Show the access request buttons only to logged-in users
+ Put the request access buttons out of in a more visible button
+ Improve the copy in the #remove_member_message helper

Signed-off-by: Rémy Coutable <remy@rymai.me>





+ Move 'Edit Project/Group' out of membership-related partial
+ Show the access request buttons only to logged-in users
+ Put the request access buttons out of in a more visible button
+ Improve the copy in the #remove_member_message helper

Signed-off-by: Rémy Coutable <remy@rymai.me>







Factorize members mails into a new Emails::Members module
2016-06-14T11:07:26+00:00

Rémy Coutable
remy@rymai.me

2016-06-02T14:14:02+00:00

6d103a2f4764441b1650ba6d790732056c9a8516

Signed-off-by: Rémy Coutable <remy@rymai.me>





Signed-off-by: Rémy Coutable <remy@rymai.me>