delta/gitlab/gitlab-ce.git/app/models/user.rb, branch api-shared-groups gitlab.com: gitlab-org/gitlab-ce.git Dumb-down avatar presence check in `avatar_url` methods 2016-07-05T14:51:11+00:00 Robert Speicher rspeicher@gmail.com 2016-07-05T14:51:11+00:00 c7b68b6e66a487b8b12556fe10dd1dde78581eca `avatar.present?` goes through CarrierWave, and checks that the file exists on disk and checks its filesize. Because we're hitting the disk, this adds extra overhead to something where the worst-case scenario is rendering a broken image. Instead, we now just check that the _database attribute_ is present, which is good enough for our purposes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/19273 
`avatar.present?` goes through CarrierWave, and checks that the file
exists on disk and checks its filesize. Because we're hitting the disk,
this adds extra overhead to something where the worst-case scenario is
rendering a broken image.

Instead, we now just check that the _database attribute_ is present,
which is good enough for our purposes.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/19273
Enable Style/EmptyLines cop, remove redundant ones 2016-07-01T19:56:17+00:00 Grzegorz Bizon grzesiek.bizon@gmail.com 2016-07-01T19:56:17+00:00 9e211091a85c20adea63b89111240350d6d8ffcb 






Enable Style/SpaceAfterComma Rubocop cop
2016-06-29T13:23:44+00:00

Grzegorz Bizon
grzesiek.bizon@gmail.com

2016-06-29T13:23:44+00:00

28bafd5354427d27cabe40966bd069a75984e2b1












add missing attribute to attr_encrypted so it is fully backwards-compatible
2016-06-28T07:55:19+00:00

James Lopez
james@jameslopez.es

2016-06-28T07:55:19+00:00

31c95aa031ea6e5e7cd1bf8d08e3c6543f0ab2e7












Fix an information disclosure when requesting access to a group containing private projects
2016-06-24T10:01:48+00:00

Rémy Coutable
remy@rymai.me

2016-06-24T10:01:48+00:00

aec3475df94bc9681a723c344f3df05972ebe68c

The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>





The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>







Fix user creation with stronger minimum password requirements:q
2016-06-23T15:52:05+00:00

Nathan Bush
nathan@pfmediatech.com

2016-05-05T14:40:49+00:00

64883faa6ebffd1e67d36d537e1e0bf2196bf107












Unify check branch name exist
2016-06-20T19:44:21+00:00

Paco Guzman
pacoguzmanp@gmail.com

2016-06-20T13:38:54+00:00

208b18c956b38103b98bc93a952dc1e8a200dead












Cache todo counters (pending/done)
2016-06-17T17:04:36+00:00

Paco Guzman
pacoguzmanp@gmail.com

2016-06-02T13:46:58+00:00

f6bfa46daae3a00ca6f74abb6e6eddc9eac96197

- As todos are created/updated inside the TodoService
we repopulate the cache just there for both pending/done todos
- Todos as mark as done from the TodosController we update cache
there too
- All the added methods are kept in the User class for cohesion




- As todos are created/updated inside the TodoService
we repopulate the cache just there for both pending/done todos
- Todos as mark as done from the TodosController we update cache
there too
- All the added methods are kept in the User class for cohesion






Merge remote-tracking branch 'origin/master' into 2979-personal-access-tokens
2016-06-16T02:57:37+00:00

Timothy Andrew
mail@timothyandrew.net

2016-06-16T02:57:37+00:00

90bba2bc4637a059e17415a64b25776a6ab1b4bf












Implement @DouweM's feedback.
2016-06-16T02:54:13+00:00

Timothy Andrew
mail@timothyandrew.net

2016-06-16T02:54:13+00:00

7ee0898a9ec4a03c9a55841b1cbea67add460c50

- Extract a duplicated `redirect_to`
- Fix a typo: "token", not "certificate"
- Have the "Expires at" datepicker be attached to a text field, not inline
- Have both private tokens and personal access tokens verified in a
  single "authenticate_from_private_token" method, both in the
  application and API. Move relevant logic to
  `User#find_by_personal_access_token`
- Remove unnecessary constants relating to API auth. We don't need a
  separate constant for personal access tokens since the param is the
  same as for private tokens.





- Extract a duplicated `redirect_to`
- Fix a typo: "token", not "certificate"
- Have the "Expires at" datepicker be attached to a text field, not inline
- Have both private tokens and personal access tokens verified in a
  single "authenticate_from_private_token" method, both in the
  application and API. Move relevant logic to
  `User#find_by_personal_access_token`
- Remove unnecessary constants relating to API auth. We don't need a
  separate constant for personal access tokens since the param is the
  same as for private tokens.