delta/gitlab/gitlab-ce.git/spec/controllers/application_controller_spec.rb, branch backport-gitlab-database gitlab.com: gitlab-org/gitlab-ce.git Limit the TTL for anonymous sessions to 1 hour 2018-07-18T19:39:51+00:00 Stan Hu stanhu@gmail.com 2018-07-18T18:18:14+00:00 c559c43dafb75005f5589c473729054845bb498b By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week). However, unauthenticated users can generate a lot of sessions, primarily for CSRF verification. It makes sense to reduce the TTL for unauthenticated to something much lower than the default (e.g. 1 hour) to limit Redis memory. In addition, Rails creates a new session after login, so the short TTL doesn't even need to be extended. Closes #48101 
By default, all sessions are given the same expiration time configured in the
session store (e.g. 1 week). However, unauthenticated users can generate a lot
of sessions, primarily for CSRF verification. It makes sense to reduce the TTL
for unauthenticated to something much lower than the default (e.g. 1 hour) to
limit Redis memory. In addition, Rails creates a new session after login,
so the short TTL doesn't even need to be extended.

Closes #48101
Merge branch 'rails5-fix-47804' into 'master' 2018-06-14T07:03:59+00:00 Rémy Coutable remy@rymai.me 2018-06-14T07:03:59+00:00 8e0697dae375266ee9eaff3dfc4e892f2bd365cb Rails5 fix stack level too deep Closes #47804 See merge request gitlab-org/gitlab-ce!19762 
Rails5 fix stack level too deep

Closes #47804

See merge request gitlab-org/gitlab-ce!19762
 Rails5 fix stack level too deep 2018-06-13T15:45:26+00:00 Jasper Maes jaspermaes.jm@gmail.com 2018-06-13T15:35:39+00:00 b6996837ea992a98018caa0210f10ae6f3bcc9c0 






Render access denied without message
2018-06-13T15:03:48+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2018-06-13T14:05:55+00:00

7fe92d998125d3dc8be3544346de8dbd5c64b240

The `errors/access_denied` page should not fail to render when no
message is provided.

When accessing something as a sessionless user, we should also display
the terms message if possible.





The `errors/access_denied` page should not fail to render when no
message is provided.

When accessing something as a sessionless user, we should also display
the terms message if possible.







Log response body to production_json.log when a controller responds with a 422 status
2018-06-06T20:16:15+00:00

Stan Hu
stanhu@gmail.com

2018-06-06T07:47:53+00:00

5d3abdf9a7c0260c708a46e2fd232b0490940f80

We have a number of import errors occurring with 422 errors, and
it's hard to determine why they are happening. This change will
surface the errors in the log lines.

Relates to #47365





We have a number of import errors occurring with 422 errors, and
it's hard to determine why they are happening. This change will
surface the errors in the log lines.

Relates to #47365







Render a 403 when showing an access denied message
2018-06-05T08:29:27+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2018-06-04T15:04:04+00:00

491e1fc905ef52dcc2e7df7deabd3c1f6e42aa52

When we want to show an access denied message to a user, we don't have
to hide the resource's existence.

So in that case we render a 403, this 403 is not handled by nginx on
omnibus installs, making sure the message is visible to the user.





When we want to show an access denied message to a user, we don't have
to hide the resource's existence.

So in that case we render a 403, this 403 is not handled by nginx on
omnibus installs, making sure the message is visible to the user.







Export assigned issues in iCalendar feed
2018-05-31T14:01:04+00:00

Imre Farkas
ifarkas@gitlab.com

2018-05-31T14:01:04+00:00

20dfe25c151cc883ce0d38b67125b5ca41e6d422












Enforces terms in the web application
2018-05-04T11:54:43+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2018-04-27T14:50:33+00:00

7684217d6806408cd338260119364419260d1720

This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.





This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.







Allow password authentication to be disabled entirely
2017-11-23T13:16:14+00:00

Markus Koller
markus-koller@gmx.ch

2017-11-23T13:16:14+00:00

257fd5713485a05460a9170190100643199a7e48












Impersonation no longer gets stuck on password change.
2017-11-20T17:02:41+00:00

Tiago Botelho
tiagonbotelho@hotmail.com

2017-09-13T11:18:15+00:00

053a1988467acecfdc941f13f183d28fb0a11f1c