delta/gitlab/gitlab-ce.git/spec/controllers/projects, branch patch-7 gitlab.com: gitlab-org/gitlab-ce.git Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security' 2016-12-09T00:42:07+00:00 Douwe Maan douwe@gitlab.com 2016-11-29T13:47:43+00:00 f23b1cb453deea2659c0cb9e9047c72d859bbf9d Replace MR access checks with use of MergeRequestsFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 :warning: - Potentially untested :bomb: - No test coverage :traffic_light: - Test coverage of some sort exists (a test failed when error raised) :vertical_traffic_light: - Test coverage of return value (a test failed when nil used) :white_check_mark: - Permissions check tested - [x] :bomb: app/finders/notes_finder.rb:17 - [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`] - [x] :bomb: app/controllers/concerns/creates_commit.rb:84 - [x] :traffic_light: app/controllers/projects/commits_controller.rb:24 - [x] :traffic_light: app/controllers/projects/compare_controller.rb:56 - [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29 - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27 - [x] :vertical_traffic_light: app/models/commit.rb:268 - [x] :white_check_mark: lib/gitlab/search_results.rb:71 - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)` - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`. - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?` See merge request !2033 
Replace MR access checks with use of MergeRequestsFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested

- [x] :bomb:  app/finders/notes_finder.rb:17
- [x] :warning:  app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] :bomb:  app/controllers/concerns/creates_commit.rb:84
- [x] :traffic_light:  app/controllers/projects/commits_controller.rb:24
- [x] :traffic_light:  app/controllers/projects/compare_controller.rb:56
- [x] :vertical_traffic_light:  app/controllers/projects/discussions_controller.rb:29
- [x] :white_check_mark:  app/controllers/projects/todos_controller.rb:27
- [x] :vertical_traffic_light:  app/models/commit.rb:268
- [x] :white_check_mark: lib/gitlab/search_results.rb:71

- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use  of unchecked `merged_merge_request?`

See merge request !2033
Feature: delegate all open discussions to Issue 2016-12-05T19:55:45+00:00 Bob Van Landuyt bob@vanlanduyt.co 2016-10-26T21:21:50+00:00 1123057ab792ac73b1611f4d3a9faf79369dd6da When a merge request can only be merged when all discussions are resolved. This feature allows to easily delegate those discussions to a new issue, while marking them as resolved in the merge request. The user is presented with a new issue, prepared with mentions of all unresolved discussions, including the first unresolved note of the discussion, time and link to the note. When the issue is created, the discussions in the merge request will get a system note directing the user to the newly created issue. 
When a merge request can only be merged when all discussions are
resolved. This feature allows to easily delegate those discussions to a
new issue, while marking them as resolved in the merge request.

The user is presented with a new issue, prepared with mentions of all
unresolved discussions, including the first unresolved note of the
discussion, time and link to the note.

When the issue is created, the discussions in the merge request will get
a system note directing the user to the newly created issue.
Merge branch 'master' into fix/rename-mwbs-to-merge-when-pipeline-succeeds 2016-11-30T11:21:33+00:00 Grzegorz Bizon grzesiek.bizon@gmail.com 2016-11-30T11:21:33+00:00 00ca7adca2de8ff05cca3df9eb2df8a67f638cfe * master: (110 commits) Rewrite an HTTP link to use HTTPS Edit /spec/features/profiles/preferences_spec.rb to match changes in 084d90ac Add blue back to sub nav active Remove JSX/React eslint plugins. Fix a transient spec failure Adds hoverstates for collapsed Issue/Merge Request sidebar Moved groups above projects Add StackProf to the Gemfile, along with a utility to get a profile for a spec Update Sidekiq-cron to fix compatibility issues with Sidekiq 4.2.1 Add a CHANGELOG entry Alert user when logged in user email is not the same as the invitation Expose timestamp in build entity used by serializer Rename `MergeRequest#pipeline` to `head_pipeline` Remove unnecessary database indexes CE-specific changes gitlab-org/gitlab-ee#1137 Fixing typo & Clarifying Key name fix started_at check fix blob controller spec failure - updated not to use file-path- fix blob controller spec failure Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security' ... Conflicts: app/controllers/projects/merge_requests_controller.rb lib/api/merge_requests.rb spec/requests/api/merge_requests_spec.rb 
* master: (110 commits)
  Rewrite an HTTP link to use HTTPS
  Edit /spec/features/profiles/preferences_spec.rb to match changes in 084d90ac
  Add blue back to sub nav active
  Remove JSX/React eslint plugins.
  Fix a transient spec failure
  Adds hoverstates for collapsed Issue/Merge Request sidebar
  Moved groups above projects
  Add StackProf to the Gemfile, along with a utility to get a profile for a spec
  Update Sidekiq-cron to fix compatibility issues with Sidekiq 4.2.1
  Add a CHANGELOG entry
  Alert user when logged in user email is not the same as the invitation
  Expose timestamp in build entity used by serializer
  Rename `MergeRequest#pipeline` to `head_pipeline`
  Remove unnecessary database indexes
  CE-specific changes gitlab-org/gitlab-ee#1137
  Fixing typo & Clarifying Key name
  fix started_at check
  fix blob controller spec failure - updated not to use file-path-
  fix blob controller spec failure
  Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security'
  ...

Conflicts:
	app/controllers/projects/merge_requests_controller.rb
	lib/api/merge_requests.rb
	spec/requests/api/merge_requests_spec.rb
fix blob controller spec failure - updated not to use file-path- 2016-11-29T09:40:56+00:00 James Lopez james@jameslopez.es 2016-11-29T09:40:56+00:00 280afe0a6480185f61c4f107724367bd5a170b2a 






Merge branch 'jej-fix-missing-access-check-on-issues' into 'security'
2016-11-29T00:25:46+00:00

Douwe Maan
douwe@gitlab.com

2016-11-18T13:51:52+00:00

6d37fe952b5679d7586eaa569d0488dbb92032fe

Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested

- [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
  - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
    confidential issues, issues only visible to team, etc.
- [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19

- [x] Potential double render in app/controllers/projects/todos_controller.rb

- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030





Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested

- [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
  - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
    confidential issues, issues only visible to team, etc.
- [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19

- [x] Potential double render in app/controllers/projects/todos_controller.rb

- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030







Merge branch 'jej-22869' into 'security'
2016-11-29T00:25:18+00:00

Douwe Maan
douwe@gitlab.com

2016-11-07T17:09:22+00:00

742cee756bf39d93fe5c7f207f8a54143ae6a384

Fix information disclosure in `Projects::BlobController#update`

It was possible to discover private project names by modifying `from_merge_request`parameter in `Projects::BlobController#update`. This fixes that.

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

https://gitlab.com/gitlab-org/gitlab-ce/issues/22869

See merge request !2023





Fix information disclosure in `Projects::BlobController#update`

It was possible to discover private project names by modifying `from_merge_request`parameter in `Projects::BlobController#update`. This fixes that.

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

https://gitlab.com/gitlab-org/gitlab-ce/issues/22869

See merge request !2023







Merge branch 'master' into fix/rename-mwbs-to-merge-when-pipeline-succeeds
2016-11-25T10:05:34+00:00

Grzegorz Bizon
grzesiek.bizon@gmail.com

2016-11-25T10:05:34+00:00

895d97af87c66f4763e8d1fc0ef6cae19924b18d

* master: (312 commits)
  Fix bad selection on dropdown menu for tags filter
  Fixed issue boards scrolling with a lot of lists & issues
  You can only assign default_branch when editing a project ...
  Don't convert data which already is the target type
  Stop supporting Google and Azure as backup strategies
  renames some of the specs and adds changelog entry
  Fixed dragging issue moving wrong issue after multiple drags of issue
  Fixed issue boards issue sorting when dragging issue into list
  Rephrase some system notes to be compatible with new system note style
  Add missing JIRA file that redirects to the new location
  Fix documentation to create the `pg_trm` extension before creating the DB
  Document that we always use `do...end` for `before` in RSpec
  Backport Note#commands_changes from EE
  Log mv_namespace parameters
  Add default_branch attr to Project API payload in docs.
  Fix title case to sentence case
  properly escape username validation error message flash
  Remove header ids from University docs
  Add missing documentation.
  Added test that checks the correct select box is there for the LFS ...
  ...

Conflicts:
	app/services/system_note_service.rb
	spec/features/merge_requests/merge_when_pipeline_succeeds_spec.rb
	spec/services/merge_requests/merge_when_pipeline_succeeds_service_spec.rb
	spec/services/system_note_service_spec.rb





* master: (312 commits)
  Fix bad selection on dropdown menu for tags filter
  Fixed issue boards scrolling with a lot of lists & issues
  You can only assign default_branch when editing a project ...
  Don't convert data which already is the target type
  Stop supporting Google and Azure as backup strategies
  renames some of the specs and adds changelog entry
  Fixed dragging issue moving wrong issue after multiple drags of issue
  Fixed issue boards issue sorting when dragging issue into list
  Rephrase some system notes to be compatible with new system note style
  Add missing JIRA file that redirects to the new location
  Fix documentation to create the `pg_trm` extension before creating the DB
  Document that we always use `do...end` for `before` in RSpec
  Backport Note#commands_changes from EE
  Log mv_namespace parameters
  Add default_branch attr to Project API payload in docs.
  Fix title case to sentence case
  properly escape username validation error message flash
  Remove header ids from University docs
  Add missing documentation.
  Added test that checks the correct select box is there for the LFS ...
  ...

Conflicts:
	app/services/system_note_service.rb
	spec/features/merge_requests/merge_when_pipeline_succeeds_spec.rb
	spec/services/merge_requests/merge_when_pipeline_succeeds_service_spec.rb
	spec/services/system_note_service_spec.rb







Rephrase some system notes to be compatible with new system note style
2016-11-24T10:26:29+00:00

Douwe Maan
douwe@selenight.nl

2016-11-23T06:55:23+00:00

6df22f72c6c312199c547e017ce1f947cf88e34c












Updated code based on feedback
2016-11-21T16:29:07+00:00

James Lopez
james@jameslopez.es

2016-11-21T16:29:07+00:00

a3331eee91fdd2170865c37641a88af2b47f9839












Adds a flag to reflect whether or not there is data in cycle analytics
2016-11-21T16:19:18+00:00

James Lopez
james@jameslopez.es

2016-11-21T14:39:43+00:00

dde8fba524aa071d08121818a1e2c3d635664819