delta/gitlab/gitlab-ce.git/spec/controllers, branch parallel-diff

Merge branch 'issue_15044' into 'master'

2016-04-13T09:10:57+00:00


Allow to close invalid merge request

fixes #15044

See merge request !3664

Add changelog entry, improve specs and model code

2016-04-12T18:52:03+00:00

Fix specs for Projects::NotificationSettingsController

2016-04-12T15:57:39+00:00

Improve specs for group/project notification controller

2016-04-12T15:10:59+00:00

Requires user to be signed in when changing notification settings

2016-04-11T23:50:26+00:00

Allow to close invalid merge request

2016-04-11T22:00:59+00:00

Merge branch 'issue_14012' into 'master'

2016-04-07T15:19:56+00:00


Fix problem when creating milestones in groups without projects

Fixes #14012 

See merge request !3481

Implement review suggestions

2016-04-07T13:59:24+00:00

Merge branch 'fix/2fa-authentication-spoofing' into 'master'

2016-04-07T11:56:44+00:00


Fix 2FA authentication spoofing

## Summary

This is security fix for vulnerability described at 
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

## Fix

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

Current 2FA code is a bit tricky, so it probably needs some refactoring.



See merge request !1947

Make sessions controller specs more explicit

2016-04-07T11:16:48+00:00