summaryrefslogtreecommitdiff
path: root/lib/api
Commit message (Collapse)AuthorAgeFilesLines
* Respond with full GitAccess error if user has project read access.api-internal-errorsDouwe Maan2015-03-241-1/+1
|
* Refactor GitAccess to use instance variables.Douwe Maan2015-03-242-20/+19
|
* Merge branch 'fix-restricted-visibility' into 'master'Dmitriy Zaporozhets2015-03-163-15/+19
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Restricted visibility levels - bug fix and new feature This allows admin users to override restricted visibility settings when creating and updating projects and snippets, and moves the restricted visibility configuration from gitlab.yml to the web UI. See #1903. ## Move configuration location I added a new section to the application settings page for restricted visibility levels. Each level has a checkbox, styled with Bootstrap to look like a toggle button. A checked box means that the level is restricted. I added a glowing text shadow and changed the background color for checked buttons because the default styles made it hard to distinguish between checked and unchecked. This image shows the new section with the "Public" box checked: ![restricted_visibility_settings](https://dev.gitlab.org/Okada/gitlabhq/uploads/629562e4313f89b795e81c3bb0f95893/restricted_visibility_settings.png) ## Allow admins to override To allow admin users to override the restricted visibility levels, I had to remove the `visibility_level` validation from the `Project` class. The model doesn't know about the `current_user`, which should determine whether the restrictions can be overridden. We could use the creator in the validation, but that wouldn't work correctly for projects where a non-admin user is the creator and an admin tries to change the project to a restricted visibility level. The `Project::UpdateService` and `Project::CreateService` classes already had code to determine whether the current user is allowed to use a given visibility level; now all visibility level validation is done in those classes. Currently, when a non-admin tries to create or update a project using a restricted level, these classes silently set the visibility level to the global default (create) or the project's existing value (update). I changed this behavior to be more like an Active Model validation, where using a restricted level causes the entire request to be rejected. Project and personal snippets didn't have service classes, and restricted visibility levels weren't being enforced in the model or the controllers. The UI disabled radio buttons for restricted levels, but that wouldn't be difficult to circumvent. I created the `CreateSnippetService` and `UpdateSnippetService` classes to do the same restricted visibility check that the project classes do. And since I was dealing with snippet visibility levels, I updated the API endpoints for project snippets to allow users to set and update the visibility level. ## TODO * [x] Add more tests for restricted visibility functionality cc @sytse @dzaporozhets See merge request !1655
| * Merge branch 'master' into fix-restricted-visibilityVinnie Okada2015-03-141-1/+4
| |\ | | | | | | | | | | | | Conflicts: db/schema.rb
| * | More restricted visibility changesVinnie Okada2015-03-101-4/+4
| | | | | | | | | | | | Bug fixes and new tests for the restricted visibility changes.
| * | Enforce restricted visibilities for snippetsVinnie Okada2015-03-081-9/+13
| | | | | | | | | | | | | | | | | | Add new service classes to create and update project and personal snippets. These classes are responsible for enforcing restricted visibility settings for non-admin users.
| * | Allow admins to override restricted visibilityVinnie Okada2015-03-082-4/+4
| | | | | | | | | | | | | | | Allow admins to use restricted visibility levels when creating or updating projects.
* | | Use `project_member` instead of `team_member`.Douwe Maan2015-03-151-14/+14
| | |
* | | Use `group_member` instead of `users_group` or `membership`.Douwe Maan2015-03-151-5/+5
| |/ |/|
* | use constant-time string compare for internal api authenticationJörg Thalheim2015-03-061-1/+4
|/ | | | | | | Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacks because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.
* Merge branch 'project-existence-leak' into 'master'Dmitriy Zaporozhets2015-03-031-17/+22
|\ | | | | | | | | | | | | | | | | | | Don't leak information about private project existence via Git-over-SSH/HTTP. Fixes #2040 and https://gitlab.com/gitlab-org/gitlab-ce/issues/343. Both `Grack::Auth` (used by Git-over-HTTP) and `Api::Internal /allowed` (used by gitlab-shell/Git-over-SSH) now return a generic "Not Found" error when the project exists but the user doesn't have access to it. See merge request !1578
| * Don't leak information about private project existence via Git-over-SSH/HTTP.Douwe Maan2015-03-021-17/+22
| |
* | Enable ParenthesesAsGroupedExpression ruleDmitriy Zaporozhets2015-03-021-1/+1
| |
* | Merge pull request #8890 from sue445/feature/project_api_avatar_urlJeroen van Baarsen2015-03-011-0/+1
|\ \ | |/ |/| Expose avatar_url in projects API
| * Expose avatar_url in projects APIsue4452015-03-011-0/+1
| | | | | | | | | | | | * Impl Project#avatar_url * Refactor ApplicationHelper: Use Project#avatar_url * Update changelog
* | Merge branch 'master' into mmonaco/gitlab-ce-api-user-noconfirmDmitriy Zaporozhets2015-02-2721-151/+614
|\ \ | |/ | | | | | | Conflicts: lib/api/users.rb
| * Improve error messages when file editing failsVinnie Okada2015-02-221-1/+2
| | | | | | | | | | Give more specific errors in API responses and web UI flash messages when a file update fails.
| * Improve broadcast message APIDmitriy Zaporozhets2015-02-182-2/+4
| |
| * Dont send 404 if no broadcast messages now because it flood gitlab-shell ↵Dmitriy Zaporozhets2015-02-181-2/+0
| | | | | | | | logs with 404 errors :(
| * Remove Group#owner_id from API since it is not used any moreDmitriy Zaporozhets2015-02-172-2/+2
| |
| * Edit group members via APIVinnie Okada2015-02-113-10/+31
| | | | | | | | | | Add an API endpoint to update the access level of an existing group member.
| * Add internal broadcast message API.Douwe Maan2015-02-072-0/+12
| |
| * Refactor and improve sorting objects in API for projects, issues and merge ↵Dmitriy Zaporozhets2015-02-054-58/+72
| | | | | | | | requests
| * Explicitly define ordering in models using default_scopeDmitriy Zaporozhets2015-02-051-2/+0
| |
| * Merge pull request #8712 from jvanbaarsen/add-merge-request-files-endpointDmitriy Zaporozhets2015-02-042-5/+27
| |\ | | | | | | Added a way to retrieve MR files
| | * Added a way to retrieve MR filesJeroen van Baarsen2015-02-042-5/+27
| | | | | | | | | | | | Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com>
| * | Merge pull request #8723 from jubianchi/api-groups-pathDmitriy Zaporozhets2015-02-033-34/+23
| |\ \ | | | | | | | | Access groups using path
| | * | Acces groups with their path in APIjubianchi2015-02-033-34/+23
| | | |
| * | | Rubocop: Style/CaseIndentation enabledDmitriy Zaporozhets2015-02-021-5/+2
| | | |
| * | | Avoid using {...} for multi-line blocksDmitriy Zaporozhets2015-02-024-9/+7
| | | |
| * | | Rubocop enabled for: Use spaces inside hash literal bracesDmitriy Zaporozhets2015-02-024-5/+5
| |/ /
| * | Convert hashes to ruby 1.9 styleDmitriy Zaporozhets2015-02-022-3/+3
| |/
| * Merge pull request #8609 from ↵Dmitriy Zaporozhets2015-01-271-8/+29
| |\ | | | | | | | | | | | | jubianchi/issues/6289-api-handle-error-project-repo Handle errors on API when a project does not have a repository
| | * Handle errors on API when a project does not have a repository (Closes #6289)jubianchi2015-01-191-8/+29
| | |
| * | Merge branch 'feature_api_project_edit' into 'master'Dmitriy Zaporozhets2015-01-221-0/+43
| |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | API: Implement edit via API for projects I've picked up https://github.com/gitlabhq/gitlabhq/pull/8055 fixed the few hound warnings and replaced all double quotes in the spec file where possible. # From the original PR: Implements edit via API for projects. Edit was part of missing features in feature request Full CRUD operations via API for projects. http://feedback.gitlab.com/forums/176466-general/suggestions/3904506-full-crud-operations-via-api-for-projects Feature is implemented using existing UpdateService for projects. Permission to change visibility level and name are checked in addition to check for permission to administer project. Doesn't allow updating project namespace id, because there was existing API-method for transferring project to a group. Documentation added to doc/api/projects.md. Uses API request PUT /projects/:id . Tests included for: 1. Success for changing path 2. Success for changing name 3. Success for changing visibility level 4. Success for changing all other attributes 5. Success for changing name & path to existing name & path but in different namespace 6. Failure if not authenticated 7. Failure if path exists in project's namespace 8. Failure if name exists in project's namespace 9. Failure if not sufficient permission to change name 10. Failure if not sufficient permission to change visibility level 11. Failure if not sufficient permission to change other attributes Allows updating following parameters: * name * path * visibility_level * public * default_branch * issues_enabled * wiki_enabled * snippets_enabled * merge_requests_enabled * description See merge request !310
| | * | Implement edit via API for projectsMika Mäenpää2015-01-221-0/+43
| | | |
| * | | Fix the test and add documentation for the "per-milestone issues API call"Hannes Rosenögger2015-01-221-1/+1
| | | |
| * | | Add per-milestone issues API callJustin Whear2015-01-221-0/+15
| |/ /
| * | developer can push to protected branchesValery Sizov2015-01-201-6/+2
| |/
| * Merge pull request #8464 from dserodio/group-api-descriptionDmitriy Zaporozhets2015-01-182-2/+2
| |\ | | | | | | Add description attribute to group API (GET and POST)
| | * Add description attribute to group API (GET and POST)Daniel Serodio2015-01-162-2/+2
| | |
| * | Merge pull request #8307 from cirosantilli/project-api-comment-typoJeroen van Baarsen2015-01-181-1/+1
| |\ \ | | |/ | |/| Typo in project API events comment
| | * Typo in project API events commentCiro Santilli2014-11-141-1/+1
| | |
| * | Merge pull request #8096 from cirosantilli/regex-to-stringDmitriy Zaporozhets2015-01-151-2/+2
| |\ \ | | | | | | | | Replace regex methods by string ones since faster and more readable
| | * | Replace regex methods by string ones since fasterCiro Santilli2014-12-281-2/+2
| | | | | | | | | | | | | | | | and more readable.
| * | | Add search filter option on project api for authorized projects.Marin Jankovski2015-01-121-3/+4
| | | |
| * | | Fix failing tests due to updates on the return messages.Marin Jankovski2015-01-074-8/+8
| | | |
| * | | Add a message when unable to save an object through api.Marin Jankovski2015-01-078-15/+15
| | | |
| * | | Forward the messages in api response.Marin Jankovski2014-12-306-8/+8
| | | |
| * | | Message for api files and groups.Marin Jankovski2014-12-303-5/+5
| | | |
View Lorry Controller Status