1. 19 Dec, 2018 1 commit
  2. 19 Sep, 2018 1 commit
    • Enable frozen string in app/controllers/**/*.rb · 73322a0e
      gfyoung authored
      Enables frozen string for the following:
      
      * app/controllers/*.rb
      * app/controllers/admin/**/*.rb
      * app/controllers/boards/**/*.rb
      * app/controllers/ci/**/*.rb
      * app/controllers/concerns/**/*.rb
      
      Partially addresses #47424.
  3. 11 Sep, 2018 1 commit
  4. 06 Jul, 2018 1 commit
    • Preload ancestors after pagination when filtering · de35c044
      Bob Van Landuyt authored
      We need to preload the ancestors of search results after applying
      pagination limits. This way the search results themselves are paginated,
      but not the ancestors.
      
      If we don't do this, we might not preload a parent group of a search
      result as it has been cut off by pagination.
  5. 04 Apr, 2018 1 commit
  6. 22 Jan, 2018 1 commit
  7. 11 Jan, 2018 1 commit
  8. 22 Nov, 2017 1 commit
  9. 17 Nov, 2017 1 commit
  10. 12 Oct, 2017 1 commit
  11. 11 Oct, 2017 1 commit
  12. 09 Oct, 2017 1 commit
  13. 05 Oct, 2017 2 commits
  14. 04 Oct, 2017 6 commits
  15. 07 Sep, 2017 1 commit
  16. 08 Jun, 2017 1 commit
  17. 04 May, 2017 1 commit
  18. 01 Mar, 2017 1 commit
  19. 08 Feb, 2017 1 commit
  20. 24 Jun, 2016 1 commit
    • Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable authored
      The issue was with the `User#groups` and `User#projects` associations
      which go through the `User#group_members` and `User#project_members`.
      
      Initially I chose to use a secure approach by storing the requester's
      user ID in `Member#created_by_id` instead of `Member#user_id` because I
      was aware that there was a security risk since I didn't know the
      codebase well enough.
      
      Then during the review, we decided to change that and directly store the
      requester's user ID into `Member#user_id` (for the sake of simplifying
      the code I believe), meaning that every `group_members` / `project_members`
      association would include the requesters by default...
      
      My bad for not checking that all the `group_members` / `project_members`
      associations and the ones that go through them (e.g. `Group#users` and
      `Project#users`) were made safe with the `where(requested_at: nil)` /
      `where(members: { requested_at: nil })` scopes.
      
      Now they are all secure.
      Signed-off-by: Rémy Coutable <remy@rymai.me>
  21. 19 Mar, 2016 1 commit
  22. 30 Apr, 2015 1 commit
  23. 15 Mar, 2015 1 commit
  24. 12 Mar, 2015 1 commit
  25. 09 Mar, 2015 1 commit
  26. 14 Sep, 2014 1 commit
  27. 12 Feb, 2014 1 commit
  28. 19 Jan, 2014 1 commit
  29. 26 Sep, 2013 1 commit
  30. 06 Aug, 2013 1 commit
  31. 12 Jul, 2013 2 commits