1. 21 Jul, 2017 1 commit
  2. 28 Jun, 2017 1 commit
    • Initial attempt at refactoring API scope declarations. · 6f192250
      Timothy Andrew authored
      - Declaring an endpoint's scopes in a `before` block has proved to be
        unreliable. For example, if we're accessing the `API::Users` endpoint - code
        in a `before` block in `API::API` wouldn't be able to see the scopes set in
        `API::Users` since the `API::API` `before` block runs first.
      
      - This commit moves these declarations to the class level, since they don't need
        to change once set.
  3. 08 Jun, 2017 3 commits
    • Merge branch 'dz-api-x-frame' into 'security-9-2' · e1d1a524
      DJ Mountney authored
      Restrict API X-Frame-Options to same origin
      
      See merge request !2103
    • Bring in security changes from the 9.2.5 release · 565ead61
      DJ Mountney authored
      Ran:
       - git format-patch v9.2.2..v9.2.5 --stdout > patchfile.patch
       - git checkout -b 9-2-5-security-patch origin/v9.2.2
       - git apply patchfile.patch
       - git commit
       - [Got the sha ref for the commit]
       - git checkout -b upstream-9-2-security master
       - git cherry-pick <SHA of the patchfile commit>
       - [Resolved conflicts]
       - git cherry-pick --continue
    • Bring in security changes from the 9.2.5 release · 1d1363e2
      DJ Mountney authored
      Ran:
       - git format-patch v9.2.2..v9.2.5 --stdout > patchfile.patch
       - git checkout -b 9-2-5-security-patch origin/v9.2.2
       - git apply patchfile.patch
       - git commit
       - [Got the sha ref for the commit]
       - git checkout -b upstream-9-2-security master
       - git cherry-pick <SHA of the patchfile commit>
       - [Resolved conflicts]
       - git cherry-pick --continue
  4. 06 Jun, 2017 1 commit
    • Introduce an Events API · ad3e180e
      Mark Fletcher authored
      * Meld the following disparate endpoints:
       * `/projects/:id/events`
       * `/events`
       * `/users/:id/events`
      + Add result filtering to the above endpoints:
       * action
       * target_type
       * before and after dates
  5. 31 May, 2017 1 commit
  6. 30 May, 2017 1 commit
  7. 25 May, 2017 1 commit
  8. 04 May, 2017 2 commits
  9. 22 Mar, 2017 1 commit
  10. 07 Mar, 2017 1 commit
  11. 06 Mar, 2017 4 commits
  12. 03 Mar, 2017 1 commit
  13. 02 Mar, 2017 3 commits
  14. 28 Feb, 2017 2 commits
  15. 24 Feb, 2017 1 commit
  16. 22 Feb, 2017 2 commits
  17. 21 Feb, 2017 3 commits
  18. 17 Feb, 2017 1 commit
  19. 16 Feb, 2017 2 commits
  20. 13 Feb, 2017 1 commit
  21. 10 Feb, 2017 1 commit
  22. 07 Feb, 2017 2 commits
  23. 06 Feb, 2017 1 commit
  24. 30 Jan, 2017 1 commit
  25. 09 Jan, 2017 1 commit
  26. 16 Dec, 2016 1 commit
    • Calls to the API are checked for scope. · 7fa06ed5
      Timothy Andrew authored
      - Move the `Oauth2::AccessTokenValidationService` class to
        `AccessTokenValidationService`, since it is now being used for
        personal access token validation as well.
      
      - Each API endpoint declares the scopes it accepts (if any). Currently,
        the top level API module declares the `api` scope, and the `Users` API
        module declares the `read_user` scope (for GET requests).
      
      - Move the `find_user_by_private_token` from the API `Helpers` module to
        the `APIGuard` module, to avoid littering `Helpers` with more
        auth-related methods to support `find_user_by_private_token`