1. 13 Jun, 2018 1 commit
  2. 23 Apr, 2018 1 commit
  3. 08 Feb, 2018 1 commit
  4. 06 Feb, 2018 1 commit
  5. 01 Feb, 2018 1 commit
    • Yorick Peterse's avatar
      Track and act upon the number of executed queries · cca61980
      Yorick Peterse authored
      This ensures that we have more visibility in the number of SQL queries
      that are executed in web requests. The current threshold is hardcoded to
      100 as we will rarely (maybe once or twice) change it.
      
      In production and development we use Sentry if enabled, in the test
      environment we raise an error. This feature is also only enabled in
      production/staging when running on GitLab.com as it's not very useful to
      other users.
      cca61980
  6. 04 Dec, 2017 1 commit
  7. 21 Nov, 2017 1 commit
  8. 02 Nov, 2017 1 commit
  9. 28 Sep, 2017 4 commits
  10. 26 Sep, 2017 1 commit
  11. 23 Sep, 2017 2 commits
  12. 16 Sep, 2017 1 commit
  13. 05 Sep, 2017 2 commits
  14. 28 Aug, 2017 3 commits
  15. 11 Aug, 2017 1 commit
  16. 20 Jul, 2017 1 commit
  17. 12 Jul, 2017 1 commit
  18. 07 Jul, 2017 2 commits
  19. 04 Jul, 2017 1 commit
  20. 30 Jun, 2017 1 commit
    • Timothy Andrew's avatar
      Implement review comments for !12445 from @godfat and @rymai. · 3c88a786
      Timothy Andrew authored
      - Use `GlobalPolicy` to authorize the users that a non-authenticated user can
        fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
        visibility level is not restricted.
      
      - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
        the `username` parameter is passed.
      
      - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
        route + method, rather than the description.
      
      - Change the type of `current_user` check in `UsersFinder` to be more
        compatible with EE.
      3c88a786
  21. 28 Jun, 2017 1 commit
    • Timothy Andrew's avatar
      Initial attempt at refactoring API scope declarations. · 6f192250
      Timothy Andrew authored
      - Declaring an endpoint's scopes in a `before` block has proved to be
        unreliable. For example, if we're accessing the `API::Users` endpoint - code
        in a `before` block in `API::API` wouldn't be able to see the scopes set in
        `API::Users` since the `API::API` `before` block runs first.
      
      - This commit moves these declarations to the class level, since they don't need
        to change once set.
      6f192250
  22. 26 Jun, 2017 1 commit
    • Timothy Andrew's avatar
      Allow unauthenticated access to the `/api/v4/users` API. · 20f679d6
      Timothy Andrew authored
      - The issue filtering frontend code needs access to this API for non-logged-in
        users + public projects. It uses the API to fetch information for a user by
        username.
      
      - We don't authenticate this API anymore, but instead - if the `current_user` is
        not present:
      
        - Verify that the `username` parameter has been passed. This disallows an
          unauthenticated user from grabbing a list of all users on the instance. The
          `UsersFinder` class performs an exact match on the `username`, so we are
          guaranteed to get 0 or 1 users.
        - Verify that the resulting user (if any) is accessible to be viewed publicly
          by calling `can?(current_user, :read_user, user)`
      20f679d6
  23. 24 Jun, 2017 1 commit
  24. 23 Jun, 2017 9 commits