1. 01 Nov, 2016 1 commit
    • Yar's avatar
      Allow to search for user by secondary email address in the admin interface · f8530580
      Yar authored
      It is not possible to search for a user by his secondary email address in
      the Users search bar in the admin interface(/admin/users). A use-case could
       be that an admin wants to remove a specific secondary email address of an
      user, because it interferes with another user. Issue #23761
      
      This commit adds ability to search not only by main email, but also
      by any secondary email in the admin interface.
      f8530580
  2. 24 Oct, 2016 1 commit
  3. 05 Oct, 2016 1 commit
    • Yorick Peterse's avatar
      Refactor Gitlab::Identifier · 16ed9b61
      Yorick Peterse authored
      This refactors Gitlab::Identifier so it uses fewer queries and is
      actually tested. Queries are reduced by caching the output as well as
      using 1 query (instead of 2) to find a user using an SSH key.
      16ed9b61
  4. 01 Sep, 2016 1 commit
  5. 24 Aug, 2016 1 commit
  6. 17 Aug, 2016 1 commit
  7. 12 Aug, 2016 1 commit
  8. 09 Aug, 2016 1 commit
  9. 04 Aug, 2016 1 commit
  10. 02 Aug, 2016 1 commit
  11. 19 Jul, 2016 1 commit
  12. 18 Jul, 2016 4 commits
  13. 15 Jul, 2016 1 commit
  14. 12 Jul, 2016 1 commit
  15. 07 Jul, 2016 1 commit
    • Dravere's avatar
      Added setting to set new users by default as external · a0a9494e
      Dravere authored
      As requested by the issue #14508 this adds an option in the application
      settings to set newly registered users by default as external. The
      default setting is set to false to stay backward compatible.
      a0a9494e
  16. 24 Jun, 2016 1 commit
    • Rémy Coutable's avatar
      Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable authored
      The issue was with the `User#groups` and `User#projects` associations
      which goes through the `User#group_members` and `User#project_members`.
      
      Initially I chose to use a secure approach by storing the requester's
      user ID in `Member#created_by_id` instead of `Member#user_id` because I
      was aware that there was a security risk since I didn't know the
      codebase well enough.
      
      Then during the review, we decided to change that and directly store the
      requester's user ID into `Member#user_id` (for the sake of simplifying
      the code I believe), meaning that every `group_members` / `project_members`
      association would include the requesters by default...
      
      My bad for not checking that all the `group_members` / `project_members`
      associations and the ones that go through them (e.g. `Group#users` and
      `Project#users`) were made safe with the `where(requested_at: nil)` /
      `where(members: { requested_at: nil })` scopes.
      
      Now they are all secure.
      Signed-off-by: Rémy Coutable's avatarRémy Coutable <remy@rymai.me>
      aec3475d
  17. 07 Jun, 2016 8 commits
  18. 06 Jun, 2016 1 commit
    • Timothy Andrew's avatar
      Add a `U2fRegistrations` table/model. · 791cc913
      Timothy Andrew authored
      - To hold registrations from U2F devices, and to authenticate them.
      - Previously, `User#two_factor_enabled` was aliased to the
        `otp_required_for_login` column on `users`.
      - This commit changes things a bit:
          - `User#two_factor_enabled` is not a method anymore
          - `User#two_factor_enabled?` checks both the
            `otp_required_for_login` column, as well as `U2fRegistration`s
          - Change all instances of `User#two_factor_enabled` to
            `User#two_factor_enabled?`
      - Add the `u2f` gem, and implement registration/authentication at the
        model level.
      791cc913
  19. 03 Jun, 2016 2 commits
  20. 28 May, 2016 1 commit
  21. 16 May, 2016 1 commit
  22. 11 May, 2016 1 commit
  23. 10 May, 2016 2 commits
    • Sean McGivern's avatar
      Restrict starred projects to viewable ones · 97424ea5
      Sean McGivern authored
      `User#starred_projects` doesn't perform any visibility checks. This has
      a couple of problems:
      
      1. It assumes a user can always view all of their starred projects in
         perpetuity (project not changed to private, access revoked, etc.).
      2. It assumes that we'll only ever allow a user to star a project they
         can view. This is currently the case, but bugs happen.
      
      Add `User#viewable_starred_projects` to filter the starred projects by
      those the user either has explicit access to, or are public or
      internal. Then use that in all places where we list the user's starred
      projects.
      97424ea5
    • Zeger-Jan van de Weg's avatar
      dccf8a9f
  24. 09 May, 2016 1 commit
  25. 31 Mar, 2016 1 commit
  26. 15 Mar, 2016 1 commit
  27. 13 Mar, 2016 2 commits