1. 18 May, 2018 1 commit
  2. 09 Jan, 2018 1 commit
  3. 17 Nov, 2017 4 commits
  4. 02 Nov, 2017 3 commits
  5. 12 Oct, 2017 1 commit
  6. 05 Oct, 2017 1 commit
  7. 29 Sep, 2017 1 commit
  8. 28 Sep, 2017 1 commit
  9. 09 Aug, 2017 1 commit
  10. 27 Jul, 2017 1 commit
  11. 28 Jun, 2017 2 commits
  12. 14 Jun, 2017 1 commit
  13. 01 May, 2017 1 commit
  14. 26 Apr, 2017 1 commit
    • Timothy Andrew's avatar
      Allow admins to sudo to blocked users. · 4dfdef2d
      Timothy Andrew authored
      - Currently, (for example) admins can't delete snippets for blocked users, which
        is an unexpected limitation.
      
      - We modify `authenticate!` to conduct the `access_api` policy check against the
        `initial_current_user`, instead of the user being impersonated.
      
      - Update CHANGELOG for !10842
      4dfdef2d
  15. 21 Apr, 2017 1 commit
  16. 09 Mar, 2017 1 commit
    • jneen's avatar
      fix a brittle stub · a5c05544
      jneen authored
      true is neither nil nor a user and doesn't make sense as the return
      value of `current_user`
      a5c05544
  17. 19 Jan, 2017 1 commit
  18. 23 Dec, 2016 1 commit
  19. 16 Dec, 2016 2 commits
    • Timothy Andrew's avatar
      Modify `ApiHelpers` spec to adhere to the Four-Phase test style. · fc7a5a38
      Timothy Andrew authored
      - Use whitespace to separate the setup, expectation and teardown phases.
      fc7a5a38
    • Timothy Andrew's avatar
      Calls to the API are checked for scope. · 7fa06ed5
      Timothy Andrew authored
      - Move the `Oauth2::AccessTokenValidationService` class to
        `AccessTokenValidationService`, since it is now being used for
        personal access token validation as well.
      
      - Each API endpoint declares the scopes it accepts (if any). Currently,
        the top level API module declares the `api` scope, and the `Users` API
        module declares the `read_user` scope (for GET requests).
      
      - Move the `find_user_by_private_token` from the API `Helpers` module to
        the `APIGuard` module, to avoid littering `Helpers` with more
        auth-related methods to support `find_user_by_private_token`
      7fa06ed5
  20. 13 Dec, 2016 1 commit
  21. 12 Dec, 2016 1 commit
  22. 07 Dec, 2016 1 commit
  23. 01 Dec, 2016 1 commit
  24. 01 Nov, 2016 1 commit
  25. 27 Oct, 2016 1 commit
  26. 23 Sep, 2016 1 commit
  27. 19 Sep, 2016 1 commit
    • Nick Thomas's avatar
      Enable Warden for the Grape API · 10c07226
      Nick Thomas authored
      The practical effect of this commit is to make the API check the Rails session
      cookie for authentication details. If the cookie is present and valid, it will
      be used to authenticate.
      
      The API now has several authentication options for users. They follow in this
      order of precedence:
      
      * Authentication token
      * Personal access token
      * OAuth2 Bearer token (Doorkeeper - application access)
      * Rails session cookie
      10c07226
  28. 24 Aug, 2016 1 commit
  29. 09 Aug, 2016 1 commit
  30. 19 Jul, 2016 1 commit
  31. 18 Jul, 2016 1 commit
  32. 13 Jul, 2016 2 commits
    • Robert Speicher's avatar
      Revert "Merge branch '18193-developers-can-merge' into 'master' · 530f5158
      Robert Speicher authored
      This reverts commit 9ca633eb, reversing
      changes made to fb229bbf.
      530f5158
    • Timothy Andrew's avatar
      Refactor `Gitlab::GitAccess` · 60245bbe
      Timothy Andrew authored
      1. Don't use case statements for dispatch anymore. This leads to a lot
         of duplication, and makes the logic harder to follow.
      
      2. Remove duplicated logic.
      
          - For example, the `can_push_to_branch?` exists, but we also have a
            different way of checking the same condition within `change_access_check`.
      
          - This kind of duplication is removed, and the `can_push_to_branch?`
            method is used in both places.
      
      3. Move checks returning true/false to `UserAccess`.
      
          - All public methods in `GitAccess` now return an instance of
            `GitAccessStatus`. Previously, some methods would return
            true/false as well, which was confusing.
      
          - It makes sense for these kinds of checks to be at the level of a
            user, so the `UserAccess` class was repurposed for this. The prior
            `UserAccess.allowed?` classmethod is converted into an instance
            method.
      
          - All external uses of these checks have been migrated to use the
            `UserAccess` class
      
      4. Move the "change_access_check" into a separate class.
      
          - Create the `GitAccess::ChangeAccessCheck` class to run these
            checks, which are quite substantial.
      
          - `ChangeAccessCheck` returns an instance of `GitAccessStatus` as
            well.
      
      5. Break out the boolean logic in `ChangeAccessCheck` into `if/else`
         chains - this seems more readable.
      
      6. I can understand that this might look like overkill for !4892, but I
         think this is a good opportunity to clean it up.
      
          - http://martinfowler.com/bliki/OpportunisticRefactoring.html
      60245bbe