- Dec 20, 2017
-
-
Stan Hu authored
-
- Nov 01, 2016
-
-
Stan Hu authored
-
Stan Hu authored
-
Robert Speicher authored
-
Robert Speicher authored
-
Robert Speicher authored
-
-
- Sep 29, 2016
-
-
Rémy Coutable authored
-
Rémy Coutable authored
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Ruben Alexis authored
Conflicts: VERSION
-
Ruben Alexis authored
Conflicts: .gitlab-ci.yml
- Sep 28, 2016
-
-
Rémy Coutable authored
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Escape HTML nodes in builds commands in ci linter

This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.

Closes #22541
See merge request !2001
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
API: disable rails session auth for non-GET/HEAD requests

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435
See merge request !1999
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Set a restrictive CORS policy for the API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450
See merge request !1998
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Enforce the fork_project permission in Projects::CreateService

Projects::ForkService delegates to this service almost entirely, but needed one small change so it would propagate create errors correctly.

CreateService#execute needs significant refactoring; it is now right at the complexity limit set by Rubocop. I avoided doing so in this commit to keep the diff as small as possible.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18028
See merge request !1996
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- Sep 19, 2016
-
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Allow the Rails cookie to be used for API authentication

Makes the Rails cookie into a valid authentication token for the Grape API, and uses it instead of token authentication in frontend code that uses the API.

Rendering the private token into client-side javascript is a security risk; it may be stolen through XSS or other attacks. In general, re-using API code in the frontend is more desirable than implementing endless actions that return JSON.

Closes #18302
See merge request !1995
Signed-off-by: Rémy Coutable <remy@rymai.me>
- Sep 14, 2016
-
-
Rémy Coutable authored
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Exclude some pending or inactivated rows in Member scopes

An unapproved request or not-yet-accepted invite should not give access rights. Neither should a blocked user be considered a member of anything.

One visible outcome of this behaviour is that owners and masters of a group or project may be blocked, yet still receive notification emails for access requests.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21650
See merge request !1994
Signed-off-by: Rémy Coutable <remy@rymai.me>
- Aug 19, 2016
-
-
Robert Speicher authored
-
Robert Speicher authored
[ci skip]
-
Update doorkeeper to 4.2.0

Changelog: https://git.io/v6PnV
See merge request !5881
(cherry picked from commit c5aa31c8)
- Aug 16, 2016
-