Commit graph

13 commits

Author SHA1 Message Date
GitLab Bot
b7dfe2ae40 Add latest changes from gitlab-org/gitlab@master 2019-09-13 13:26:31 +00:00
Alex Kalderimis
d30a90a354 Prevent unauthorised comments on merge requests
* Prevent creating notes on inaccessible MRs

This applies the notes rules at the MR scope. Rather than adding extra
rules to the Project level policy, preventing :create_note here is
better since it only prevents creating notes on MRs.

* Prevent creating notes in inaccessible Issues

without this policy, non-team-members are allowed to comment on issues
even when the project has the private-issues policy set. This means that
without this change, users are allowed to comment on issues that they
cannot read.

* Add CHANGELOG entry
2019-08-07 03:04:33 +01:00
Heinrich Lee Yu
35b8f103a8
Prevent comments by email when issue is locked
This changes the permission check so it uses the policy on Noteable
instead of Project. This prevents bypassing of rules defined in
Noteable for locked discussions and confidential issues.

Also rechecks permissions when reply_to_discussion_id is provided since the
discussion_id may be from a different noteable.
2019-01-31 16:52:48 +01:00
Jarka Kadlecová
d729ea19da Restrict reopening locked issues for issue authors 2018-09-04 12:25:18 +02:00
gfyoung
d5bf57a6af Enable frozen string in presenters and policies
Enable frozen string in:

* app/presenters
* app/policies

Partially addresses #47424.
2018-07-24 13:18:25 -07:00
Sean McGivern
e7b1d201dd Fix N+1 in MergeRequestParser
read_project can be prevented by a very expensive condition, which we want to
avoid, while still not writing manual SQL queries. read_project_for_iids is used
by read_issue_iid and read_merge_request_iid to satisfy both of those
constraints, and allow the declarative policy runner to use its normal caching
strategy.
2018-04-05 13:59:05 +01:00
Bob Van Landuyt
148816cd67 Port read_cross_project ability from EE 2018-02-22 17:11:36 +01:00
http://jneen.net/
37c401433b convert all the policies to DeclarativePolicy 2017-06-27 12:44:37 -07:00
Douwe Maan
bf061d0aff
Merge branch 'issue_23548_dev' into 'master'
disable markdown in comments when referencing disabled features

fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548

This MR prevents the following references when tool is disabled:

- issues
- snippets
- commits - when repo is disabled
- commit range - when repo is disabled
- milestones

This MR does not prevent references to repository files, since they are just markdown links and don't leak
information.

See merge request !2011

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-11-09 12:25:17 +01:00
Yorick Peterse
509910b89f
Process commits in a separate worker
This moves the code used for processing commits from GitPushService to
its own Sidekiq worker: ProcessCommitWorker.

Using a Sidekiq worker allows us to process multiple commits in
parallel. This in turn will lead to issues being closed faster and cross
references being created faster. Furthermore by isolating this code into
a separate class it's easier to test and maintain the code.

The new worker also ensures it can efficiently check which issues can be
closed, without having to run numerous SQL queries for every issue.
2016-11-07 13:11:44 +01:00
Yorick Peterse
f694f94c49
Added IssueCollection
This class can be used to reduce a list of issues down to a subset based
on user permissions. This class operates in such a way that it can
reduce issues using as few queries as possible, if any at all.
2016-11-07 12:49:24 +01:00
http://jneen.net/
b105dc791d newline before default return 2016-08-30 15:55:37 -07:00
http://jneen.net/
4d904bf352 port issues to Issu{able,e}Policy 2016-08-30 11:39:22 -07:00