Commit graph

68 commits

Author SHA1 Message Date
James Edwards-Jones
202bd2da16 Backport InternalRedirect#sanitize_redirect 2018-06-14 09:02:32 +10:00
Bob Van Landuyt
491e1fc905 Render a 403 when showing an access denied message
When we want to show an access denied message to a user, we don't have
to hide the resource's existence.

So in that case we render a 403. This 403 is not handled by nginx on
omnibus installs, making sure the message is visible to the user.
2018-06-05 10:29:27 +02:00
Stan Hu
0c43170630 Fix cross-origin errors when attempting to download JavaScript attachments
If you upload a file with a .js extension, Rails' cross-origin JavaScript
protection will prevent a user from downloading the file with a 422 error.
Setting the content-type to `text/plain` will allow the user to download
the file as a plaintext file.

Closes #45826
2018-05-13 21:49:51 -07:00
Bob Van Landuyt
39916fdfed Reuses InternalRedirect when possible
`InternalRedirect` prevents Open redirect issues by only allowing
redirection to paths on the same host.

It cleans up any unwanted strings from the path that could point to
another host (e.g. //about.gitlab.com/hello), while preserving the
query string and fragment of the URI.

It is already used by:

- `TermsController`
- `ContinueParams`
  - `ImportsController`
  - `ForksController`
- `SessionsController`: Only for verifying the host in CE. EE allows
   redirecting to a different instance using Geo.
2018-05-04 13:54:43 +02:00
Bob Van Landuyt
7684217d68 Enforces terms in the web application
This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with is the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localStorage and available on the page.
2018-05-04 13:54:43 +02:00
Bob Van Landuyt
12dd2b0cc0 Share collaboration check between view and presenter 2018-04-11 10:51:15 +02:00
Micaël Bergeron
44f37504fb Backport ee-40781-os-to-ce 2018-03-22 08:49:04 -04:00
Micaël Bergeron
fc6587f1f2 Add proxy_download to perform proxied sending of all files 2018-03-09 09:16:06 -05:00
Bob Van Landuyt
148816cd67 Port read_cross_project ability from EE 2018-02-22 17:11:36 +01:00
Sean McGivern
c2fc40668c Refactor IssuableFinder to extract model-specific logic
By extracting a new `filter_items` method, we can override that in the
IssuesFinder and MergeRequestsFinder separately, so we don't need checks that
the model is the correct one, because we can just use the class we're in to know
that.

We can do the same for the VALID_PARAMS constant, by making it a class method.
2018-02-21 10:31:29 +00:00
Hiroyuki Sato
16caf95ccb Fix "filter by my reaction" not working 2017-11-13 18:20:02 +09:00
Jarka Kadlecova
ad6e650262 Refactor issuables index actions 2017-11-07 14:34:12 +01:00
Bob Van Landuyt
0f1d6402b9 Find the LFS objects for a fork within the fork network 2017-11-03 14:59:47 +01:00
Bob Van Landuyt
524f65152f Only expand ancestors when searching
Not all_groups, since that would expose groups the user does not have
access to
2017-10-09 12:02:40 +02:00
Bob Van Landuyt
ec8a7a36c0 Make sure all ancestors are loaded when searching groups 2017-10-05 11:10:57 +02:00
Bob Van Landuyt
ea4e17e2ae Search subgroups on dashboard and explore views 2017-10-04 22:49:41 +02:00
Bob Van Landuyt
3a4dc55f29 Reuse the groups tree for explore and dashboard. 2017-10-04 22:49:41 +02:00
Yorick Peterse
42062a454a Re-use issue/MR counts for the pagination system
This changes the issue and MR index pages so the pagination system
re-uses the output of the COUNT(*) query used to calculate the number of
rows per state (opened, closed, etc). This removes the need for an
additional COUNT(*) on both pages.
2017-09-05 11:53:45 +02:00