Commit graph

21 commits

Author SHA1 Message Date
Robert Speicher
fec9fb05a5 Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'
Restrict Todo API mark_as_done endpoint to the user's todos only
2018-02-09 12:16:25 -06:00
Robert Schilling
6a2ee0968e API: Use defined project requirements 2017-08-31 14:57:47 +02:00
Toon Claes
a723cba574 Avoid plucking Todo ids and use sub-queries instead
TodoService should not call `.select(&:id)` on todos, because this is
bad performance. So instead use sub-queries, which will result in a
single SQL query to the database.

https://docs.gitlab.com/ee/development/sql.html#plucking-ids
2017-08-03 16:31:05 +02:00
Stan Hu
303504df47 Revert "Merge branch 'tc-no-todo-service-select' into 'master'"
This reverts merge request !10845
2017-04-29 12:29:59 +00:00
Toon Claes
a204d14c67 Avoid plucking Todo ids and use sub-queries instead
TodoService should not call `.select(&:id)` on todos, because this is
bad performance. So instead use sub-queries, which will result in a
single SQL query to the database.

https://docs.gitlab.com/ee/development/sql.html#plucking-ids
2017-04-27 09:57:09 +02:00
Rémy Coutable
63360adeae
Add requirements: { id: %r{[^/]+} } for all projects and groups namespaced API routes
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-03-16 18:00:24 +01:00
Timothy Andrew
9ccd8b8755
Migrate the Todos API to use issuable_iid
- Instead of `issuable_id`
2017-03-07 13:55:59 +05:30
Douwe Maan
b7d8df503c Enable Style/MutableConstant 2017-02-23 09:31:56 -06:00
Robert Schilling
1ef911f0e0 API: Use POST requests to mark todos as done 2017-02-21 12:01:15 +01:00
Robert Speicher
3a5df1d8fc Merge branch 'fix-api-mr-permissions' into 'security'
Ensure that only privileged users can access merge requests in the API

See merge request !2053
2017-01-23 13:54:35 -05:00
Robert Schilling
74c8669b0a Use the pagination helper in the API 2016-12-04 18:11:19 +01:00
Robert Schilling
b927473c45 Grapify todos API 2016-10-14 09:22:50 +02:00
Paco Guzman
f8b53ba20b Recover usage of Todos counter cache
We’re keeping the counter data up to date but we’re not using it.
The only thing which is not real if is the number of projects that the 
user read changes the number of todos can be stale for some time.

The counters will be synced just after the user receives a new todo or marks any as done
2016-08-12 18:21:36 +02:00
Paco Guzman
1f2253545b Use cache for todos counter calling TodoService 2016-08-12 17:40:03 +02:00
Robert Schilling
baa9ce8480 Return the number of marked todos 2016-07-19 13:09:57 +02:00
Robert Schilling
87ac9c9850 Support creating a todo on issuables via API 2016-07-01 14:52:04 +02:00
Robert Schilling
3942621329 Expose target, filter by state as string 2016-07-01 14:52:04 +02:00
Robert Schilling
fd9cd5ae8c Add todos API documentation and changelog 2016-07-01 14:51:59 +02:00
Robert Schilling
40c685c510 pass paginated array when deleting notes 2016-07-01 10:49:34 +02:00
Robert Schilling
39e6f504fc Move to helper, no instance variables 2016-07-01 10:49:34 +02:00
Douglas Barbosa Alexandre
a1f224d3f7 Add Todos API 2016-07-01 10:49:34 +02:00