Commit graph

19 commits

Author SHA1 Message Date
Tuomo Ala-Vannesluoma
c84b60b164 Make GitLab pages support access control 2018-10-05 13:41:11 +00:00
Robert Speicher
9394678858
Add ProjectFeature check for feature flag
This will allow an explicitly-disabled feature flag to override a
feature being available for a project.

As an extreme example, we could quickly disable issues across all
projects at runtime by running `Feature.disable(:issues)`.
2018-10-04 14:08:21 -05:00
Valery Sizov
15d011d64d Geo: sync disabled wikis. Stage 2
We started syncing all the wiki regardless of the fact it's disabled or
not. We couldn't do that in one stage because of needing of smoth update
and deprecating things. This is the second stage that finally removes
unused columns in the geo_node_status table.
2018-09-25 17:49:39 +03:00
gfyoung
50abbd3e53 Enable frozen string in app/models/*.rb
Partially addresses #47424.
2018-07-26 16:55:41 -07:00
Gabriel Mazetto
c084e87ad7 Added SiteStatistics as counter cache for Projects and Wikis 2018-07-24 18:44:07 +02:00
Felipe Artur
056c42cca5 Fix project feature being deleted when updating project with invalid visibility level 2017-09-12 18:10:34 -03:00
Brian Neel
9770c57fab Re-enable SqlInjection and CommandInjection 2017-08-08 10:50:54 -04:00
http://jneen.net/
37c401433b convert all the policies to DeclarativePolicy 2017-06-27 12:44:37 -07:00
Toon Claes
b90f1098cf Add User#full_private_access? to check if user has Private access
In CE only the admin has access to all private groups & projects. In EE also an
auditor can have full private access.

To overcome merge conflicts, or accidental incorrect access rights, abstract
this out in `User#full_private_access?`.

`User#admin?` now only should be used for admin-only features. For private
access-related features `User#full_private_access?` should be used.

Backported from gitlab-org/gitlab-ee!2199
2017-06-23 11:15:35 +02:00
Yorick Peterse
73bf9413b9
Refactor Project.with_feature_available_for_user
This method used to use a UNION, which would lead to it performing the
same query twice; producing less than ideal performance. Further, in
certain cases ActiveRecord could get confused and mess up the variable
bindings, though it's not clear how/why exactly this happens.

Fortunately we can work around all of this by building some of the WHERE
conditions manually, allowing us to use a simple OR statement to get all
the data we want without any of the above problems.
2017-06-16 13:49:09 +02:00
Douwe Maan
b7d8df503c Enable Style/MutableConstant 2017-02-23 09:31:56 -06:00
Z.J. van de Weg
9d8ca60d22 issue and mergerequest slash command for mattermost
This commit includes a couple of thing:
- A chatops controller
- Mattermost::CommandService
- Mattermost::Commands::(IssueService|MergeRequestService)

The controller is the point where mattermost, and later slack will have
to fire their payload to. This in turn will execute the CommandService.

Thats where the authentication and authorization should happen. So far
this is not yet implemented. This should happen in later commits.

Per subcommand, in case of `/gitlab issue show 123` issue whould be the
subcommand, there is a service to parse the data, and fetch the
resource. The resource is passed back to the CommandService which
structures the data.
2016-11-17 21:34:23 +01:00
Z.J. van de Weg
9869c48097 Remove unneeded nil checks
The library we're using, default_value_for, is configured to interpret nil
as the default value, being ENABLED. Given the property can't be nil
this check is unneeded.
2016-11-12 11:20:06 +01:00
Douwe Maan
79d94b1679 Merge branch '22481-honour-issue-visibility-for-groups' into 'security'
Honour issue and merge request visibility in their respective finders

This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481

See merge request !2000
2016-11-09 12:24:13 +01:00
Felipe Artur
da07c2e4d3 Add visibility level to project repository 2016-10-17 18:12:18 -02:00
Stan Hu
fea80aa12d Fix project deletion when feature visibility is set to private
Projects that are destroyed are put in the pending_delete state.
The ProjectDestroyWorker checks whether the current user has
access, but since the ProjectFeature class uses the default scope
of the Project, it will not be able to find the right project.

This was a regression in 8.12 that caused the following stack trace:

```
NoMethodError: undefined method `team' for nil:NilClass
  from app/models/project_feature.rb:62:in `get_permission'
  from app/models/project_feature.rb:34:in `feature_available?'
  from app/models/project.rb:21:in `feature_available?'
  from app/policies/project_policy.rb:170:in `disabled_features!'
  from app/policies/project_policy.rb:29:in `rules'
  from app/policies/base_policy.rb:82:in `block in abilities'
  from app/policies/base_policy.rb:113:in `collect_rules'
  from app/policies/base_policy.rb:82:in `abilities'
  from app/policies/base_policy.rb:50:in `abilities'
  from app/models/ability.rb:64:in `uncached_allowed'
  from app/models/ability.rb:58:in `allowed'
  from app/models/ability.rb:49:in `allowed?'
  from app/services/base_service.rb:11:in `can?'
  from lib/gitlab/metrics/instrumentation.rb:155:in `block in can?'
  from lib/gitlab/metrics/method_call.rb:23:in `measure'
  from lib/gitlab/metrics/instrumentation.rb:155:in `can?'
  from app/services/projects/destroy_service.rb:18:in `execute'
```

Closes #22948
2016-10-04 20:53:15 -07:00
Zeger-Jan van de Weg
9573001999 Remove duplicate default_value_level entry 2016-09-21 17:55:37 +00:00
Z.J. van de Weg
9747f3ef7b Add default values for ProjectFeature
Closes gitlab-org/gitlab-ce#22330
2016-09-21 15:52:25 +03:00
Felipe Artur
892dea6771 Project tools visibility level 2016-09-01 11:47:59 -03:00