Commit graph

16 commits

Author SHA1 Message Date
Bob Van Landuyt
148816cd67 Port read_cross_project ability from EE 2018-02-22 17:11:36 +01:00
Bob Van Landuyt
3a4dc55f29 Reuse the groups tree for explore and dashboard. 2017-10-04 22:49:41 +02:00
Bob Van Landuyt
39df53ff0a Use the default sort set by the Sortable concern 2017-10-04 22:49:41 +02:00
Bob Van Landuyt
1fb49b8729 Only show root groups on the dashboard
The children are lazy-loaded when expanding
2017-10-04 22:49:41 +02:00
Bob Van Landuyt
3e6dd7d88d Use same response-body in groups-dashboard as we do for group-home 2017-10-04 22:49:41 +02:00
Tiago Botelho
cfd475a45e Removes default scope from sortable 2017-09-07 13:01:59 +01:00
Douwe Maan
e56556e1fe Use group and project finders instead of direct ActiveRecord relations 2017-06-07 20:22:34 -05:00
Dmitriy Zaporozhets
5bce197b61
Serialize groups as json for Dashboard::GroupsController
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2017-05-04 23:45:02 +03:00
Dmitriy Zaporozhets
b7c30cae4e
Add filter and sorting to dashboard groups page
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2017-03-01 15:39:59 +02:00
Dmitriy Zaporozhets
2989192d1a
Store group and project full name and full path in routes table
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2017-02-08 19:14:29 +02:00
Rémy Coutable
aec3475df9
Fix an information disclosure when requesting access to a group containing private projects
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-24 12:01:48 +02:00
Robert Speicher
085538c2bd Use the configured Kaminari "per page" default 2016-03-19 17:37:54 -04:00
Douwe Maan
26ad250989 Add a page title to every page. 2015-04-30 19:12:15 +02:00
Douwe Maan
84371de01f Move group leave action from dashboard/groups to groups/group_members. 2015-03-15 13:52:28 +01:00
Dmitriy Zaporozhets
f0cbbd70bb Use same constant for amount of items per page 2015-03-12 15:37:00 -07:00
Dmitriy Zaporozhets
9b3e156e43 Move profile groups page to dashboard 2015-03-08 17:03:30 -07:00
Renamed from app/controllers/profiles/groups_controller.rb (Browse further)