Commit graph

22 commits

Author SHA1 Message Date
Kamil Trzciński
5da2f42dc9 backport: Always proxy reports downloads
This makes to always proxy reports
2018-11-07 21:49:45 +01:00
Stan Hu
262b974123 Fix attachments not displaying inline with Google Cloud Storage
There were several issues:

1. With Google Cloud Storage, we can't override the Content-Type with
Response-Content-Type once it is set.  Setting the value to
`application/octet-stream` doesn't buy us anything. GCS defaults to
`application/octet-stream`, and AWS uses `binary/octet-stream`. Just remove
this `Content-Type` when we upload new files.

2. CarrierWave and fog-google need to support query parameters:
https://github.com/fog/fog-google/pull/409/files, https://github.com/carrierwaveuploader/carrierwave/pull/2332/files.
CarrierWave has been monkey-patched until an official release.

3. Workhorse also needs to remove the Content-Type header in the request
(ef80978ff8/internal/objectstore/object.go (L66)),
or we'll get a 403 error when uploading due to signed URLs not matching the headers.
Upgrading to Workhorse 6.1.0 for https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/297
will make Workhorse use the headers that are used by Rails.

Closes #49957
2018-09-05 17:01:54 -07:00
Stan Hu
b9cee4ba3c Set issuable_sort and diff_view cookies to secure when possible
Closes #49120
2018-09-03 22:37:36 -07:00
Bob Van Landuyt
de35c044fb Preload ancestors after pagination when filtering
We need to preload the ancestors of search results after applying
pagination limits. This way the search results itself are paginated,
but not the ancestors.

If we don't do this, we might not preload a parent group of a search
result as it has been cut off by pagination.
2018-07-06 14:09:36 +02:00
James Edwards-Jones
202bd2da16 Backport InternalRedirect#sanitize_redirect 2018-06-14 09:02:32 +10:00
Bob Van Landuyt
491e1fc905 Render a 403 when showing an access denied message
When we want to show an access denied message to a user, we don't have
to hide the resource's existence.

So in that case we render a 403, this 403 is not handled by nginx on
omnibus installs, making sure the message is visible to the user.
2018-06-05 10:29:27 +02:00
Stan Hu
0c43170630 Fix cross-origin errors when attempting to download JavaScript attachments
If you upload a file with a .js extension, Rails' cross-origin JavaScript
protection will prevent a user from downloading the file with a 422 error.
Setting the content-type to `text/plain` will allow the user to download
the file as a plaintext file.

Closes #45826
2018-05-13 21:49:51 -07:00
Bob Van Landuyt
39916fdfed Reuses InternalRedirect when possible
`InternalRedirect` prevents Open redirect issues by only allowing
redirection to paths on the same host.

It cleans up any unwanted strings from the path that could point to
another host (fe. //about.gitlab.com/hello). While preserving the
querystring and fragment of the uri.

It is already used by:

- `TermsController`
- `ContinueParams`
  - `ImportsController`
  - `ForksController`
- `SessionsController`: Only for verifying the host in CE. EE allows
   redirecting to a different instance using Geo.
2018-05-04 13:54:43 +02:00
Bob Van Landuyt
7684217d68 Enforces terms in the web application
This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.
2018-05-04 13:54:43 +02:00
Bob Van Landuyt
12dd2b0cc0 Share collaboration check between view and presenter 2018-04-11 10:51:15 +02:00
Micaël Bergeron
44f37504fb Backport ee-40781-os-to-ce 2018-03-22 08:49:04 -04:00
Micaël Bergeron
fc6587f1f2 Add proxy_download to perform proxied sending of all files 2018-03-09 09:16:06 -05:00
Bob Van Landuyt
148816cd67 Port read_cross_project ability from EE 2018-02-22 17:11:36 +01:00
Sean McGivern
c2fc40668c Refactor IssuableFinder to extract model-specific logic
By extracting a new `filter_items` method, we can override that in the
IssuesFinder and MergeRequestsFinder separately, so we don't need checks that
the model is the correct one, because we can just use the class we're in to know
that.

We can do the same for the VALID_PARAMS constant, by making it a class method.
2018-02-21 10:31:29 +00:00
Hiroyuki Sato
16caf95ccb Fix filter by my reaction is not working 2017-11-13 18:20:02 +09:00
Jarka Kadlecova
ad6e650262 Refactor issuables index actions 2017-11-07 14:34:12 +01:00
Bob Van Landuyt
0f1d6402b9 Find the LFS-objects for a fork within a the fork network 2017-11-03 14:59:47 +01:00
Bob Van Landuyt
524f65152f Only expand ancestors when searching
Not all_groups, since that would expose groups the user does not have
access to
2017-10-09 12:02:40 +02:00
Bob Van Landuyt
ec8a7a36c0 Make sure all ancestors are loaded when searching groups 2017-10-05 11:10:57 +02:00
Bob Van Landuyt
ea4e17e2ae Search subgroups on dashboard and explore views 2017-10-04 22:49:41 +02:00
Bob Van Landuyt
3a4dc55f29 Reuse the groups tree for explore and dashboard. 2017-10-04 22:49:41 +02:00
Yorick Peterse
42062a454a
Re-use issue/MR counts for the pagination system
This changes the issue and MR index pages so the pagination system
re-uses the output of the COUNT(*) query used to calculate the number of
rows per state (opened, closed, etc). This removes the need for an
additional COUNT(*) on both pages.
2017-09-05 11:53:45 +02:00