Commit graph

24 commits

Author SHA1 Message Date
Nur Rony
ecea127cd1 Improve test for sort dropdown on members page 2016-12-16 20:30:27 -02:00
Douglas Barbosa Alexandre
0ef2c8dfbe Use factories to create project/group membership on specs 2016-12-16 20:28:40 -02:00
Douglas Barbosa Alexandre
3a2905f507 Sort group/project members alphabetically by default 2016-12-16 20:28:38 -02:00
Douglas Barbosa Alexandre
4b7a3d0c38 Add feature spec for sort functionality on group/project members list 2016-12-16 20:28:38 -02:00
Jacob Schatz
ffa1b67d2f Merge branch '23305-leave-project-and-leave-group-should-be-buttons' into 'master'
Remove 'Leave Project' and 'Leave Group' from settings dropdowns

## What does this MR do?

Removes `Leave Project` and `Leave Group` from the settings dropdown.

Adds it to the `views/shared/members/access_request_buttons.html.haml`.

## Are there points in the code the reviewer needs to double check?

## Why was this MR needed?

## Screenshots (if relevant)

![Screen_Shot_2016-11-19_at_15.34.26](/uploads/5c66a025513b4780a9e881f0036381e4/Screen_Shot_2016-11-19_at_15.34.26.png)
![Screen_Shot_2016-11-19_at_15.35.29](/uploads/ed74a5dfe982cf65bb49c0c4fb307061/Screen_Shot_2016-11-19_at_15.35.29.png)

## Does this MR meet the acceptance criteria?

- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?


Closes #23305

See merge request !7600
2016-12-09 19:27:09 +00:00
Dmitriy Zaporozhets
7e42c22991
Fix 404 error when visiting group label edit page
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2016-12-06 18:50:48 +02:00
Jacopo
4d26ab28a9 Fix Archived project merge requests add to group's Merge Requests
counter

This is done by:
 - Extending the IssuableFinder adding the non_archived option to the params
 - Overriding the #filter_params in the MergeRequestsAction
 - Passing the non_archived param in the nav/_group.html.haml navbar
   partial from the groups/merge_requests.html.haml
2016-12-05 18:06:36 +01:00
Luke "Jared" Bennett
c47d8ab69e
Removed leave buttons from settings dropdowns
Updated specs
2016-11-26 14:27:08 +00:00
Nick Thomas
d211011698 Make access request specs explicitly enable or disable access requests as required 2016-11-11 15:45:47 +00:00
Douwe Maan
79d94b1679 Merge branch '22481-honour-issue-visibility-for-groups' into 'security'
Honour issue and merge request visibility in their respective finders

This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481

See merge request !2000
2016-11-09 12:24:13 +01:00
Phil Hughes
999f184805 Tests update 2016-09-13 08:44:59 +01:00
Rémy Coutable
5fb436aaa4 Fix a few nitpicks
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-07-20 14:38:21 +02:00
Felipe Artur
4d69cb9d94 Allow to disable user request access to groups/projects 2016-07-20 14:38:21 +02:00
Rémy Coutable
22ba5d8a7f
New :request_access ability to replace an ugly helper
- Group / project members cannot request access
- Group members cannot request access to a group's project

This addresses an issue where project owners could request access
to their own project, leading to UI inconsistency where their requester
status would replace their owner status.

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-07-05 14:35:26 +02:00
Douwe Maan
d1c94f034b Merge branch 'explicit-requesters-scope' into 'master'
Exclude requesters from Project#members, Group#members and User#members

## What does this MR do?

It excludes requesters from the `Project#members`, `Group#members` and `User#members` associations, and adds new `Project#requesters` and `Group#requesters` associations.

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

Without this, if you call `project.members`, requesters are included in the results! This is at best misleading, and at worst can lead to security issues. By excluding requesters from the `#members` associations, we avoid introducing security inadvertently since you have to call the `#requesters` association explicitly to get requesters.

## What are the relevant issue numbers?

This is something I realized while fixing the security issue #19102.

## Does this MR meet the acceptance criteria?

- [x] I don't think this needs a CHANGELOG since this is an internal change
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4946
2016-07-01 22:23:26 +00:00
Grzegorz Bizon
9e211091a8 Enable Style/EmptyLines cop, remove redundant ones 2016-07-01 21:56:17 +02:00
Rémy Coutable
bd78f5733c Exclude requesters from Project#members, Group#members and User#members
And create new Project#requesters, Group#requesters scopes.

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-07-01 17:44:46 +02:00
Rémy Coutable
aec3475df9
Fix an information disclosure when requesting access to a group containing private projects
The issue was with the `User#groups` and `User#projects` associations
which go through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-24 12:01:48 +02:00
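
The scoping problem described in this commit and in the `explicit-requesters-scope` merge request above, as an added example in plain Ruby (not GitLab's code and not ActiveRecord): pending access requests share a table with real members and differ only by `requested_at`, so any lookup that goes through the unscoped association treats a requester as a member. The structs, helper names and sample rows are constructed for illustration.

```ruby
# Plain-Ruby stand-in for the members table (hypothetical model, not GitLab code).
# requested_at is nil for accepted members and set for pending access requests.
Member = Struct.new(:user_id, :group, :requested_at)
Group  = Struct.new(:name, :private_projects)

MEMBERS = [] # constructed sample rows are appended below
ALICE   = 1  # constructed user ID

# Unsafe default: every row carrying the user's ID counts, requesters included.
def group_members_unscoped(user_id)
  MEMBERS.select { |m| m.user_id == user_id }
end

# Safe default: the plain association excludes requesters,
# the equivalent of the where(requested_at: nil) scope.
def group_members(user_id)
  group_members_unscoped(user_id).select { |m| m.requested_at.nil? }
end

# Requesters are reachable only by asking for them explicitly.
def group_requesters(user_id)
  group_members_unscoped(user_id).reject { |m| m.requested_at.nil? }
end

# Hypothetical lookup that goes "through" a membership association,
# the way User#groups goes through User#group_members.
def visible_private_projects(user_id, association)
  send(association, user_id).flat_map { |m| m.group.private_projects }.uniq
end

# What the unscoped association exposes beyond the scoped one.
def leaked_projects(user_id)
  visible_private_projects(user_id, :group_members_unscoped) -
    visible_private_projects(user_id, :group_members)
end

open_team   = Group.new("open-team", ["open-team/internal-docs"])
secret_team = Group.new("secret-team", ["secret-team/payroll"])
MEMBERS << Member.new(ALICE, open_team, nil)        # accepted member
MEMBERS << Member.new(ALICE, secret_team, Time.now) # pending request only

puts "unscoped:   #{visible_private_projects(ALICE, :group_members_unscoped)}"
puts "scoped:     #{visible_private_projects(ALICE, :group_members)}"
puts "leaked:     #{leaked_projects(ALICE)}"
puts "requesters: #{group_requesters(ALICE).map { |m| m.group.name }}"
```

A spec that asserts `leaked_projects` is empty for every association built on the members table is the regression check that would have caught the missing scope.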
Douwe Maan
4dcf107b26 Merge branch '18871-check-improve-how-we-display-access-requesters-in-admin-area' into 'master'
Display group/project access requesters separately in admin

## What does this MR do?

It displays the access requesters in a separate list in group & project members pages.

It also harmonizes the members counter UI to use `%span.badge` everywhere (in the admin & non-admin members views).

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

To not confuse access requesters with actual members.

## What are the relevant issue numbers?

Closes #18871.

## Screenshots

### Group members

| Before | After |
| --------- | ---- |
| ![group-members-before](/uploads/2f15137e073fd3a63bc2cb7b2217cb6c/group-members-before.png) | ![group-members-after](/uploads/5b643974505cfa57783fa0320d3bf8b2/group-members-after.png) |

### Project members

| Before | After |
| --------- | ---- |
| ![project-members-before](/uploads/9c48dcd3736e42de84061b1201ee0b06/project-members-before.png) | ![project-members-after](/uploads/8e04c92ef0bba3de7e2405618632b27d/project-members-after.png) |

### Admin group members

| Before | After |
| --------- | ---- |
| ![admin-group-members-before](/uploads/7fda8c2c94b697bea6655ba892ba45e7/admin-group-members-before.png) | ![admin-group-members-after](/uploads/ea25717001794f75939c679b80308c3a/admin-group-members-after.png) |

### Admin project members

| Before | After |
| --------- | ---- |
| ![admin-project-members-before](/uploads/ba9d3ec52adbda6bb3d45ad9ac5243d3/admin-project-members-before.png) | ![admin-project-members-after](/uploads/3b889a029a9756e9ed2781b45c4dd9cb/admin-project-members-after.png) |

## Does this MR meet the acceptance criteria?

- [x] No CHANGELOG since this is related to the original "request access" MR.
- [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4798
2016-06-22 01:17:08 +00:00
Rémy Coutable
00ac7ae84a
Fix specs
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-20 16:40:35 +02:00
Rémy Coutable
909a0ff3ac
Fix and remove duplicate specs
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-20 12:36:59 +02:00
Rémy Coutable
bf05ca88ee Add 'Leave Group' link
The link was removed in !3798, probably by mistake.

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-18 06:06:35 +02:00
Rémy Coutable
515205d3c1 UI and copywriting improvements
+ Move 'Edit Project/Group' out of membership-related partial
+ Show the access request buttons only to logged-in users
+ Put the request access buttons out of in a more visible button
+ Improve the copy in the #remove_member_message helper

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-14 13:18:14 +02:00
Rémy Coutable
d26f81239a Add request access for groups
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-14 13:07:26 +02:00