Commit graph

19 commits

Author SHA1 Message Date
Douwe Maan
6d37fe952b Merge branch 'jej-fix-missing-access-check-on-issues' into 'security'
Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
 - Permissions check tested

- [x]  app/controllers/projects/branches_controller.rb:39
  - `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access so fine with
    confidential issues, issues only visible to team, etc.
- [x] 🚥 app/models/cycle_analytics/summary.rb:9 [`.count`]
- [x]  app/controllers/projects/todos_controller.rb:19

- [x] Potential double render in app/controllers/projects/todos_controller.rb

- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030
2016-11-28 21:25:46 -03:00
Alfredo Sumaran
2748a01a3a Use stage description from endpoint response 2016-11-21 13:57:10 -05:00
Alfredo Sumaran
06fd2879ee Provide stage legend on server response 2016-11-21 13:57:09 -05:00
James Lopez
a3331eee91 Updated code based on feedback 2016-11-21 17:29:07 +01:00
James Lopez
7a63021ab3 rename method 2016-11-21 17:19:18 +01:00
James Lopez
dde8fba524 Adds a flag to reflect whether or not there is data in cycle analytics 2016-11-21 17:19:18 +01:00
James Lopez
9b69168858 refactored a couple of things based on feedback 2016-11-21 14:09:26 +01:00
James Lopez
0fd397bba1 Added permissions per stage to cycle analytics endpoint 2016-11-21 10:49:05 +01:00
James Lopez
192918cde9 refactored duplicated code in controller, updated JSON array naming and fixed specs 2016-11-17 08:22:57 +01:00
James Lopez
f59b8afc82 fix module issue in cycle analytics controller 2016-11-17 08:22:57 +01:00
Timothy Andrew
244ec0a84c Implement fourth round of comments from @DouweM.
- Pluralize summary titles
- Remove the `run_query` method - always return sql strings from the
  `date_time_sql` methods
2016-09-21 09:57:14 +05:30
Timothy Andrew
a4a0ce9500 Move JSON generation (cycle analytics) into a controller method.
Helper methods are meant for views
2016-09-20 18:50:48 +05:30
Timothy Andrew
edb38d69cc Move cycle analytics JSON generation to a helper.
1. Use a new format, with each stage having a `title`, `description`,
   and `value`.
2016-09-17 12:16:48 +05:30
Timothy Andrew
9901c3df41 Add a JSON version of the CycleAnalytics page. 2016-09-08 15:03:38 +05:30
Timothy Andrew
2f57eee7da Authorize access to cycle analytics.
All users with "Reporter" access (and above) to a project can see the
Cycle Analytics page.
2016-08-26 16:28:20 +05:30
Timothy Andrew
331080bca6 Fetch cycle analytics data for a specific date range.
1. Supported date ranges are 30 / 90 days ago. The default is 90 days
   ago.

2. All issues created before "x days ago" are filtered out, even if they
   have other related data (test runs, merge requests) within the filter
   range.
2016-08-26 16:28:20 +05:30
Timothy Andrew
df6c9c33b6 Scope Cycle Analytics queries to a project 2016-08-26 16:28:20 +05:30
Timothy Andrew
f932bb8e41 Add the "Plan" Cycle Analytics query.
1. Move from raw SQL to ActiveRecord.
2. Add a non-persisted `CycleAnalytics` model to store all the queries.
2016-08-26 16:27:37 +05:30
Timothy Andrew
8ccea81cba Display numbers for the "Issue (Tracker)" cycle analytics metric.
1. Code is messy and untested, but it is a start.
2016-08-26 16:27:37 +05:30