Commit graph

5 commits

Author SHA1 Message Date
Rémy Coutable
670b2eb5c0
Merge branch 'api-fix-project-group-sharing' into 'security'
API: Share projects only with groups current_user can access

Aims to address the issues here: https://gitlab.com/gitlab-org/gitlab-ce/issues/23004

* Projects can be shared with non-existent groups
* Projects can be shared with groups that the current user does not have access to read

Concerns:

The new implementation of the API endpoint allows projects to be shared with a larger range of groups than can be done via the web UI.

The form for sharing a project with a group uses the following API endpoint to index the available groups: 494269fc92/lib/api/groups.rb (L17). The groups indexed in the web form will only be those groups that the user is currently a member of.

The new implementation allows projects to be shared with any group that the authenticated user has access to view. This widens the range of groups to those that are public and internal.

See merge request !2005

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-10-11 20:36:26 +02:00
Sean McGivern
883b96ab6a Allow project group links to be expired 2016-08-18 22:45:41 +01:00
Jeroen van Baarsen
f1479b56b7
Remove the annotate gem and delete old annotations
In 8278b763d9 the default behaviour of annotation
has changed, which was causing a lot of noise in diffs. We decided in #17382
that it is better to get rid of the whole annotate gem, and instead let people
look at schema.rb for the columns in a table.

Fixes: #17382
2016-05-09 18:00:28 +02:00
Zeger-Jan van de Weg
47da013cf8 Annotate the models 2016-05-06 08:27:46 +02:00
Dmitriy Zaporozhets
ea5f4cae53
Bring ProjectGroupLink model and migrations from EE
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2016-03-11 17:47:05 +01:00