kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/lib
History
Rémy Coutable 670b2eb5c0
Merge branch 'api-fix-project-group-sharing' into 'security' 
API: Share projects only with groups current_user can access

Aims to address the issues here: https://gitlab.com/gitlab-org/gitlab-ce/issues/23004

* Projects can be shared with non-existent groups
* Projects can be shared with groups that the current user does not have access to read

Concerns:

The new implementation of the API endpoint allows projects to be shared with a larger range of groups than can be done via the web UI.

The form for sharing a project with a group uses the following API endpoint to index the available groups: 494269fc92/lib/api/groups.rb (L17). The groups indexed in the web form will only be those groups that the user is currently a member of.

The new implementation allows projects to be shared with any group that the authenticated user has access to view. This widens the range of groups to those that are public and internal.

See merge request !2005

Signed-off-by: Rémy Coutable <remy@rymai.me>
 		2016-10-11 20:36:26 +02:00
..
api Merge branch 'api-fix-project-group-sharing' into 'security' 2016-10-11 20:36:26 +02:00
assets
backup
banzai HTMLEntityFilter -> HtmlEntityFilter 2016-10-10 15:46:26 +01:00
ci
constraints
container_registry
gitlab Merge branch 'explain-0600' into 'master' 2016-10-10 15:18:46 +00:00
json_web_token
omni_auth
rouge/formatters
support
tasks Merge branch 'docs/refactor-reply-by-email' into 'master' 2016-10-11 13:27:23 +00:00
banzai.rb Add markdown cache columns to the database, but don't use them yet 2016-10-07 02:54:25 +01:00
disable_email_interceptor.rb
event_filter.rb
expand_variables.rb
extracts_path.rb Allow browsing branches that end with '.atom' 2016-10-11 13:31:12 +01:00
file_size_validator.rb
file_streamer.rb
gitlab.rb
gt_one_coercion.rb
repository_cache.rb
static_model.rb
unfold_form.rb
uploaded_file.rb
version_check.rb