[ci skip]

[ci skip]

[ci skip]

[ci skip]

Stop deploy token being used as user in ProjectPolicy and GroupPolicy

See merge request gitlab-org/security/gitlab!822

Add check for project access on deploy token check

See merge request gitlab-org/security/gitlab!818

This prevents deploy token from getting permissions for users that
happen to have the same id as the deploy token.

Steve Abrams authored 4 years ago and Jaime Martinez committed 4 years ago

When a deploy token is authenticated, project access
is checked and rejected if not allowed.

Auth spec is fixed to properly test this scenario

Update guard clause to allow nil projects to pass for registry access

Update LFS spec - now returns 401 for invalid deploy token

Fixing flaky tests

Add spec for group deploy token as well

[ci skip]

[ci skip]

2FA not enforced on /profile/applications

See merge request gitlab-org/security/gitlab!783

Małgorzata Ksionek authored 4 years ago and mksionek committed 4 years ago

Add one more spec

Add changelog entry

Fix changelog

Move concern to doorkeeper base controller

Add base metal controller

Add new controller

Fix

Remove 2FA from api-endpoints

Add if-clause block around helper method

Add controllers tests

And implement 2FA enforcement in tokens controllers

Remove obsolete let in spec

Fix

Fix

Update GitLab Runner version

See merge request gitlab-org/security/gitlab!755

Fix XSS on jobs view

See merge request gitlab-org/security/gitlab!652

Revoke OAuth grants when a user revokes an application

See merge request gitlab-org/security/gitlab!759

Add a prohibited branches system

See merge request gitlab-org/security/gitlab!663

Verify confirmed email for OAuth Authorize POST endpoint

See merge request gitlab-org/security/gitlab!741

Add refreshing projects to transfering groups

See merge request gitlab-org/security/gitlab!717

Escape milestone title in sidebar tooltip

See merge request gitlab-org/security/gitlab!734

Only support HTML tooltips for scoped labels

See merge request gitlab-org/security/gitlab!692

Add decompressed archive size validation on Project/Group Import

See merge request gitlab-org/security/gitlab!653

Stop excess logs from invite email when group no longer exists

See merge request gitlab-org/security/gitlab!721

Drew Blessing authored 4 years ago and Drew Blessing committed 4 years ago

Currently, when a user revokes OAuth applications only
existing access tokens are revoked. If an application has already
requested a code (grant) to later redeem for an access token, the
grant may remain valid and will generate a valid access token
until expired (10 min expiry). This change ensures both access
tokens *and* grants are revoked when a user revoked the application.

Drew Blessing authored 4 years ago and Drew Blessing committed 4 years ago

Similar to the recent change to require email confirmation/verification
for the OAuth Authorize GET (:new) endpoint, require the same
for the OAuth Authorize POST (:create) endpoint. This will prevent
forcing a POST request to authenticate to an external service
with an unconfirmed email address.

[ci skip]

[ci skip]

Prepare 13.1.5-ee release

See merge request gitlab-org/gitlab!37707

Nick Gaskill authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Fixes mixed-case anchors

See merge request gitlab-org/gitlab!36414

(cherry picked from commit 13c165bf)

9afb4acb Fixes mixed-case anchors

Amy Qualls authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Docs: Repair link anchors by lowercasing them

See merge request gitlab-org/gitlab!36344

(cherry picked from commit 57636d29)

e1285c35 Repair link anchors by lowercasing them