[ci skip]

[ci skip]

Prevent fetching repository code with unauthorized ci token

See merge request gitlab-org/security/gitlab!588

Users have ability to fetch other projects' code via gitlab-ci-token.
This permission is controlled by "build_download_code".
However, this permission is not prevented when "repository_disabled"
for the users. This commit fixes this.

Fix expired SSL cert in PagesDomain test

See merge request gitlab-org/gitlab!33462

[ci skip]

[ci skip]

Fix failing user spec

See merge request gitlab-org/security/gitlab!553

Assures that user.emails is not empty

Added data integrity check before update

See merge request gitlab-org/security/gitlab!475

Display only verified emails on notifications page

See merge request gitlab-org/security/gitlab!548

Limit resources when processing artifacts metadata - gitlab-rails

See merge request gitlab-org/security/gitlab!534

Substitute variables using gsub in Prometheus proxy API

See merge request gitlab-org/security/gitlab!471

Fix email confirmation bug when soft email confirmation is enabled

See merge request gitlab-org/security/gitlab!517

Require confirmed email address for GitLab OAuth authentication

See merge request gitlab-org/security/gitlab!538

Merge branch 'security-fix-group-domain-allowed-email-should-be-verified-12-9' into '12-9-stable-ee'

Allow only verified user to be members of group with domain restriction

See merge request gitlab-org/security/gitlab!544

Respect forked projects permissions

See merge request gitlab-org/security/gitlab!438

Do not auto-confirm email in Trial registration

See merge request gitlab-org/security/gitlab!512

Hide EKS secret key in admin integrations settings

See merge request gitlab-org/security/gitlab!547

Fix file enuming using Group Import

See merge request gitlab-org/security/gitlab!486

Fix security issue in mermaid markdown

See merge request gitlab-org/security/gitlab!477

Prevent XSS in the monitoring dashboard

See merge request gitlab-org/security/gitlab!452

Jose Ivan Vargas Lopez authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

This prevents the branch name from the duplicate
dashboard modal to execute XSS scripts

Do not expose Kubernetes cluster token

See merge request gitlab-org/security/gitlab!505

Disable caching on repo/blobs/[sha]/raw endpoint

See merge request gitlab-org/security/gitlab!398

Change the mirror user along with pull mirror settings

See merge request gitlab-org/security/gitlab!497

Instead of rendering the key and masking it from the UI,
don't render it at all.

Validate confirmation of emails for user

Add validation to notification settings

Add different condition to validation

Add possibility to pick only email in dropdown

Fix user specs file

Remove unused method

Add changelog entry

Add cr remarks

Add cr remarks

This change allows only user with a verified email to be
member of a group when the group has restricted membership
based on email domain

Drew Blessing authored 4 years ago and Drew Blessing committed 4 years ago

Allowing users with unconfirmed/unverified email addresses to
authenticate to an external service using GitLab OAuth is not
secure. This change enforces that a user must have a confirmed
primary email address to proceed with OAuth.

This introduces a test case for the bug, and 2 changes related to
addressing it: 1) more accurately marking new email records as
confirmed and 2) un-confirming users when they change their primary
email to an un-confirmed email.

This MR prevents email addresses from being confirmed
automatically for Trial registrations.

This commit:
- Removes Copy and Show buttons
from the Kubernetes cluster details page
- Still allows to set a new token