  1. Jul 01, 2019
  2. Jun 30, 2019
  3. Jun 27, 2019
  4. Jun 26, 2019
  5. Jun 25, 2019
  6. Jun 21, 2019
  7. Jun 18, 2019
  8. Jun 17, 2019
      Persist tmp snippet uploads · 153e2999
      Oswaldo Ferreir authored
      It persists temporary personal snippets under
      user/:id namespaces temporarily while creating
      an upload record to track it. If a user gets removed
      while it's still a tmp upload, it also gets removed.
      If the tmp upload is sent, the upload gets moved to
      personal_snippets/:id as before. The upload record
      also gets updated to the new model type as well.
  9. Jun 14, 2019
  10. Jun 13, 2019
      Authorize access before serving project template · 5351ebf8
      Luke Duncalfe authored
      Previously, if a user was a guest member of a private project, they
      could access the merge request template as we were not checking
      permission-levels of the user.
      
      When an issue template is asked for, the user must have :read_issue for
      the project; or :read_merge_request when a merge request template is
      asked for.
      
      We also now rescue_from FileNotFoundError and handle as 404. This is
      because RepoTemplateFinder can raise a FileNotFoundError exception,
      which Rails previously handled as a 500.
      
      Handling these in a way that is consistent with
      ActiveRecord::RecordNotFound exceptions, within controllers that
      inherit from Projects::ApplicationController at least, and returning a
      404.
      
      https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
  11. Jun 12, 2019
  12. Jun 07, 2019
      Prevent Billion Laughs attack · 13953724
      Fabio Pitino authored
      It keeps track of the memory being used when loading the YAML file
      as well as the depth of nesting.
      Track exception when YAML is too big
  13. Jun 06, 2019
      Correctly check permissions when creating snippet notes · a89c7c6f
      Markus Koller authored
      In the Snippets::NotesController the noteable was resolved and
      authorized through the :snippet_id, so by passing a :target_id for a
      different snippet it was possible to create a note on a snippet
      where the user would be unauthorized to do so otherwise.
      
      This fixes the problem by ignoring the :target_id and :target_type from
      the request, and using the same noteable for creation and authorization.
  14. Jun 04, 2019
  15. Jun 03, 2019