diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 85dce0db8f25410edb202505fb3c9ca5c7e05797..44c93471df4b137326f7d0e2b3276847446b9981 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -13,7 +13,7 @@ class Admin::UsersController < Admin::ApplicationController
end
def new
- @user = User.build_user
+ @user = User.new
end
def edit
@@ -37,15 +37,12 @@ class Admin::UsersController < Admin::ApplicationController
end
def create
- admin = user_params.delete("admin")
-
opts = {
force_random_password: true,
password_expires_at: Time.now
}
- @user = User.build_user(user_params.merge(opts), as: :admin)
- @user.admin = (admin && admin.to_i > 0)
+ @user = User.new(user_params.merge(opts))
@user.created_by_id = current_user.id
@user.generate_password
@user.skip_confirmation!
@@ -62,19 +59,15 @@ class Admin::UsersController < Admin::ApplicationController
end
def update
- admin = user_params.delete("admin")
-
- if user_params[:password].blank?
- user_params.delete(:password)
- user_params.delete(:password_confirmation)
- end
-
- if admin.present?
- user.admin = !admin.to_i.zero?
+ if params[:user][:password].present?
+ user_params.merge(
+ password: params[:user][:password],
+ password_confirmation: params[:user][:password_confirmation],
+ )
end
respond_to do |format|
- if user.update_attributes(user_params, as: :admin)
+ if user.update_attributes(user_params)
user.confirm!
format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
format.json { head :ok }
@@ -118,10 +111,10 @@ class Admin::UsersController < Admin::ApplicationController
def user_params
params.require(:user).permit(
- :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
+ :email, :remember_me, :bio, :name, :username,
:skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
:extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
- :projects_limit, :can_create_group,
+ :projects_limit, :can_create_group, :admin
)
end
end
diff --git a/app/controllers/profiles/emails_controller.rb b/app/controllers/profiles/emails_controller.rb
index 40c352dab0c2f9fd07570a58df02934a3c0d134e..f3f0e69b83a4ee516489662d6e45364e1f96d51b 100644
--- a/app/controllers/profiles/emails_controller.rb
+++ b/app/controllers/profiles/emails_controller.rb
@@ -7,7 +7,7 @@ class Profiles::EmailsController < ApplicationController
end
def create
- @email = current_user.emails.new(params[:email])
+ @email = current_user.emails.new(email_params)
flash[:alert] = @email.errors.full_messages.first unless @email.save
@@ -23,4 +23,10 @@ class Profiles::EmailsController < ApplicationController
format.js { render nothing: true }
end
end
+
+ private
+
+ def email_params
+ params.require(:email).permit(:email)
+ end
end
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index f7c9651d0502c31be033e7c407c658f475c35ace..e877f9b904946494885b625fc952a21f290694b5 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -14,7 +14,7 @@ class ProfilesController < ApplicationController
end
def update
- user_params.delete(:email) if @user.ldap_user?
+ user_params.except!(:email) if @user.ldap_user?
if @user.update_attributes(user_params)
flash[:notice] = "Profile was successfully updated"
diff --git a/app/controllers/projects/deploy_keys_controller.rb b/app/controllers/projects/deploy_keys_controller.rb
index 6e1a76ff4177c9ed232e9fcdd4fc84617efb4ec4..d20937ea8ea5e174282a4a160907e4199be31523 100644
--- a/app/controllers/projects/deploy_keys_controller.rb
+++ b/app/controllers/projects/deploy_keys_controller.rb
@@ -22,7 +22,7 @@ class Projects::DeployKeysController < Projects::ApplicationController
end
def create
- @key = DeployKey.new(params[:deploy_key])
+ @key = DeployKey.new(deploy_key_params)
if @key.valid? && @project.deploy_keys << @key
redirect_to project_deploy_keys_path(@project)
@@ -58,4 +58,8 @@ class Projects::DeployKeysController < Projects::ApplicationController
def available_keys
@available_keys ||= current_user.accessible_deploy_keys
end
+
+ def deploy_key_params
+ params.require(:deploy_key).permit(:key, :title)
+ end
end
diff --git a/app/models/note.rb b/app/models/note.rb
index 436b75adc5eb7f6ef75ccd7422620fa719f2293d..ed4829b2b394cc3e469c7aad9a2d5bf45fbc8f3c 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -61,13 +61,13 @@ class Note < ActiveRecord::Base
def create_status_change_note(noteable, project, author, status, source)
body = "_Status changed to #{status}#{' by ' + source.gfm_reference if source}_"
- create({
+ create(
noteable: noteable,
project: project,
author: author,
note: body,
system: true
- }, without_protection: true)
+ )
end
# +noteable+ was referenced from +mentioner+, by including GFM in either +mentioner+'s description or an associated Note.
@@ -86,7 +86,7 @@ class Note < ActiveRecord::Base
note_options.merge!(noteable: noteable)
end
- create(note_options, without_protection: true)
+ create(note_options)
end
def create_milestone_change_note(noteable, project, author, milestone)
@@ -96,13 +96,13 @@ class Note < ActiveRecord::Base
"_Milestone changed to #{milestone.title}_"
end
- create({
+ create(
noteable: noteable,
project: project,
author: author,
note: body,
system: true
- }, without_protection: true)
+ )
end
def create_assignee_change_note(noteable, project, author, assignee)
@@ -114,7 +114,7 @@ class Note < ActiveRecord::Base
author: author,
note: body,
system: true
- }, without_protection: true)
+ })
end
def discussions_from_notes(notes)
diff --git a/app/models/project.rb b/app/models/project.rb
index fde4a31ff7c860e42d67b69c413f1d8f349d36f3..c242fb0fc5f6e50294e9b1fb00c76dd4ce2a2b43 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -27,14 +27,17 @@
class Project < ActiveRecord::Base
include Gitlab::ShellAdapter
include Gitlab::VisibilityLevel
+ include Gitlab::ConfigHelper
+ extend Gitlab::ConfigHelper
extend Enumerize
default_value_for :archived, false
- default_value_for :issues_enabled, true
- default_value_for :merge_requests_enabled, true
- default_value_for :wiki_enabled, true
+ default_value_for :visibility_level, gitlab_config_features.visibility_level
+ default_value_for :issues_enabled, gitlab_config_features.issues
+ default_value_for :merge_requests_enabled, gitlab_config_features.merge_requests
+ default_value_for :wiki_enabled, gitlab_config_features.wiki
default_value_for :wall_enabled, false
- default_value_for :snippets_enabled, true
+ default_value_for :snippets_enabled, gitlab_config_features.snippets
ActsAsTaggableOn.strict_case_match = true
@@ -249,7 +252,7 @@ class Project < ActiveRecord::Base
end
def web_url
- [Gitlab.config.gitlab.url, path_with_namespace].join("/")
+ [gitlab_config.url, path_with_namespace].join("/")
end
def web_url_without_protocol
@@ -470,7 +473,7 @@ class Project < ActiveRecord::Base
end
def http_url_to_repo
- [Gitlab.config.gitlab.url, "/", path_with_namespace, ".git"].join('')
+ [gitlab_config.url, "/", path_with_namespace, ".git"].join('')
end
# Check if current branch name is marked as protected in the system
diff --git a/app/models/user.rb b/app/models/user.rb
index 6ce57f086bc10277da2b90b16fc7a531c1b4ee49..5fca392d3501543bd2f0ac483cb9a2f2c147b1be 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -50,10 +50,15 @@ require 'carrierwave/orm/activerecord'
require 'file_size_validator'
class User < ActiveRecord::Base
+ include Gitlab::ConfigHelper
+ extend Gitlab::ConfigHelper
+
default_value_for :admin, false
- default_value_for :can_create_group, true
+ default_value_for :can_create_group, gitlab_config.default_can_create_group
default_value_for :can_create_team, false
default_value_for :hide_no_ssh_key, false
+ default_value_for :projects_limit, gitlab_config.default_projects_limit
+ default_value_for :theme_id, gitlab_config.default_theme
devise :database_authenticatable, :token_authenticatable, :lockable, :async,
:recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
@@ -211,20 +216,8 @@ class User < ActiveRecord::Base
where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first
end
- def build_user(attrs = {}, options= {})
- if options[:as] == :admin
- User.new(defaults.merge(attrs.symbolize_keys), options)
- else
- User.new(attrs, options).with_defaults
- end
- end
-
- def defaults
- {
- projects_limit: Gitlab.config.gitlab.default_projects_limit,
- can_create_group: Gitlab.config.gitlab.default_can_create_group,
- theme_id: Gitlab.config.gitlab.default_theme
- }
+ def build_user(attrs = {})
+ User.new(attrs)
end
end
@@ -302,7 +295,7 @@ class User < ActiveRecord::Base
end
def can_change_username?
- Gitlab.config.gitlab.username_changing_enabled
+ gitlab_config.username_changing_enabled
end
def can_create_project?
@@ -477,7 +470,7 @@ class User < ActiveRecord::Base
def avatar_url(size = nil)
if avatar.present?
- URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
+ URI::join(gitlab_config.url, avatar.url).to_s
else
GravatarService.new.execute(email, size)
end
diff --git a/app/services/issues/update_service.rb b/app/services/issues/update_service.rb
index 169e1e95b4b9b010c28a8bfbb914be2cffeeebb3..a0e571444357e1a5e1b5d47c819b554790c1ee25 100644
--- a/app/services/issues/update_service.rb
+++ b/app/services/issues/update_service.rb
@@ -1,7 +1,7 @@
module Issues
class UpdateService < Issues::BaseService
def execute(issue)
- state = params.delete('state_event') || params.delete(:state_event)
+ state = params[:state_event]
case state
when 'reopen'
@@ -10,7 +10,7 @@ module Issues
Issues::CloseService.new(project, current_user, {}).execute(issue)
end
- if params.present? && issue.update_attributes(params)
+ if params.present? && issue.update_attributes(params.except(:state_event))
issue.reset_events_cache
if issue.previous_changes.include?('milestone_id')
diff --git a/app/services/merge_requests/update_service.rb b/app/services/merge_requests/update_service.rb
index f1aa8b73930766c298a4386cd53385df294a3342..6e416a0080c1628feef75dd1b638bce0bc99064d 100644
--- a/app/services/merge_requests/update_service.rb
+++ b/app/services/merge_requests/update_service.rb
@@ -7,10 +7,10 @@ module MergeRequests
def execute(merge_request)
# We dont allow change of source/target projects
# after merge request was created
- params.delete(:source_project_id)
- params.delete(:target_project_id)
+ params.except!(:source_project_id)
+ params.except!(:target_project_id)
- state = params.delete('state_event') || params.delete(:state_event)
+ state = params[:state_event]
case state
when 'reopen'
@@ -19,7 +19,7 @@ module MergeRequests
MergeRequests::CloseService.new(project, current_user, {}).execute(merge_request)
end
- if params.present? && merge_request.update_attributes(params)
+ if params.present? && merge_request.update_attributes(params.except(:state_event))
merge_request.reset_events_cache
if merge_request.previous_changes.include?('milestone_id')
diff --git a/app/services/milestones/update_service.rb b/app/services/milestones/update_service.rb
index 307e96a2b36c087d832cf160599bab3b13d4e278..ed64847f429590bec4962afd3343054726ec3d27 100644
--- a/app/services/milestones/update_service.rb
+++ b/app/services/milestones/update_service.rb
@@ -1,7 +1,7 @@
module Milestones
class UpdateService < Milestones::BaseService
def execute(milestone)
- state = params.delete('state_event') || params.delete(:state_event)
+ state = params[:state_event]
case state
when 'activate'
@@ -11,7 +11,7 @@ module Milestones
end
if params.present?
- milestone.update_attributes(params)
+ milestone.update_attributes(params.except(:state_event))
end
milestone
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index dfadcfd296a485204b9eb4095db36cd747e686c3..3565e4e4f70a41064ac3da14ac69119cae83db15 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -5,27 +5,13 @@ module Projects
end
def execute
- # get namespace id
- namespace_id = params.delete(:namespace_id)
+ @project = Project.new(params)
- # check that user is allowed to set specified visibility_level
+ # Reset visibility levet if is not allowed to set it
unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
- params.delete(:visibility_level)
+ @project.visibility_level = default_features.visibility_level
end
- # Load default feature settings
- default_features = Gitlab.config.gitlab.default_projects_features
-
- default_opts = {
- issues_enabled: default_features.issues,
- wiki_enabled: default_features.wiki,
- snippets_enabled: default_features.snippets,
- merge_requests_enabled: default_features.merge_requests,
- visibility_level: default_features.visibility_level
- }.stringify_keys
-
- @project = Project.new(default_opts.merge(params))
-
# Parametrize path for project
#
# Ex.
@@ -33,13 +19,14 @@ module Projects
#
@project.path = @project.name.dup.parameterize unless @project.path.present?
+ # get namespace id
+ namespace_id = params[:namespace_id]
if namespace_id
# Find matching namespace and check if it allowed
# for current user if namespace_id passed.
- if allowed_namespace?(current_user, namespace_id)
- @project.namespace_id = namespace_id
- else
+ unless allowed_namespace?(current_user, namespace_id)
+ @project.namespace_id = nil
deny_namespace
return @project
end
diff --git a/app/services/projects/transfer_service.rb b/app/services/projects/transfer_service.rb
index d115e92a10558383cdabea97ce5041d28c21b64d..e39fe882cb17e4994fe1d6f0481bccca2af4025e 100644
--- a/app/services/projects/transfer_service.rb
+++ b/app/services/projects/transfer_service.rb
@@ -12,7 +12,7 @@ module Projects
class TransferError < StandardError; end
def execute
- namespace_id = params.delete(:namespace_id)
+ namespace_id = params[:namespace_id]
namespace = Namespace.find_by(id: namespace_id)
if allowed_transfer?(current_user, project, namespace)
diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb
index d21bba69b51d3b98f818908571ab4139af8f9c01..36877a61679d6cb510bf763da96e521e75d9998f 100644
--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
@@ -1,23 +1,18 @@
module Projects
class UpdateService < BaseService
def execute
- params.delete(:namespace_id)
# check that user is allowed to set specified visibility_level
unless can?(current_user, :change_visibility_level, project) && Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
- params.delete(:visibility_level)
+ params[:visibility_level] = project.visibility_level
end
- new_branch = params.delete(:default_branch)
+ new_branch = params[:default_branch]
if project.repository.exists? && new_branch && new_branch != project.default_branch
project.change_head(new_branch)
end
- if project.update_attributes(params)
- if project.previous_changes.include?('namespace_id')
- project.send_move_instructions
- end
-
+ if project.update_attributes(params.except(:default_branch))
if project.previous_changes.include?('path')
project.rename_repo
end
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index b6a5806d64605c2e5866d450f900553a1fb4fc7f..d7d209e16f7c09aab26cff84075ae1cb6df68c1f 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -98,10 +98,14 @@ module API
def attributes_for_keys(keys)
attrs = {}
+
keys.each do |key|
- attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
+ if params[key].present? or (params.has_key?(key) and params[key] == false)
+ attrs[key] = params[key]
+ end
end
- attrs
+
+ ActionController::Parameters.new(attrs).permit!
end
# error helpers
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 92dbe97f0a468b18ecb423aa324c7f7c5fd71279..6085edab5995bcf6e1cf7846d22a77b37530c6af 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -59,7 +59,7 @@ module API
authenticated_as_admin!
required_attributes! [:email, :password, :name, :username]
attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :extern_uid, :provider, :bio, :can_create_group, :admin]
- user = User.build_user(attrs, as: :admin)
+ user = User.build_user(attrs)
admin = attrs.delete(:admin)
user.admin = admin unless admin.nil?
if user.save
diff --git a/lib/gitlab/config_helper.rb b/lib/gitlab/config_helper.rb
new file mode 100644
index 0000000000000000000000000000000000000000..41880069e4cfc4e3fbcf2b4f69cc816122b3394a
--- /dev/null
+++ b/lib/gitlab/config_helper.rb
@@ -0,0 +1,9 @@
+module Gitlab::ConfigHelper
+ def gitlab_config_features
+ Gitlab.config.gitlab.default_projects_features
+ end
+
+ def gitlab_config
+ Gitlab.config.gitlab
+ end
+end
diff --git a/lib/gitlab/oauth/user.rb b/lib/gitlab/oauth/user.rb
index 38e33c0eee55e75ca5bd7a87af51dab4b7624ba1..94d59180e15dd8c495f33eb9a2deb7890f8a207d 100644
--- a/lib/gitlab/oauth/user.rb
+++ b/lib/gitlab/oauth/user.rb
@@ -27,7 +27,7 @@ module Gitlab
password_confirmation: password,
}
- user = model.build_user(opts, as: :admin)
+ user = model.build_user(opts)
user.skip_confirmation!
# Services like twitter and github does not return email via oauth