1. 09 Nov, 2016 1 commit
  2. 08 Nov, 2016 1 commit
  3. 03 Nov, 2016 1 commit
  4. 02 Nov, 2016 1 commit
  5. 01 Nov, 2016 3 commits
  6. 17 Oct, 2016 13 commits
  7. 11 Oct, 2016 13 commits
  8. 05 Oct, 2016 7 commits
    • e646439e
    • Update VERSION to 8.12.4 · ba8aeb7c
      Ruben Davila authored
    • Prepare CHANGELOG for the next patch · b7333712
      Rémy Coutable authored
      Signed-off-by: Rémy Coutable <remy@rymai.me>
    • Merge branch 'fix/import-service-issues' into 'master' · 351025ec
      Robert Speicher authored
      Fix issues importing services via Import/Export
      
      Prevents errors when initialising services that do not have any properties set yet, a case that could happen when importing projects.
      
      Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/22891
      
      See merge request !6667
      Signed-off-by: Rémy Coutable <remy@rymai.me>
    • Merge branch 'fix/export-project-file-permissions' into 'security' · 1803bc26
      Douwe Maan authored
      Fix export project file permissions issue
      
      Fixes security concerns of https://gitlab.com/gitlab-org/gitlab-ce/issues/22757
      
      I have just added the permissions 0700 to the creation of any of the export paths, as @jacobvosmaer suggested in https://gitlab.com/gitlab-org/gitlab-ce/issues/22757#note_16197616
      
      After this has been fixed, it could take up to 24 hours in the worst-case scenario for old archives to be completely safe. This is the time `ImportExportProjectCleanupWorker` may take to remove the folders. The temporary folders will be 0700 straight away for new installations.
      
      See merge request !2003
      Signed-off-by: Rémy Coutable <remy@rymai.me>
    • Merge branch 'fix/id-claim-import-issue' into 'master' · 04def4d8
      Douwe Maan authored
      Prevent claiming associated model IDs via import
      
      On the import side, we should be careful not to use any IDs as part of the JSON file that could have been manipulated.
      
      Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/20821
      
      Things we already do (__before__ this fix):
      
      1. Remove all primary keys
      1. **Always** reassign some of the foreign keys, such as ALL project IDs and user IDs (so it would be difficult to impersonate or try to gain access to another project)
      1. Ignore/reject attributes that do not exist in the model
      1. If someone reassigns a foreign key `submodel_id`, and that object has another json as the submodel, the new submodel will reassign the `submodel_id` to the newly created submodel ID.
      
      Things we should do:
      
      1. Remove/nullify any other foreign keys that we don't reassign (checked this, and there aren't many, fortunately. In fact, I don't think much harm can be done at all - at the moment).
      
      See merge request !1985
      Signed-off-by: Rémy Coutable <remy@rymai.me>
    • Merge branch 'sh-fix-project-deletion-private-visibility' into 'master' · 07602af1
      Rémy Coutable authored
      Fix project deletion when feature visibility is set to private
      
      Projects that are destroyed are put in the pending_delete state.
      The ProjectDestroyWorker checks whether the current user has
      access, but since the ProjectFeature class uses the default scope
      of the Project, it will not be able to find the right project.
      
      This was a regression in 8.12 that caused the following stack trace:
      
      ```
      NoMethodError: undefined method `team' for nil:NilClass
        from app/models/project_feature.rb:62:in `get_permission'
        from app/models/project_feature.rb:34:in `feature_available?'
        from app/models/project.rb:21:in `feature_available?'
        from app/policies/project_policy.rb:170:in `disabled_features!'
        from app/policies/project_policy.rb:29:in `rules'
        from app/policies/base_policy.rb:82:in `block in abilities'
        from app/policies/base_policy.rb:113:in `collect_rules'
        from app/policies/base_policy.rb:82:in `abilities'
        from app/policies/base_policy.rb:50:in `abilities'
        from app/models/ability.rb:64:in `uncached_allowed'
        from app/models/ability.rb:58:in `allowed'
        from app/models/ability.rb:49:in `allowed?'
        from app/services/base_service.rb:11:in `can?'
        from lib/gitlab/metrics/instrumentation.rb:155:in `block in can?'
        from lib/gitlab/metrics/method_call.rb:23:in `measure'
        from lib/gitlab/metrics/instrumentation.rb:155:in `can?'
        from app/services/projects/destroy_service.rb:18:in `execute'
      ```
      
      Closes #22948
      
      See merge request !6688
      Signed-off-by: Rémy Coutable <remy@rymai.me>