1. 24 Oct, 2019 5 commits
    • Merge branch 'security-64519-circular-graphql-queries-12-4' into '12-4-stable' · a6adb336
      GitLab Release Tools Bot authored
      Nested GraphQL query with circular relationship can cause Denial of Service
      
      See merge request gitlab/gitlabhq!3492
    • Merge branch 'security-33689-post-filter-search-results-ce-12-4' into '12-4-stable' · bbe85167
      GitLab Release Tools Bot authored
      Filter out search results based on permissions to avoid bugs leaking data
      
      See merge request gitlab/gitlabhq!3496
    • Merge branch... · ddfb7160
      GitLab Release Tools Bot authored
      Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internalsecurity-65756-ex-admin-attacker-can-comment-in-internal-12-4' into '12-4-stable'
      
      Improper access control allows the attacker to comment in internal commit after they are no longer admin
      
      See merge request gitlab/gitlabhq!3497
    • Merge branch... · 203f5b43
      GitLab Release Tools Bot authored
      Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-4' into '12-4-stable'
      
      Hide private members in project member autocomplete
      
      See merge request gitlab/gitlabhq!3503
    • Pick only those groups that the viewing user has access to, · 9347f47a
      Aakriti Gupta authored
      in a project members' list. Add tests for possible scenarios
      
      Re-factor and remove N + 1 queries
      
      Remove author from changelog
      
      Don't use memoisation when not needed
      
      Include users part of parents of project's group
      
      Re-factor tests
      
      Create and add users according to roles
      
      Re-use group created earlier
      
      Add incomplete test for ancestral groups
      
      Rename method to clarify category of groups
      
      Skip pending test, remove comments not needed
      
      Remove extra line
      
      Include ancestors from invited groups as well
      
      Add specs for participants service
      
      Add more specs
      
      Add more specs
      
      use  instead of
      
      Use public group owner instead of project maintainer to test owner access
      
      Remove tests that have now been moved into participants_service_spec
      
      Use :context instead of :all
      
      Create nested group instead of creating an ancestor separately
      
      Add comment explaining doubt on the failing spec
      
      Improve test setup
      
      Optimize sql queries
      
      Refactor specs file
      
      Add rubocop disablement
      
      Add special case for project owners
      
      Add small refactor
      
      Add explanation to the docs
      
      Fix wording
      
      Refactor group check
      
      Add small changes in specs
      
      Add cr remarks
      
      Add cr remarks
      
      Add specs
      
      Add small refactor
      
      Add code review remarks
      
      Refactor for better database usage
      
      Fix failing spec
      
      Remove rubocop offences
      
      Add cr remarks
  2. 23 Oct, 2019 8 commits
  3. 22 Oct, 2019 3 commits
  4. 07 Oct, 2019 3 commits
  5. 02 Oct, 2019 4 commits
  6. 01 Oct, 2019 4 commits
  7. 30 Sep, 2019 1 commit
  8. 26 Sep, 2019 12 commits