delta/gitlab/gitlab-ce.git/spec/requests/lfs_http_spec.rb, branch docs/edit-rules-docs gitlab.com: gitlab-org/gitlab-ce.git Cleanup usages of `JSON.parse` in specs 2019-07-16T08:03:49+00:00 Peter Leitzen pleitzen@gitlab.com 2019-07-16T08:03:49+00:00 7b87ed14991737930eb8f353feec9e6c8af6c1ac Prefer `json_response` where applicable. 
Prefer `json_response` where applicable.
Verify that LFS upload requests are genuine 2019-01-31T15:52:48+00:00 Nick Thomas nick@gitlab.com 2019-01-08T17:57:58+00:00 5b075413d95606949a305c0c65154a81e7b8a85d LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse: * Authorizes the request with rails (upload_authorize) * Handles the upload of the file to a tempfile - disk or object storage * Validates the file size and contents * Hands off to rails to complete the upload (upload_finalize) In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID. Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request. If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request. The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID. We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists. 
LFS uploads are handled in concert by workhorse and rails. In normal
use, workhorse:

* Authorizes the request with rails (upload_authorize)
* Handles the upload of the file to a tempfile - disk or object storage
* Validates the file size and contents
* Hands off to rails to complete the upload (upload_finalize)

In `upload_finalize`, the LFS object is linked to the project. As LFS
objects are deduplicated across all projects, it may already exist. If
not, the temporary file is copied to the correct place, and will be
used by all future LFS objects with the same OID.

Workhorse uses the Content-Type of the request to decide to follow this
routine, as the URLs are ambiguous. If the Content-Type is anything but
"application/octet-stream", the request is proxied directly to rails,
on the assumption that this is a normal file edit request. If it's an
actual LFS request with a different content-type, however, it is routed
to the Rails `upload_finalize` action, which treats it as an LFS upload
just as it would a workhorse-modified request.

The outcome is that users can upload LFS objects that don't match the
declared size or OID. They can also create links to LFS objects they
don't really own, allowing them to read the contents of files if they
know just the size or OID.

We can close this hole by requiring requests to `upload_finalize` to be
sourced from Workhorse. The mechanism to do this already exists.
Avoid extra storage bucket perm and query 2018-12-21T18:34:05+00:00 Michael Kozono mkozono@gmail.com 2018-12-21T17:56:37+00:00 d2d85c31fea920b0e62fb600fc6de874762a71ad Specifically, the `ListAllMyBuckets` permission. This works if you know the directory exists. See more: * https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23981 * https://stackoverflow.com/a/12288581/1992201 
Specifically, the `ListAllMyBuckets` permission.

This works if you know the directory exists.

See more:

* https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23981
* https://stackoverflow.com/a/12288581/1992201
Update specs to rails5 format 2018-12-18T23:04:31+00:00 blackst0ne blackst0ne.ru@gmail.com 2018-12-17T22:52:17+00:00 b44a2c801a64fb282cea794871fcfcf81e4ec539 Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 
Updates specs to use new rails5 format.

The old format:
`get :show, { some: params }, { some: headers }`

The new format:
`get :show, params: { some: params }, headers: { some: headers }`
Fix LFS uploads not working with git-lfs 2.5.0 2018-07-31T13:15:14+00:00 Stan Hu stanhu@gmail.com 2018-07-31T13:13:01+00:00 c5645a673955d5711bf589ad60ee6607220fdc9d git-lfs 2.5.0 now sets the Content-Type header instead of hard-coding it to application/octet-stream: https://github.com/git-lfs/git-lfs/pull/3137 To avoid this issue, we explicitly tell the client to use application/octet-stream. Closes #49752 
git-lfs 2.5.0 now sets the Content-Type header instead of hard-coding it to
application/octet-stream: https://github.com/git-lfs/git-lfs/pull/3137

To avoid this issue, we explicitly tell the client to use
application/octet-stream.

Closes #49752
Resolve "Deploy Tokens failed to clone LFS repository" 2018-07-23T09:23:08+00:00 Mayra Cabrera mcabrera@gitlab.com 2018-07-23T09:23:08+00:00 f2c46672cae763bb213e8aa14253e5eea48c1064 






Resolve "Rename the `Master` role to `Maintainer`" Backend
2018-07-11T14:36:08+00:00

Mark Chao
mchao@gitlab.com

2018-07-11T14:36:08+00:00

a63bce1a4b55bc6cbafb9dec12d33028521489e9












Support presigned multipart uploads
2018-06-04T11:04:29+00:00

Kamil Trzciński
ayufan@ayufan.eu

2018-05-09T15:27:38+00:00

b8370c9f55843351b49073dafe84a2e9858c8c8a












Fix spec
2018-05-28T01:44:26+00:00

Shinya Maeda
shinya@gitlab.com

2018-05-28T01:44:26+00:00

cb2802dbbcacd867336c9d1da214a1c7a9047089












Add `direct_upload` setting for artifacts
2018-04-05T13:01:14+00:00

Kamil Trzciński
ayufan@ayufan.eu

2018-04-03T16:47:33+00:00

678620cce67cc283b19b75137f747f9415aaf942