Commit Graph

203 Commits (4a2afe49023c5d463fc6b3a3f0679066a16fbd5e)

Author SHA1 Message Date
Oliver Günther 638340e7b6 Fix rubocop issues 9 years ago
Cyril Rohr 1b29d8ec92 Move email settings out of the YAMl configuration file, and into the Settings page 9 years ago
Markus Kahl 6827c832f6 make available standard I18n's #t 9 years ago
Oliver Günther fb4bf739d9 Allow the configuration to disable APIv2 basic auth 9 years ago
Oliver Günther 82eb512450 Make session name configurable 9 years ago
Oliver Günther c7e410ef11 Warn users when OP cookie is missing 9 years ago
Jens Ulferts be21a7a504 update error message for bulk operations across multiple projects 9 years ago
Oliver Günther a6b4372b09 Always preprocess URLs with CGI.unescape 9 years ago
Oliver Günther fcd450af3f Fix redirect vulnerability 9 years ago
Oliver Günther 6eeea9d1da Avoid mutator sort on relations 9 years ago
Jens Ulferts 6e01b27f18 rename service's method to be in accordance with proc 9 years ago
Jens Ulferts c471080e08 set locale before API v3 request 9 years ago
Markus Kahl dd496297fd don't use random language as user's language 9 years ago
Oliver Günther 7ebac37c14 Repository Management - Refactoring and Preparation 9 years ago
Alex Coles 0ad3cfb4b2 Prefer do…end for controller respond_to blocks 9 years ago
Markus Kahl bcd981df5c consider X-Authentication-Scheme; opt scoped realm 10 years ago
Markus Kahl d854df5175 suppress browser prompt on authenticate failure 10 years ago
Alex Coles e02eb0181d Migrate AR finder/query methods in controllers 10 years ago
Alex Coles ec1bb39f9b Fix syntax (w/Rubocop) in (Rails) controllers 10 years ago
Alex Coles 57618b25ec Replace dynamic finder usages with #find_by, etc. 10 years ago
Alex Coles bc5abb34ab Remove explicit require_dependency of Principal 10 years ago
Markus Kahl 560d970b0f in-regex comments 10 years ago
Markus Kahl 4abd716dd6 more comments 10 years ago
Markus Kahl 52fe1da137 don't redirect back to logout 10 years ago
Alex Coles e0191e759c Update year in copyright header to 2015 10 years ago
Alex Coles 3629ded2ae Handle ActionController::ParameterMissing globally 10 years ago
Alex Coles bb0e6e6aa5 Fix syntax (w/Rubocop) in (Rails) controllers 10 years ago
Alex Coles 336446c59d Use 1.9+ Hash syntax in (Rails) controllers 10 years ago
Richard 72b6e26461 Twist redirect to back url method to work with JSON params. 10 years ago
Martin Linkhorst 8877883c63 given openproject runs in a subdirectory we cannot allow redirecting to a different subdirectory. also tries to catch shenanigans to circumvent the check like ".." in the path. 10 years ago
Marek Takac 2269f9a8ee Fixed authorization service calls 10 years ago
Martin Linkhorst 1f36d43b70 there was a wrong parenthesis: the last match needs to be ANDed with all the prior checks. instead of changing it, refactored the code to be more clear. still allows redirects to different sub-uris. 11 years ago
Philipp Tessenow d8cb82a2e8 explicitly allow home path in back_url 11 years ago
Philipp Tessenow 0cdbaf39f6 fix protocol-relative redirection test 11 years ago
jplang 1db8642ac6 [security] fixed back url verification 11 years ago
Marek Takac 1ca62def08 Used named params in AuthorizationService constructor 11 years ago
Marek Takac bb8aa422b1 Refactored Authorization service 11 years ago
Marek Takac ac2c89c0d7 Initial foundations for API v3 11 years ago
Michael Frister 98f81665db CSRF Protection: Prevent login CSRF 11 years ago
Michael Frister ed7ffdc616 CSRF Protection: Don't attempt to catch unused InvalidAuthenticityToken 11 years ago
Michael Frister c2fdfd0f1d Fix API requests without CSRF token being rejected 11 years ago
Philipp Tessenow d3e6a5b284 better handle handle_unverified_request 11 years ago
Philipp Tessenow 3c5fb24d8c rubocopify most parts of the application controller 11 years ago
Toshi MARUYAMA 5233d6d0f0 remove Rails2 Ruby1.9 utf8nize! 11 years ago
Toshi MARUYAMA 4775f66e77 fix non-ascii attachment file name get corrupted in IE11 (#16711) 11 years ago
Richard aad7606340 Encoding filter operator values to avoid url escaping browser bullshit. 11 years ago
Richard 2f11241407 WIP. using the url params to keep state but having a nightmare with url escaping:/ 11 years ago
Jean-Philippe Lang b8ffa31e1a Potentiel data leak in "Invalid form authenticity token" error screen (#16511). 11 years ago
Martin Linkhorst a83af510cb given openproject runs in a subdirectory we cannot allow redirecting to a different subdirectory. also tries to catch shenanigans to circumvent the check like ".." in the path. 11 years ago
Martin Linkhorst dbc75d4263 there was a wrong parenthesis: the last match needs to be ANDed with all the prior checks. instead of changing it, refactored the code to be more clear. still allows redirects to different sub-uris. 11 years ago