Filtering in front of HTTPX calls is less secure, because it's vulnerable to
DNS rebinding. In addition to that, it's also duplicate work, because all affected
call sites would have to make sure to "remember" SSRF filtering.
This SSRF filter is inspired by the original HTTPX SSRF Filter, but uses our custom
IP address matcher that allows configuring safe IP addresses or ranges.
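As an added illustration of the point made in this commit message (example code, not OpenProject's or HTTPX's own), the block below contrasts an up-front filter with one that sits in the connect path. The class and method names (`IpMatcher`, `RebindingResolver`, `fetch_with_precheck`, `fetch_with_connect_filter`) and the resolver answers are constructed for the example; the resolver stands in for a DNS server that answers with a public address first and an internal one afterwards, which is the rebinding pattern the message refers to.

```ruby
require "ipaddr"

# Added example: a connection-time SSRF filter with a configurable allowlist.
# Constructed names; this is not OpenProject's or HTTPX's own code.

# Address ranges that should never be reached from a server-side HTTP client
# unless explicitly allowed (RFC 1918, loopback, link-local, CGNAT, IPv6 equivalents).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 100.64.0.0/10 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Matcher that accepts an operator-configured list of safe addresses or CIDR ranges.
class IpMatcher
  def initialize(allowed: [])
    @allowed = allowed.map { |cidr| IPAddr.new(cidr) }
  end

  # Returns true when the resolved address is safe to connect to.
  def safe?(ip)
    addr = IPAddr.new(ip.to_s)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is compared as plain IPv4 so it cannot bypass the list.
    addr = addr.native if addr.ipv4_mapped?
    return true if @allowed.any? { |range| range.include?(addr) }

    BLOCKED_RANGES.none? { |range| range.include?(addr) }
  end
end

# Constructed stand-in for a rebinding DNS server: the first answer is public,
# every later answer is the internal address.
class RebindingResolver
  def initialize(answers)
    @answers = answers.dup
  end

  def resolve(_host)
    @answers.size > 1 ? @answers.shift : @answers.first
  end
end

# Stand-in for opening the connection; returns what a client would have reached.
def connect(ip)
  "connected to #{ip}"
end

# Pattern A: check once before the call, then let the client resolve again on connect.
# The address actually connected to is never filtered.
def fetch_with_precheck(host, resolver, matcher)
  return :blocked_upfront unless matcher.safe?(resolver.resolve(host))

  ip = resolver.resolve(host) # the HTTP client does its own lookup
  connect(ip)
end

# Pattern B: the filter sits in the connect path and sees the address actually used.
def fetch_with_connect_filter(host, resolver, matcher)
  ip = resolver.resolve(host)
  return :blocked_at_connect unless matcher.safe?(ip)

  connect(ip)
end

if __FILE__ == $PROGRAM_NAME
  matcher = IpMatcher.new(allowed: ["10.0.5.0/24"])
  puts fetch_with_precheck("example.test", RebindingResolver.new(%w[203.0.113.10 127.0.0.1]), matcher)
  r = RebindingResolver.new(%w[203.0.113.10 127.0.0.1])
  puts fetch_with_connect_filter("example.test", r, matcher)
  puts fetch_with_connect_filter("example.test", r, matcher)
end
```

The allowlist is consulted before the blocklist, so a deliberately exposed internal range (here the constructed `10.0.5.0/24`) can be opened without weakening the defaults, and the up-front pattern ends up connected to the loopback address because its second lookup is the one the client uses.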
- reused sessions caused, under certain circumstances, HTTP requests to fail
- reusing sessions was mandatory for persistent connections, but those
are not used anymore
* spec with correctly scoped links
* move db check into own file - fix deprecation
* basic spec for member creation service
* use constants for all notifications
* send an OP notification after member has been created
* send an OP notification after member has been updated
* mails on group member added
Depending on whether the membership existed before or not, an updated or
a created notification is sent. This is done asynchronously.
* move all mail sender background jobs into namespace
* wip
* wip
* correct handling group member notifications
* add setting enable/disable mail sending on member alterations
* use services in members controller
* move Notifiable to OpenProject
* remove member after save hooks
* cleanup/testing/linting
* render member mails in receiver locale
* remove add_member! method
* use mailer layout for all mailers
* Update app/services/groups/cleanup_inherited_roles_service.rb
Co-authored-by: Oliver Günther <mail@oliverguenther.de>
* use around callback to avoid prepending
* handle nil params
Co-authored-by: Oliver Günther <mail@oliverguenther.de>
Updates the copyright to 2021 for all files that have a copyright. Files in our source code without the copyright header still do not receive one automatically. Additionally, blacklisted files are also excluded.
Previously the copyright of chiliproject, which references redmine, stated a copyright of redmine up to and including 2017, which is not true for the code we have in here. Because of that I changed that to 2013.
* use cte for aggregated journal
* Revert "use cte for aggregated journal"
This reverts commit 5fedefefdd.
* add another subselect that could later on be provided from the outside
* allow passing a nucleus SQL to aggregated journals
* wip - using aggregated journal for activity
* new sql for aggregated journals
* start implementing new aggregated query
* additional documentation
* consolidate activity functionality
* simplify by turning into instance methods
* move activity fetcher out of redmine
* remove verb verification made obsolete
Without catchall routes, the dispatching handles it
* remove duplicate authorize check
* refactor activities controller
* refactor activity fetcher
* cache avatar file
* sort choosable events
* remove legacy spec covered by contemporary
* speed up aggregated journals via CTE
* instance var might never have been set
* ensure the event_types are always transmitted
* correctly reset the avatar cache
* fix avatar fetcher expectation regarding wiki pages
* adapt spec
[ci skip]