Fixes #19789 - fix Layout/SpaceAroundOperators cop

Fixes #23487 - support namespaced controllers

Fixes #19787 - Fix Layout/SpaceAfterComma cop

Fixes #21055 - use _id attributes for host taxonomy validator

Otherwise, the error messages are not visible.

Also log the host error messages as `error` instead of `info`, as it
should be more appropriate for this case.

Fixes #23081 - Fix Style/SafeNavigation cop

Fixes #19839 - Fix Rails/Present cop

Fixes #21999,#22005 - Migrate toasts to pf-react

• Replace Alert and Toasts components with patternfly-react
• Refactor the server side flash-notification
• Allow rails-flah-notification to react-toast-notification with link

Refs #20800 - Move session timed out warning inline

Fixes #19889 - Fix Style/PerlBackrefs cop

Fixes #21099 - Replace redirect_to :back with redirect_back

Some instances of process_success/error with :back as a redirect also
need changing, and the redirect_back_or_to helper should be deprecated
and replaced throughout with redirect_back too.

Fixes #21119 - set taxonomies in API

With this we correctly set the default taxonomy for non-admin users
in API calls. Admins are not touched at all, their context remains
"any context" for API calls. This also refactors various places
where tried to set the right taxonomy and combines them into single...

Fixes #20954 - don't access MIME types via constants

Fixes #20951 - Replace render :text with :plain

Fixes #20959 - Remove :status option on 'head'

Fixes #20800 - Comply with Patternfly login page recommendations

• Move alerts inline above form
• Make submit button not show a "loading" state

Fixes #19529: Use main_app for redirect in case of plugins

Sometimes when entering the require_mail filter, the plugins context
is carried over and the route cannot be matched. Using main_app ensures
that it will resolve the path from the proper context.

Fixes #20272 - correctly rescue QueryNotSupported in production

When in production, the generic exception rescue shadows the
ScopedSearch::QueryNotSupported rescue method, preventing the correct
message being displayed on an invalid search.

fixes #19479, #10587, #19500 - two pane notifications are visible

- notification is now inside the content div, allowing two-pane server
responses to include it.
- refactored all notifications to use notification helpers (notice,
warning and error) instead of direct flash manipulation...

fixes #19035 - rewrite TopbarSweeper without rails-observers

Moves from the observer object into two mixins, one on the model and one
on the top-level controllers to observe creates/updates/destroys on
monitored models. Replaces rails-observers as it lacks Rails 5 support.

Fixes #18410 - log permission denials

Fixes #17864 - Show smart proxy errors on unattended fail

If your proxy is has some error (like misconfigured sudoers, puppet not
available, etc...) and you try to boot a host through unattended
mode [1], the exception will not show up when you try to fetch the...

Fixes #16739 - unify parameters permissions

Fixes #17084 - Add webpack on welcome and unauthorized pages

Adds webpack server to CSP headers via prepend_before_action,
to ensures it is run before welcome and authorized filters.

fixes #16892 - secureheaders expects img_src parameter

refs #16689 - expand array of eager load tables

Previously an array of tables (e.g. on Puppetclasses, SubnetsController)
triggered false positive warnings from Bullet:

| Unused Eager Loading detected
|   Subnet::Ipv4 => [[:domains, :dhcp]]

and when no tables were passed on most index pages:...

Refs #16689 - Missing DRY index action controllers

Some of the controllers that could have used the refactor in #16689 were
not added in that commit.

Additionally, I've fixed the '.includes' leftover in those controllers
from Rails 3 to be '.eager_load' now. '.includes' does not change the...

Fixes #16689 - DRY index action with search

fixes #16635 - welcome page works with scoped models

Fixes #16624 - Make AuthSourceLDAP taxable

This allows users to set organizations/locations on AuthSourceLDAP
objects. That in itself might not be that useful, but it allows us to
follow on and assign the AuthSourceLDAP taxonomies to the users
autocreated through it.

Fixes #9117 - Upgrade secure_headers to version 3.4

Any plugin that makes changes to secure headers may need to be updated
to correctly handle this upgrade, as there have been some breaking
changes to the secure_headers api.

fixes #3917 - replace protected_attrs with strong parameters

Filtering of attributes has moved from the protected_attributes gem to
strong parameters in controller concerns, to be in line with current
Rails recommendations.

Concerns are shared between UI and both API controllers and list the...

Refs #3809 - Using defaults for AndOr cop

fixes #15682 - don't save invalid attributes at login from LDAP

When a user logs in and their last_login_on attribute is updated, bypass
saving the whole model which may contain invalid, unpersisted data.

Also fixes the warning about invalid synced attributes to show during...

fixes #15720 - rename *_filter to *_action

The older 'filter' name is changing in Rails to 'action' and is being
deprecated.

Fixes #15490 - adding view_host filter and better msg

Users who are logged in with permissions to view some hosts are able to
preview provisioning templates for any host by specifying its hostname
in the URL, as the specific view_hosts permissions and filters aren't...

Refs #3809 - Turning on the AndOr cop

Fixes #14410 - respond 503 when pending migration

fixes #15466 - require e-mail for current user

Refs #3809 - Turning on some rubocop cops

fixes #14050 - resolving N+1 query on hosts#index

Refs #12911 - Fixing colon method calls

Fixes #12720 - Add tabs for puppet on proxy show page

This patch adds two tabs to the proxy show page related to puppet
1. Puppet - this tab is for proxies managing a puppet master. This tab
displays information about the puppet master, such as number of classes...

Fixes #12754 - adds permission name to 403 page

Fixes #7230, #12021 - Upgrade to Rails 4.1.5

This commits upgrades Rails to Rails 4.1.5. See a description of the
changes included here, and go to the pull request in GitHub to see more
detailed explanations:

• Update gems to a Rails 4 compatible version, including dependencies...

Fixes #11924 - Substitute .scoped by .where(nil) to force return relation

On Rails 4 .scoped is deprecated. Calling .all on the model returns the
equivalent ActiveRecord relation object on Rails 4, but on Rails 3 it
returns an Array right away.

A proper replacement we can use is where(nil) - it's ugly but it returns...

Fixes #10988 - Remove 1.11 deprecations

Fixes #10782 - global host status

• OK
• WARN
• ERROR

Plugins can add their own substatuses. These are automatically...

fixes #7275 - remove welcome page and replace with docs button

Refs #3809 - Enable cop Style/MultilineTernaryOperator

Fixes #10635 - Formalize deprecation warning

Fixes #10713 - improved backtrace logging

• full trace in 500 page in production shows really the full trace
• Foreman::Logging.exception as an unified entry point for exceptions logging
• the backtrace cleaner doesn't delete the plugins
• the orchestration exceptions gets the backtrace covered by logger...

fixes #10471 - use Rails' force_ssl

Fixes #8525 - Rename "Mail" to "Email" in user preferences

Refs #3809 - Remove nested ternary and nil checking

Fixes #9674 - Handle ProxyAPI exceptions on PuppetCA controller

Refs #3809 - Remove cops for empty lines

Fixes #9099 - Upgrade rubocop to 0.28.0

Fixes #8838 - Replace HTTP error codes with human-readable symbols

Fixes #8837 - Return correctly formatted response on ajax_error

fixes #8049 - Add timezone to user

Fixes #8428 - Connecting audits to existing users

fixes #5773 - redirect to referrer URL that includes page and search

Fixes #7519 - i18n extract ajax error message

fixes #7331 - delete unassigned os default templates

fixes #7898 - ensure that format can respond to json / yaml

fixes #7805 - Add several security related HTTP headers - security hardening.

• Content Security Policy
• HTTP Strict Transport Security
• X-XSS-Protection...

Fixes #5139 - leftovers subscribe_to_all_hostgroups

Remove user_xxx unnecessary tables and notices

Update subhostgroups removed

Fixes for migration of foreign keys

Remove users from compute_resource fixture

Remove table notices after fk are removed for pg/mysql

Refs #3809 - Use parentheses in method definitions

Refs #3809 - Fix a few rubocop TODOs

fixes #4386 - gem friendly_id to simplify find by id, name, label, etc

Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)

To avoid CSRF, logout is changed to be a POST request so
protect_from_forgery checks the CSRF token. However, in Rails 3 the only
strategy available is to nullify the session of the attacker....

Fixes #4596 - Change parent of host group via AJAX

Reparenting host groups requires submitting the form to see the changes
nowadays, this fix makes the host group model inherit all properties
from the parent and show them in real time.

fixes #7218 - authorize hosts welcome page

fixes #6964 - replace default scope that hides users with explicit scope

fixes #6857 improve two-pane load times

fixes #3272 - allow 'admin' account to be removed and replaced

fixes #5881 - XSS from create/update/destroy notification boxes (CVE-2014-3491)

fixes #3592 lazy load vm with ajax in host show page.

Fixes #4884 : remove duplicate slashes from the gravatar url

The issue is that request.protocol returns http:// instead of http. The code assumed no trailing slashes

fixes #4776 - support session[:expires_at] for api requests

There are situations where the UI needs to invoke requests
on the API controllers; therefore, we need to ensure that
the session expiration accounts for them. This is a common
for plugins, such as Katello, which leverage the...

fixes #4457 - Session fixation, new session IDs are not generated on login (CVE-2014-0090)

fixes #4194, #4459 - add main_app to root_path references for isolated engines

fixes #812 - new permissions model, user group role and nest support, role filters for better granularity

• Daniel Lobato <elobatocs@gmail.com>
• Joseph Magen <jmagen@redhat.com>
• Tom McKay <thomasmckay@redhat.com>
• Greg Sutcliffe <gsutclif@redhat.com>...

fixes #3845 - user login session ending clears chosen organization

fixes #3339 - nested fact support, allow fact importers to be registered by plugins

Fixes #3753 - always use main_app to determine paths for running an isolated namespace plugin

fixes #3516 - resource names (inc. domains) are now being parametrized when used to construct urls

fixes #3141: SmartPrpxyAuth no longer calls #render_403 method defined in ApplicationController

fixes #2969 - remove all legacy api code in UI controllers, add deprecation response

fixes #2988 - merge authentication code, enables REMOTE_USER auth on new API controllers

fixes #2877: deletion of the organization or location in the context no longer breaks the session

fixes #2802 controller methods fail for name-spaced controllers

fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)

Fixes #2502 - session expiration updates

Signo now allows to transparently prolong user session which got
expired. Also when you now logout from Foreman you will end up in Signo
login form. This brings some code clean up and test changes and small
SSO method API change.

fixes #2440 remove unused files, code, unnecessary require statements

Fixes #2513 - orgs created in katello do not appear in org filtering

- topbar cache sweeper turned on for api controllers
- a bit of refactoring to get rid of repetitive expire_fragment

fixes #2511 Footer should be replaced with an about page

Fixes #2460 - session expiration fix for SSO

We set new expiration interval when user logs in successfully using any
kind of SSO. Also this patch moves logout path out of thread variable
and stores it into a session. This is more secure storage for threaded...

fixes #2444 - locale selector in user account

fixes #2420 - extract strings for i18n from JavaScript, various i18n fixes