Fixes #19789 - fix Layout/SpaceAroundOperators cop
Fixes #23487 - support namespaced controllers
Fixes #19787 - Fix Layout/SpaceAfterComma cop
Fixes #21055 - use _id attributes for host taxonomy validator
Otherwise, the error messages are not visible.
Also log the host error messages as `error` instead of `info`, as it should be more appropriate for this case.
Fixes #23081 - Fix Style/SafeNavigation cop
Fixes #19839 - Fix Rails/Present cop
Fixes #21999,#22005 - Migrate toasts to pf-react
Refs #20800 - Move session timed out warning inline
Fixes #19889 - Fix Style/PerlBackrefs cop
Fixes #21099 - Replace redirect_to :back with redirect_back
Some instances of process_success/error with :back as a redirect also need changing, and the redirect_back_or_to helper should be deprecated and replaced throughout with redirect_back too.
Fixes #21119 - set taxonomies in API
With this we correctly set the default taxonomy for non-admin users in API calls. Admins are not touched at all, their context remains "any context" for API calls. This also refactors various places where we tried to set the right taxonomy and combines them into single...
Fixes #20954 - don't access MIME types via constants
Fixes #20951 - Replace render :text with :plain
Fixes #20959 - Remove :status option on 'head'
Fixes #20800 - Comply with Patternfly login page recommendations
Fixes #19529: Use main_app for redirect in case of plugins
Sometimes when entering the require_mail filter, the plugin's context is carried over and the route cannot be matched. Using main_app ensures that it will resolve the path from the proper context.
Fixes #20272 - correctly rescue QueryNotSupported in production
When in production, the generic exception rescue shadows the ScopedSearch::QueryNotSupported rescue method, preventing the correct message being displayed on an invalid search.
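The shadowing described in this commit message is a handler-ordering problem. ActiveSupport's `rescue_from` handlers are searched from the last declared to the first, so a generic `StandardError` handler registered after a specific one wins for every exception, including the specific one. The following is an added example, not Foreman's or Rails' code: a small stand-in for that lookup, with a hypothetical `QueryNotSupported` class and hypothetical handler names, showing the shadowed ordering beside the ordering that lets the specific handler run.

```ruby
# Added example: a tiny model of ActiveSupport::Rescuable's handler lookup
# (last declared handler is checked first). Not Foreman's code; the
# exception class, controller and handler names are stand-ins.

class QueryNotSupported < StandardError; end # stand-in for ScopedSearch::QueryNotSupported

class MiniRescuable
  def initialize
    @handlers = [] # [[exception_class, handler_name], ...] in declaration order
  end

  def rescue_from(klass, with:)
    @handlers << [klass, with]
  end

  # Rails walks the handler list from bottom to top, so the first match found
  # when iterating in reverse declaration order is the one that runs.
  def handler_for(exception)
    match = @handlers.reverse.find { |klass, _| exception.is_a?(klass) }
    match && match.last
  end
end

# Ordering that reproduces the bug: the generic handler is declared after the
# specific one, so it is found first for every exception.
def production_shadowed
  c = MiniRescuable.new
  c.rescue_from(QueryNotSupported, with: :invalid_search_message)
  c.rescue_from(StandardError, with: :generic_error_page)
  c.handler_for(QueryNotSupported.new('bad query'))
end

# Ordering that fixes it: the specific handler is declared last, so it is
# checked before the catch-all.
def production_fixed
  c = MiniRescuable.new
  c.rescue_from(StandardError, with: :generic_error_page)
  c.rescue_from(QueryNotSupported, with: :invalid_search_message)
  c.handler_for(QueryNotSupported.new('bad query'))
end

# An unrelated error still reaches the generic handler under the fixed ordering.
def production_fixed_other_error
  c = MiniRescuable.new
  c.rescue_from(StandardError, with: :generic_error_page)
  c.rescue_from(QueryNotSupported, with: :invalid_search_message)
  c.handler_for(RuntimeError.new('boom'))
end
```

The practical check is the same in a real controller: declare the catch-all first (or in a parent class) and the specific `rescue_from` later, and cover it with a test that raises the specific exception and asserts on the rendered message.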
fixes #19479, #10587, #19500 - two pane notifications are visible
- notification is now inside the content div, allowing two-pane server responses to include it.
- refactored all notifications to use notification helpers (notice, warning and error) instead of direct flash manipulation...
fixes #19035 - rewrite TopbarSweeper without rails-observers
Moves from the observer object into two mixins, one on the model and one on the top-level controllers to observe creates/updates/destroys on monitored models. Replaces rails-observers as it lacks Rails 5 support.
Fixes #18410 - log permission denials
Fixes #17864 - Show smart proxy errors on unattended fail
If your proxy has some error (like misconfigured sudoers, puppet not available, etc...) and you try to boot a host through unattended mode [1], the exception will not show up when you try to fetch the...
Fixes #16739 - unify parameters permissions
Fixes #17084 - Add webpack on welcome and unauthorized pages
Adds webpack server to CSP headers via prepend_before_action, to ensure it is run before welcome and authorized filters.
fixes #16892 - secureheaders expects img_src parameter
refs #16689 - expand array of eager load tables
Previously an array of tables (e.g. on Puppetclasses, SubnetsController) triggered false positive warnings from Bullet:
| Unused Eager Loading detected | Subnet::Ipv4 => [[:domains, :dhcp]]
and when no tables were passed on most index pages:...
Refs #16689 - Missing DRY index action controllers
Some of the controllers that could have used the refactor in #16689 were not added in that commit.
Additionally, I've fixed the '.includes' leftover in those controllers from Rails 3 to be '.eager_load' now. '.includes' does not change the...
Fixes #16689 - DRY index action with search
fixes #16635 - welcome page works with scoped models
Fixes #16624 - Make AuthSourceLDAP taxable
This allows users to set organizations/locations on AuthSourceLDAP objects. That in itself might not be that useful, but it allows us to follow on and assign the AuthSourceLDAP taxonomies to the users autocreated through it.
Fixes #9117 - Upgrade secure_headers to version 3.4
Any plugin that makes changes to secure headers may need to be updated to correctly handle this upgrade, as there have been some breaking changes to the secure_headers api.
fixes #3917 - replace protected_attrs with strong parameters
Filtering of attributes has moved from the protected_attributes gem to strong parameters in controller concerns, to be in line with current Rails recommendations.
Concerns are shared between UI and both API controllers and list the...
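The security point behind this migration is mass assignment: with filtering done on the model side it is easy to forget an attribute, and a request body can then set fields such as an admin flag that the form never exposed. Strong parameters move the allow-list to the controller, where every update path has to name what it accepts. Below is an added example in plain Ruby, not Foreman's concerns or Rails' `ActionController::Parameters`, with a hypothetical `User` model and a constructed request body, showing an unprotected update beside an allow-listed one.

```ruby
# Added example: allow-list style attribute filtering in plain Ruby, in the
# spirit of Rails strong parameters. Not Foreman's own code; the model, the
# permitted list and the request body are hypothetical/constructed.

# Attributes a caller may set on a user record (assumed list).
USER_PERMITTED = [:login, :firstname, :lastname, :mail].freeze

# Return only the permitted keys from a raw params hash. Everything else
# (e.g. a smuggled `admin: true`) is dropped; with strict: true such keys
# raise instead, which is what you want in tests and in logs.
def permit_params(raw, allowed, strict: false)
  allowed = allowed.map(&:to_sym)
  raw = raw.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  unpermitted = raw.keys - allowed
  if strict && unpermitted.any?
    raise ArgumentError, "unpermitted parameters: #{unpermitted.join(', ')}"
  end
  raw.select { |k, _| allowed.include?(k) }
end

# A minimal stand-in for an ActiveRecord model.
class User
  attr_reader :attributes

  def initialize
    @attributes = { admin: false }
  end

  # Mass assignment as an unprotected model does it: every key is accepted.
  def assign_all(attrs)
    attrs.each { |k, v| @attributes[k.to_sym] = v }
    self
  end
end

# Constructed request body: a legitimate profile update plus an admin flag the
# form never offered.
REQUEST_PARAMS = {
  'login' => 'alice',
  'mail'  => 'alice@example.com',
  'admin' => true
}.freeze

# Update path without any filtering: the admin flag goes straight through.
def update_unprotected(params = REQUEST_PARAMS)
  User.new.assign_all(params).attributes
end

# Update path through the allow-list: only login and mail reach the model.
def update_with_strong_params(params = REQUEST_PARAMS)
  User.new.assign_all(permit_params(params, USER_PERMITTED)).attributes
end
```

When porting a controller, grep for every `update_attributes`/`new(params[...])` call and make sure each one goes through the permitted list; the attributes that need extra care are exactly the ones a user must not set about themselves (admin flags, role and group membership, ownership).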
Refs #3809 - Using defaults for AndOr cop
fixes #15682 - don't save invalid attributes at login from LDAP
When a user logs in and their last_login_on attribute is updated, bypass saving the whole model which may contain invalid, unpersisted data.
Also fixes the warning about invalid synced attributes to show during...
fixes #15720 - rename *_filter to *_action
The older 'filter' name is changing in Rails to 'action' and is beingdeprecated.
Fixes #15490 - adding view_host filter and better msg
Users who are logged in with permissions to view some hosts are able to preview provisioning templates for any host by specifying its hostname in the URL, as the specific view_hosts permissions and filters aren't...
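The bug pattern in this commit message is a lookup that is not an authorization check: resolving a host by the name in the URL finds it whether or not the current user may see it. The fix is to perform the lookup inside the user's permitted scope so that a guessed hostname resolves to nothing. The following is an added example in plain Ruby, not Foreman's controller or its view_hosts filter, with a constructed inventory and a hypothetical per-user scope; responding with 404 for an invisible host is this example's choice, not something the commit states.

```ruby
# Added example: scope the lookup before matching on the name. Not Foreman's
# code; hosts, organizations and the user's filter are constructed.

Host = Struct.new(:name, :organization)
User = Struct.new(:login, :viewable_orgs) # viewable_orgs stands in for a view_hosts filter

# Constructed inventory: two organizations, one host each.
HOSTS = [
  Host.new('web1.example.com', 'org-a'),
  Host.new('db1.example.com',  'org-b')
].freeze

# Vulnerable lookup: any authenticated user can resolve any host by name.
def find_host_unscoped(name, _user)
  HOSTS.find { |h| h.name == name }
end

# Fixed lookup: restrict to the hosts the user may view, then match the name.
def find_host_authorized(name, user)
  HOSTS.select { |h| user.viewable_orgs.include?(h.organization) }
       .find { |h| h.name == name }
end

# Template-preview action in miniature. A host outside the user's scope is
# treated as not found, so the response does not confirm that the name exists.
def preview_template(name, user)
  host = find_host_authorized(name, user)
  return [404, 'Not found'] unless host
  [200, "template rendered for #{host.name}"]
end

# Constructed user who may only see org-a.
ALICE = User.new('alice', ['org-a']).freeze
```

The regression test to keep is the negative one: a user with a narrow filter requesting a host outside it must get the same response as for a non-existent host.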
Refs #3809 - Turning on the AndOr cop
Fixes #14410 - respond 503 when pending migration
fixes #15466 - require e-mail for current user
Refs #3809 - Turning on some rubocop cops
fixes #14050 - resolving N+1 query on hosts#index
Refs #12911 - Fixing colon method calls
Fixes #12720 - Add tabs for puppet on proxy show page
This patch adds two tabs to the proxy show page related to puppet:
1. Puppet - this tab is for proxies managing a puppet master. This tab displays information about the puppet master, such as number of classes...
Fixes #12754 - adds permission name to 403 page
Fixes #7230, #12021 - Upgrade to Rails 4.1.5
This commit upgrades Rails to Rails 4.1.5. See a description of the changes included here, and go to the pull request in GitHub to see more detailed explanations:
Fixes #11924 - Substitute .scoped by .where(nil) to force return relation
On Rails 4 .scoped is deprecated. Calling .all on the model returns the equivalent ActiveRecord relation object on Rails 4, but on Rails 3 it returns an Array right away.
A proper replacement we can use is where(nil) - it's ugly but it returns...
Fixes #10988 - Remove 1.11 deprecations
Fixes #10782 - global host status
Plugins can add their own substatuses. These are automatically...
fixes #7275 - remove welcome page and replace with docs button
Refs #3809 - Enable cop Style/MultilineTernaryOperator
Fixes #10635 - Formalize deprecation warning
Fixes #10713 - improved backtrace logging
fixes #10471 - use Rails' force_ssl
Fixes #8525 - Rename "Mail" to "Email" in user preferences
Refs #3809 - Remove nested ternary and nil checking
Fixes #9674 - Handle ProxyAPI exceptions on PuppetCA controller
Refs #3809 - Remove cops for empty lines
Fixes #9099 - Upgrade rubocop to 0.28.0
Fixes #8838 - Replace HTTP error codes with human-readable symbols
Fixes #8837 - Return correctly formatted response on ajax_error
fixes #8049 - Add timezone to user
Fixes #8428 - Connecting audits to existing users
fixes #5773 - redirect to referrer URL that includes page and search
Fixes #7519 - i18n extract ajax error message
fixes #7331 - delete unassigned os default templates
fixes #7898 - ensure that format can respond to json / yaml
fixes #7805 - Add several security related HTTP headers - security hardening.
Fixes #5139 - leftovers subscribe_to_all_hostgroups
Remove user_xxx unnecessary tables and notices
Update subhostgroups removed
Fixes for migration of foreign keys
Remove users from compute_resource fixture
Remove table notices after fk are removed for pg/mysql
Refs #3809 - Use parentheses in method definitions
Refs #3809 - Fix a few rubocop TODOs
fixes #4386 - gem friendly_id to simplify find by id, name, label, etc
Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)
To avoid CSRF, logout is changed to be a POST request so protect_from_forgery checks the CSRF token. However, in Rails 3 the only strategy available is to nullify the session of the attacker....
Fixes #4596 - Change parent of host group via AJAX
Reparenting host groups requires submitting the form to see the changes nowadays, this fix makes the host group model inherit all properties from the parent and show them in real time.
fixes #7218 - authorize hosts welcome page
fixes #6964 - replace default scope that hides users with explicit scope
fixes #6857 improve two-pane load times
fixes #3272 - allow 'admin' account to be removed and replaced
fixes #5881 - XSS from create/update/destroy notification boxes (CVE-2014-3491)
fixes #3592 lazy load vm with ajax in host show page.
Fixes #4884 : remove duplicate slashes from the gravatar url
The issue is that request.protocol returns http:// instead of http. The code assumed no trailing slashes
fixes #4776 - support session[:expires_at] for api requests
There are situations where the UI needs to invoke requests on the API controllers; therefore, we need to ensure that the session expiration accounts for them. This is common for plugins, such as Katello, which leverage the...
fixes #4457 - Session fixation, new session IDs are not generated on login (CVE-2014-0090)
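Two of the CVE fixes in this log touch the same piece of state: the commit for CVE-2014-3590 (logout changed to POST so protect_from_forgery checks the CSRF token) and the commit for CVE-2014-0090 (a new session ID on login, so a session ID the attacker planted before authentication is never promoted to an authenticated one). The following is one added example, not Foreman's or Rails' code, with a hypothetical in-memory session store. It models both fixes: login discards the pre-authentication ID (what `reset_session` does), and logout is honoured only on a POST carrying the session's CSRF token. Rejecting the forged request outright is this example's choice; the commit notes that Rails 3 could only nullify the session instead.

```ruby
require 'securerandom'

# Added example (not Foreman's or Rails' own code): a minimal session store
# showing session-ID regeneration at login and a CSRF-checked POST logout.

class SessionStore
  def initialize
    @sessions = {} # session_id => { user: ..., csrf_token: ... }
  end

  # Create an anonymous session; the ID is all the cookie carries.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = { user: nil, csrf_token: SecureRandom.hex(16) }
    id
  end

  def [](id)
    @sessions[id]
  end

  # Session fixation fix: on successful authentication drop the old ID and
  # issue a fresh one, so an ID chosen by an attacker never becomes the
  # victim's authenticated session.
  def login(old_id, user)
    @sessions.delete(old_id)
    new_id = create
    @sessions[new_id][:user] = user
    new_id
  end

  # CSRF-protected logout: only a POST with the session's own token ends it.
  # Returns :logged_out, :forbidden (wrong verb or bad token) or :no_session.
  def logout(id, method:, token:)
    session = @sessions[id]
    return :no_session unless session
    return :forbidden unless method == 'POST' && token && secure_compare(session[:csrf_token], token)
    @sessions.delete(id)
    :logged_out
  end

  private

  # Constant-time comparison so the token cannot be recovered byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Fixation scenario: the attacker knows the ID `planted` (e.g. delivered via a
# crafted link); the victim then authenticates with that cookie.
def fixation_scenario
  store = SessionStore.new
  planted = store.create
  victim_id = store.login(planted, 'alice')
  { attacker_sees_user: store[planted] && store[planted][:user],
    victim_session_fresh: victim_id != planted && store[victim_id][:user] == 'alice' }
end

# Logout CSRF scenario: a forged cross-site request versus the real form post.
def logout_scenario
  store = SessionStore.new
  id = store.login(store.create, 'alice')
  token = store[id][:csrf_token]
  {
    cross_site_get: store.logout(id, method: 'GET', token: nil),        # e.g. <img src="/logout">
    post_bad_token: store.logout(id, method: 'POST', token: 'x' * 32), # POST from another origin
    post_good_token: store.logout(id, method: 'POST', token: token),
    after_logout: store.logout(id, method: 'POST', token: token)
  }
end
```

The checks worth carrying into a test suite are the two negative ones: after login the planted ID must resolve to nothing, and a GET (or a POST without the token) to the logout route must leave the session intact.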
fixes #4194, #4459 - add main_app to root_path references for isolated engines
fixes #812 - new permissions model, user group role and nest support, role filters for better granularity
fixes #3845 - user login session ending clears chosen organization
fixes #3339 - nested fact support, allow fact importers to be registered by plugins
Fixes #3753 - always use main_app to determine paths for running an isolated namespace plugin
fixes #3516 - resource names (inc. domains) are now being parametrized when used to construct urls
fixes #3141: SmartProxyAuth no longer calls #render_403 method defined in ApplicationController
fixes #2969 - remove all legacy api code in UI controllers, add deprecation response
fixes #2988 - merge authentication code, enables REMOTE_USER auth on new API controllers
fixes #2877: deletion of the organization or location in the context no longer breaks the session
fixes #2802 controller methods fail for name-spaced controllers
fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)
Fixes #2502 - session expiration updates
Signo now allows to transparently prolong user session which got expired. Also when you now logout from Foreman you will end up in Signo login form. This brings some code clean up and test changes and small SSO method API change.
fixes #2440 remove unused files, code, unnecessary require statements
Fixes #2513 - orgs created in katello do not appear in org filtering
- topbar cache sweeper turned on for api controllers
- a bit of refactoring to get rid of repetitive expire_fragment
fixes #2511 Footer should be replaced with an about page
Fixes #2460 - session expiration fix for SSO
We set new expiration interval when user logs in successfully using any kind of SSO. Also this patch moves logout path out of thread variable and stores it into a session. This is more secure storage for threaded...
fixes #2444 - locale selector in user account
fixes #2420 - extract strings for i18n from JavaScript, various i18n fixes