| Commit message | Author | Age | Files | Lines |
Signed-off-by: Shawn O. Pearce <sop@google.com>
Signed-off-by: Shawn O. Pearce <sop@google.com>
Signed-off-by: Shawn O. Pearce <sop@google.com>
As of Gerrit 2.0.4 we encrypt the contact information for a user
account, limiting the amount of data we capture and store. This
is important to mention when describing how we manage private
user information.
Signed-off-by: Shawn O. Pearce <sop@google.com>
This is an important feature in our security design, as it helps to
reduce the attack surface available due to the use of OpenID.
Signed-off-by: Shawn O. Pearce <sop@google.com>
The SafeHtmlBuilder utility is much easier to keep clean content with,
as the objects use (some) Java type safety to help protect the safe
strings from unsafe ones.
Signed-off-by: Shawn O. Pearce <sop@google.com>
01a89f7d04a785005776a52574eaf772c1c02f66 was bad, it used the
wrong row number for the bottom border, crashing the UI setup
for the settings screen.
Signed-off-by: Shawn O. Pearce <sop@google.com>
It's also under the Apache License.
Signed-off-by: Shawn O. Pearce <sop@google.com>
By using ".cache.css" as our CSS suffix browsers can aggressively
cache this rather large content locally, but we need to keep track
of the version number ourselves anytime we make edits.
Signed-off-by: Shawn O. Pearce <sop@google.com>
All of this code has been refactored into the non-application specific
package gwtexpui. Instead of keeping our own copies let's use the more
common package version of it.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Signed-off-by: Shawn O. Pearce <sop@google.com>
If the browser doesn't have flash installed, just don't even
offer the clippy support, and instead rely on the native JS
based text box.
Signed-off-by: Shawn O. Pearce <sop@google.com>
We prefer to indent with two spaces, not four.
Signed-off-by: Shawn O. Pearce <sop@google.com>
If the replication only partially initialized and then threw an
exception, we may find that the underlying JSch connection is only
partially initialized. Calling tn.close() from our finally block
may throw a NullPointerException from within JSch, as JSch tries
to clean up uninitialized resources.
By wrapping our close call in a try/catch we can ensure that any
close failure is logged and then ignored, so that if the close was
executing because an exception was thrown that the original exception
can propagate to our exception handle and also be logged.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Another great idea stolen from github.com. If the user single-clicks
on a label that is marked as copyable we convert the label to a text
box and select everything, so the user only needs to use Ctrl-C to
copy the text onto their clipboard. A keyboard binding converts the
field back to a label after the copy completes, and a focus listener
also does the same if focus is lost on the input box.
This is a nice workaround for browsers which do not have a flash
plugin installed or enabled.
Signed-off-by: Shawn O. Pearce <sop@google.com>
If the administrator edits account records, such as merging two
accounts into a single identity while Gerrit is running, we may
need to dump the SSH keys in order to ensure all future incoming
connections go to the correct account identity.
Signed-off-by: Shawn O. Pearce <sop@google.com>
If we don't put gerrit/src/main/java onto the classpath of the JRE
then the hosted mode debugger cannot launch the application. I'm
not sure why this is necessary on Mac OS X but not on Linux, but it
seems to fix things for debugging on my laptop.
Signed-off-by: Shawn O. Pearce <sop@google.com>
I'm often trying to copy the permalink of a change. It's much
easier to just hit the copy button on clippy than it is to
right click, copy in a browser in order to grab that URL from
the hyperlink.
Signed-off-by: Shawn O. Pearce <sop@google.com>
This just makes it that much easier to quickly download one patch
from an existing change. Thanks to GitHub for their MIT licensed
SWF that makes this easily possible.
Unfortunately we have to build the HTML up as a string and install
it with innerHTML in order to work around a bug in ie6. Any other
browser allowed us to build this up using standard DOM objects, but
in ie6 the SWF "movie" doesn't load unless we create the <object>
tag through assignment to innerHTML on a container <div>.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Instead of logging an error in the server log, give a
message to the client letting them know that the usage
wasn't correct.
Bug: GERRIT-79
Signed-off-by: Shawn O. Pearce <sop@google.com>
Otherwise the border may not draw correctly.
Signed-off-by: Shawn O. Pearce <sop@google.com>
If a user's provider is untrusted, we show them it in the new
status column, so they can take steps to join a trusted site
and link that identity, then remove the untrusted one. This
may be necessary to upgrade the user's effective groups to
their actual memberships.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Not all OpenID provider operators may be trusted by a Gerrit site
administrator. The OpenID protocol is open to man-in-the-middle
attacks, and the security of a user's account is only as good as
the claimed id's host, or its delegate provider. These provide
an attacker many avenues with which to enter a Gerrit instance
and try to abuse an account's privileges.
Gerrit sites relying on OpenID authentication can now require
that an account which has been granted permissions beyond those
that are given to anyone (aka anonymous and registered users)
use only trusted OpenID providers, as configured by the site's
administrator in the database.
Signed-off-by: Shawn O. Pearce <sop@google.com>
This way we can always set up a redirect if the JIRA server
moves hosts, or if we were to move off of JIRA to another
issue tracking product.
Signed-off-by: Shawn O. Pearce <sop@google.com>
I hacked this in by hand into the pom.xml when debugging the ie6
issues earlier. So let's document it and make it easier to get by
way of the command line.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Although we tend to manage Gerrit with repo, we don't actually
need it as the dependencies are all available via Maven. This
makes it a lot easier for someone to just clone Gerrit and do
a build on their local system.
Signed-off-by: Shawn O. Pearce <sop@google.com>
gwtjsonrpc 1.0.2 contains a bug fix necessary to make Gerrit
run correctly under ie6 and later.
Bug: GERRIT-62
Signed-off-by: Shawn O. Pearce <sop@google.com>
Microsoft Internet Explorer 6 and later won't permit JavaScript to
set the innerHTML property of a tbody element to arbitrary text,
yet every other major browser supports this just fine.
To support IE we need to build our HTML inside of a dummy table,
and then move the DOM node for the new tbody over to the old table.
This requires reaching into the guts of HTMLTable and changing its
private final bodyElem field, not something we really should be
doing, but it works "well enough" in GWT 1.5.3 that we can get
away with it. For now.
The better fix is to completely rewrite our FancyFlexTable such
that it better supports bulk rendering modes and isn't so tied
to the stock HTMLTable GWT implementation.
Bug: GERRIT-62
Signed-off-by: Shawn O. Pearce <sop@google.com>
Otherwise the borders won't draw correctly in some parts of the table
Signed-off-by: Shawn O. Pearce <sop@google.com>
A user may desire to delete an OpenID identity they had previously
stored into their account, such as if they no longer trust that
provider, or are no longer affiliated with that provider.
To prevent the user from locking themselves out of their own user
account in Gerrit we forbid deleting the identity they last used
to login to the site under.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Signed-off-by: Shawn O. Pearce <sop@google.com>
This way users can see and manage additional mailto: links.
However, we hide the "Link Another Identity" button as it
is not supported unless OpenID is available.
Signed-off-by: Shawn O. Pearce <sop@google.com>
If the row that was our current row has been deleted from the table
and currentRow is now out of range don't throw an exception, but
instead ignore the error and just position on the new current row.
This is caused by bugs in table users, where they removed rows but
didn't refocus onto an existing row as the current row, confusing
the table state.
Signed-off-by: Shawn O. Pearce <sop@google.com>
This is some black magic necessary to inform Jetty that the connection
is actually an https:// connection, and not a http://. Without this
special configuration Gerrit will send redirects from https:// to a
normal http:// connection, dropping the user out of a secure channel.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Mostly you need Maven and PostgreSQL to set up a development
environment. SSHD is less necessary, unless you need to
hack on its source.
Also added a download link for PostgreSQL to make it easier
to grab the source or a binary.
Signed-off-by: Shawn O. Pearce <sop@google.com>
We actually use our own Maven repository for it.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Signed-off-by: Shawn O. Pearce <sop@google.com>
Signed-off-by: Shawn O. Pearce <sop@google.com>
For our needs within Gerrit we can mostly stick to a known version
of these two dependencies.
JGit now has a more recent snapshot, but named with an exact version
number off `git describe`, so we now rely on that so it's clear from
the JAR file name in our WAR exactly what version of code was used.
For SSHD we tag the version with a suffix of "-r$SVNREVISION",
but we also put the JARs into our own Gerrit Maven repository,
as they aren't available from any other public Maven repository.
This simplifies the new developer installation guide, as most
users only need to use our own project and can get the rest
off Maven repositories.
Signed-off-by: Shawn O. Pearce <sop@google.com>
A security review strongly suggested moving the personal contact
details for an account out of the database and into an encrypted
data store that is stored separately from the rest of Gerrit's
metadata. The rationale being that the contact information is
really quite personal, and just doesn't need to be accessed,
except in the most extreme circumstances, like if a court has
issued a valid subpoena to the Gerrit administrators to turn
over contact information for a specific account.
Any captured contact information is now encrypted using GnuPG, and
fired off via SSL protected HTTP POST to another system. That other
system could be "gerrit-contactstore", running on Google App Engine,
or it could be a very simple CGI which stores the encrypted data
to files on disk. With this change, Gerrit only has the user's
contact information transiently in memory while it is encrypting
the message for long-term storage.
Only the GnuPG public key needs to be available, so Gerrit
reads an ASCII armored key, e.g. "gpg --export -a KEY >pub",
simplifying the installation of Gerrit.
Signed-off-by: Shawn O. Pearce <sop@google.com>
If we don't call WorkQueue.terminate() the thread pool will stay
running, pegging the JVM open until the user hits Control-C in the
tty to break it out.
Signed-off-by: Shawn O. Pearce <sop@google.com>
I've heard from some users running Siteminder that the header
length on some of their cookies is longer than what Jetty can
accept by default. Upping the limit seems to fix their problem,
so suggest it in the docs.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Someone tried (by mistake it would seem) to use Jetty 6.1.3, and
failed to get Gerrit running. Point out that 6.1.14 was tested
and is known to have worked for folks.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Like double quote, it's safer to escape single quotes too, in case
they are being used to wrap an attribute value and the returned
string is being included inside of the attribute value.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Signed-off-by: Shawn O. Pearce <sop@google.com>
It's much more current than anything we can say here
in the documentation.
Signed-off-by: Shawn O. Pearce <sop@google.com>
These have either been met, or are rather moot to talk about.
Signed-off-by: Shawn O. Pearce <sop@google.com>
If the client has broken off the network connection and that is why
we are throwing an exception up at the caller, it's not really an
exception to be logged for the administrator. It's a fairly harmless
case where the client started the network transfer, then just died.
We should consider sending a patch upstream to MINA SSHD to try and
use a more specific exception type here than just IOException, e.g.
EOFException, or modify read to return -1. This might improve how
we trap the exception, and eventually ignore it.
Signed-off-by: Shawn O. Pearce <sop@google.com>
It's an unusual name for software. More often than not, a person
is named "Gerrit". We should explain that is in fact where the
name came from, and what Gerrit2 is about.
Signed-off-by: Shawn O. Pearce <sop@google.com>
Branches can now be created on the web, and through the SSH daemon.
There isn't much need to do raw SQL inserts in order to register a
branch, so we shouldn't document that implementation detail anymore.
Signed-off-by: Shawn O. Pearce <sop@google.com>