Backport !7967 and !8189 to `8-13-stable`

See merge request !8991

Signed-off-by: Rémy Coutable <remy@rymai.me>

Signed-off-by: Rémy Coutable <remy@rymai.me>

Accept environment variables from the `pre-receive` script

1. Starting version 2.11, git changed the way the pre-receive flow works.
  - Previously, the new potential objects would be added to the main repo. If the pre-receive passes, the new objects stay in the repo but are linked up. If the pre-receive fails, the new objects stay orphaned in the repo, and are cleaned up during the next `git gc`.
  - In 2.11, the new potential objects are added to a temporary "alternate object directory", that git creates for this purpose. If the pre-receive passes, the objects from the alternate object directory are migrated to the main repo. If the pre-receive fails the alternate object directory is simply deleted.
2. In our workflow, the pre-recieve script (in `gitlab-shell`) calls the
   `/allowed` endpoint, which calls out directly to git to perform
   various checks. These direct calls to git do _not_ have the necessary
   environment variables set which allow access to the "alternate object
   directory" (explained above). Therefore these calls to git are not able to
   access any of the new potential objects to be added during this push.

3. We fix this by accepting the relevant environment variables
   (`GIT_ALTERNATE_OBJECT_DIRECTORIES`, `GIT_OBJECT_DIRECTORY`, and
   `GIT_QUARANTINE_PATH`) on the `/allowed` endpoint, and then include
   these environment variables while calling out to git.

4. This commit includes these environment variables while making the "force
   push" check.

See https://gitlab.com/gitlab-org/gitlab-shell/merge_requests/120



Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]

The `parent` namespace concept didn't exist until 8.15, so this was
causing a `NoMethodError`.

Upgrade OmniAuth Ruby gem to 1.3.2

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/26813

See merge request !2056

Prevent users from creating notes on resources they can't access

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054

Ensure that only privileged users can access merge requests in the API

See merge request !2053

Fix export files not removed when a user takes over a namespace

See merge request !2051

Fix users being able to delete instance public deployment keys

See merge request !2049

[ci skip]

Updated Turbolinks to patched version of turbolinks-classic

See merge request !2048

Update the gitlab-markup gem to the version `1.5.1`

See merge request !8509

[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>

Signed-off-by: Rémy Coutable <remy@rymai.me>

Signed-off-by: Rémy Coutable <remy@rymai.me>

Signed-off-by: Rémy Coutable <remy@rymai.me>

Filter `incoming_email_token` and `runners_token` parameters

Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676

See merge request !2045



Signed-off-by: Rémy Coutable <remy@rymai.me>

Issue#visible_to_user moved to IssuesFinder

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.

See merge request !2039



Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix missing Note access checks in by moving Note#search to updated NoteFinder

See merge request !2035



Signed-off-by: Rémy Coutable <remy@rymai.me>

API: Memoize the current_user so that the sudo can work properly

Closes #25482

See merge request !8017



Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]

Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin.

Closes #24537

See merge request !7615



Signed-off-by: Rémy Coutable <remy@rymai.me>

Make the `downtime_check` task happy

See merge request !7845



Signed-off-by: Rémy Coutable <remy@rymai.me>

Replace MR access checks with use of MergeRequestsFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
✅ - Permissions check tested

### MR lookup from project

- [x] 💣  app/finders/notes_finder.rb:17
- [x] ⚠  app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] 💣  app/controllers/concerns/creates_commit.rb:84
- [x] 🚥  app/controllers/projects/commits_controller.rb:24
- [x] 🚥  app/controllers/projects/compare_controller.rb:56
- [x] 🚦  app/controllers/projects/discussions_controller.rb:29
- [x] ✅  app/controllers/projects/todos_controller.rb:27
- [x] 🚦  app/models/commit.rb:268
- [x] ✅ lib/gitlab/search_results.rb:71

### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use  of unchecked `merged_merge_request?`

See merge request !2033

[ci skip]

Create tag after running pre-hooks and pass updated SHA to post-hooks

Closes #24813

See merge request !7700



Signed-off-by: Rémy Coutable <remy@rymai.me>

Douwe Maan authored Nov 30, 2016 and Alejandro Rodriguez committed Dec 02, 2016

Ensure state param has a valid value when filtering issuables.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064

This fix makes sure we only call safe methods on issuable when filtering by state.

See merge request !2038

[ci skip]

Update grape-entity to 0.6.0

See merge request !7491



Signed-off-by: Rémy Coutable <remy@rymai.me>