Merge branch '4-0-stable' into stable

app/assets/stylesheets/sections/votes.scss

+.votes {
+  font-size: 13px;
+  line-height: 15px;
+  .progress {
+    height: 4px;
+    margin: 0;
+    .bar {
+      float: left;
+      height: 100%;
+    }
+    .bar-success {
+      @include linear-gradient(#62C462, #51A351);
+      background-color: #468847;
+    }
+    .bar-danger {
+      @include linear-gradient(#EE5F5B, #BD362F);
+      background-color: #B94A48;
+    }
+  }
+  .upvotes {
+    display: inline-block;
+    color: #468847;
+  }
+  .downvotes {
+    display: inline-block;
+    color: #B94A48;
+  }
+}
+.votes-block {
+  margin: 14px 6px 6px 0;
+  .downvotes {
+    float: right;
+  }
+}
+.votes-inline {
+  display: inline-block;
+  margin: 0 8px;
+  .progress {
+    display: inline-block;
+    padding: 0 0 2px;
+    width: 45px;
+  }
+}

app/assets/stylesheets/themes/ui_basic.scss

@@ -4,18 +4,6 @@
  *
  */
 .ui_basic {
-  /*
-   * Common styles
-   *
-   */
-  a {
-    color: $link_color;
-    &:hover {
-      text-decoration:none;
-      color: $blue_link;
-    }
-  }
-
   .app_logo {
     .separator {
       margin-left: 0;

app/assets/stylesheets/themes/ui_mars.scss

@@ -47,17 +47,17 @@
       a {
         h1 {
           background: url('logo_white.png') no-repeat 0px 2px;
-          color:#eee;
+          color: #eee;
           text-shadow: 0 1px 1px #111;
         }
       }
       .separator {
-        display:none;
+        display: none;
       }
     }
     .project_name {
-      color:#eee;
+      color: #eee;
       text-shadow: 0 1px 1px #111;
     }
   }

app/contexts/notes/load_context.rb

@@ -19,8 +19,6 @@ module Notes
                when "wall"
                  # this is the only case, where the order is DESC
                  project.common_notes.order("created_at DESC, id DESC").limit(50)
-               when "wiki"
-                 project.wiki_notes.limit(20)
                end
       @notes = if after_id

app/contexts/project_update_context.rb

+class ProjectUpdateContext < BaseContext
+  def execute(role = :default)
+    namespace_id = params[:project].delete(:namespace_id)
+
+    allowed_transfer = can?(current_user, :change_namespace, project) || role == :admin
+
+    if allowed_transfer && namespace_id.present?
+      if namespace_id == Namespace.global_id
+        if project.namespace.present?
+          # Transfer to global namespace from anyone
+          project.transfer(nil)
+        end
+      elsif namespace_id.to_i != project.namespace_id
+        # Transfer to someone namespace
+        namespace = Namespace.find(namespace_id)
+        project.transfer(namespace)
+      end
+    end
+
+    project.update_attributes(params[:project], as: role)
+  end
+end
+

app/controllers/admin/groups_controller.rb

@@ -2,7 +2,7 @@ class Admin::GroupsController < AdminController
   before_filter :group, only: [:edit, :show, :update, :destroy, :project_update]
   def index
-    @groups = Group.scoped
+    @groups = Group.order('name ASC')
     @groups = @groups.search(params[:name]) if params[:name].present?
     @groups = @groups.page(params[:page]).per(20)
   end
@@ -11,6 +11,7 @@ class Admin::GroupsController < AdminController
     @projects = Project.scoped
     @projects = @projects.not_in_group(@group) if @group.projects.present?
     @projects = @projects.all
+    @projects.reject!(&:empty_repo?)
   end
   def new
@@ -22,6 +23,7 @@ class Admin::GroupsController < AdminController
   def create
     @group = Group.new(params[:group])
+    @group.path = @group.name.dup.parameterize if @group.name
     @group.owner = current_user
     if @group.save
@@ -48,15 +50,17 @@ class Admin::GroupsController < AdminController
   def project_update
     project_ids = params[:project_ids]
-    Project.where(id: project_ids).update_all(group_id: @group.id)
+
+    Project.where(id: project_ids).each do |project|
+      project.transfer(@group)
+    end
     redirect_to :back, notice: 'Group was successfully updated.'
   end
   def remove_project
     @project = Project.find(params[:project_id])
-    @project.group_id = nil
-    @project.save
+    @project.transfer(nil)
     redirect_to :back, notice: 'Group was successfully updated.'
   end
@@ -70,6 +74,6 @@ class Admin::GroupsController < AdminController
   private
   def group
-    @group = Group.find_by_code(params[:id])
+    @group = Group.find_by_path(params[:id])
   end
 end

app/controllers/admin/projects_controller.rb

 class Admin::ProjectsController < AdminController
-  before_filter :admin_project, only: [:edit, :show, :update, :destroy, :team_update]
+  before_filter :project, only: [:edit, :show, :update, :destroy, :team_update]
   def index
-    @admin_projects = Project.scoped
-    @admin_projects = @admin_projects.search(params[:name]) if params[:name].present?
-    @admin_projects = @admin_projects.order("name ASC").page(params[:page]).per(20)
+    @projects = Project.scoped
+    @projects = @projects.where(namespace_id: params[:namespace_id]) if params[:namespace_id].present?
+    @projects = @projects.where(namespace_id: nil) if params[:namespace_id] == Namespace.global_id
+    @projects = @projects.search(params[:name]) if params[:name].present?
+    @projects = @projects.includes(:namespace).order("namespaces.path, projects.name ASC").page(params[:page]).per(20)
   end
   def show
-    @users = User.scoped
-    @users = @users.not_in_project(@admin_project) if @admin_project.users.present?
+    @users = User.active
+    @users = @users.not_in_project(@project) if @project.users.present?
     @users = @users.all
   end
-  def new
-    @admin_project = Project.new
-  end
-
   def edit
   end
   def team_update
-    @admin_project.add_users_ids_to_team(params[:user_ids], params[:project_access])
-
-    redirect_to [:admin, @admin_project], notice: 'Project was successfully updated.'
-  end
-
-  def create
-    @admin_project = Project.new(params[:project])
-    @admin_project.owner = current_user
-    if @admin_project.save
-      redirect_to [:admin, @admin_project], notice: 'Project was successfully created.'
-    else
-      render action: "new"
-    end
+    @project.add_users_ids_to_team(params[:user_ids], params[:project_access])
+    redirect_to [:admin, @project], notice: 'Project was successfully updated.'
   end
   def update
-    owner_id = params[:project].delete(:owner_id)
-    if owner_id
-      @admin_project.owner = User.find(owner_id)
-    end
-
-    if @admin_project.update_attributes(params[:project])
-      redirect_to [:admin, @admin_project], notice: 'Project was successfully updated.'
+    status = ProjectUpdateContext.new(project, current_user, params).execute(:admin)
+    if status
+      redirect_to [:admin, @project], notice: 'Project was successfully updated.'
     else
       render action: "edit"
     end
   end
   def destroy
-    @admin_project.destroy
-    redirect_to admin_projects_url, notice: 'Project was successfully deleted.'
+    @project.destroy
+    redirect_to admin_projects_path, notice: 'Project was successfully deleted.'
   end
-  private
-  def admin_project
-    @admin_project = Project.find_by_code(params[:id])
+  protected
+
+  def project
+    id = params[:project_id] || params[:id]
+    @project = Project.find_with_namespace(id)
+    @project || render_404
   end
 end

app/controllers/admin/users_controller.rb

@@ -3,7 +3,7 @@ class Admin::UsersController < AdminController
     @admin_users = User.scoped
     @admin_users = @admin_users.filter(params[:filter])
     @admin_users = @admin_users.search(params[:name]) if params[:name].present?
-    @admin_users = @admin_users.order("updated_at DESC").page(params[:page])
+    @admin_users = @admin_users.order("name ASC").page(params[:page])
   end
   def show
@@ -30,7 +30,7 @@ class Admin::UsersController < AdminController
   def new
-    @admin_user = User.new({ projects_limit: Gitlab.config.default_projects_limit }, as: :admin)
+    @admin_user = User.new({ projects_limit: Gitlab.config.gitlab.default_projects_limit }, as: :admin)
   end
   def edit

app/controllers/application_controller.rb

@@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
   before_filter :authenticate_user!
   before_filter :reject_blocked!
   before_filter :set_current_user_for_observers
+  before_filter :add_abilities
   before_filter :dev_tools if Rails.env == 'development'
   protect_from_forgery
@@ -34,7 +35,7 @@ class ApplicationController < ActionController::Base
   def reject_blocked!
     if current_user && current_user.blocked
       sign_out current_user
-      flash[:alert] = "Your account was blocked"
+      flash[:alert] = "Your account is blocked. Retry when an admin unblock it."
       redirect_to new_user_session_path
     end
   end
@@ -42,7 +43,7 @@ class ApplicationController < ActionController::Base
   def after_sign_in_path_for resource
     if resource.is_a?(User) && resource.respond_to?(:blocked) && resource.blocked
       sign_out resource
-      flash[:alert] = "Your account was blocked"
+      flash[:alert] = "Your account is blocked. Retry when an admin unblock it."
       new_user_session_path
     else
       super
@@ -63,11 +64,19 @@ class ApplicationController < ActionController::Base
   end
   def project
-    @project ||= current_user.projects.find_by_code(params[:project_id] || params[:id])
-    @project || render_404
+    id = params[:project_id] || params[:id]
+
+    @project = Project.find_with_namespace(id)
+
+    if @project and can?(current_user, :read_project, @project)
+      @project
+    else
+      @project = nil
+      render_404
+    end
   end
-  def add_project_abilities
+  def add_abilities
     abilities << Ability
   end
@@ -103,6 +112,10 @@ class ApplicationController < ActionController::Base
     render file: Rails.root.join("public", "404"), layout: false, status: "404"
   end
+  def render_403
+    render file: Rails.root.join("public", "403"), layout: false, status: "403"
+  end
+
   def require_non_empty_project
     redirect_to @project if @project.empty_repo?
   end

app/controllers/commit_controller.rb

@@ -26,7 +26,8 @@ class CommitController < ProjectResourceController
         end
       end
-      format.patch
+      format.diff  { render text: @commit.to_diff }
+      format.patch { render text: @commit.to_patch }
     end
   end
 end

app/controllers/dashboard_controller.rb

 class DashboardController < ApplicationController
   respond_to :html
+  before_filter :projects
   before_filter :event_filter, only: :index
   def index
-    @groups = Group.where(id: current_user.projects.pluck(:group_id))
-    @projects = current_user.projects_sorted_by_activity
+    @groups = current_user.authorized_groups
+
+    @has_authorized_projects = @projects.count > 0
+
+    @projects = case params[:scope]
+                when 'personal' then
+                  @projects.personal(current_user)
+                when 'joined' then
+                  @projects.joined(current_user)
+                else
+                  @projects
+                end
+
     @projects = @projects.page(params[:page]).per(30)
     @events = Event.in_projects(current_user.project_ids)
@@ -23,15 +35,16 @@ class DashboardController < ApplicationController
   # Get authored or assigned open merge requests
   def merge_requests
-    @projects = current_user.projects.all
-    @merge_requests = current_user.cared_merge_requests.recent.page(params[:page]).per(20)
+    @merge_requests = current_user.cared_merge_requests
+    @merge_requests = dashboard_filter(@merge_requests)
+    @merge_requests = @merge_requests.recent.page(params[:page]).per(20)
   end
   # Get only assigned issues
   def issues
-    @projects = current_user.projects.all
-    @user   = current_user
-    @issues = current_user.assigned_issues.opened.recent.page(params[:page]).per(20)
+    @issues = current_user.assigned_issues
+    @issues = dashboard_filter(@issues)
+    @issues = @issues.recent.page(params[:page]).per(20)
     @issues = @issues.includes(:author, :project)
     respond_to do |format|
@@ -40,7 +53,32 @@ class DashboardController < ApplicationController
     end
   end
+  protected
+
+  def projects
+    @projects = current_user.authorized_projects.sorted_by_activity
+  end
+
   def event_filter
     @event_filter ||= EventFilter.new(params[:event_filter])
   end
+
+  def dashboard_filter items
+    if params[:project_id]
+      items = items.where(project_id: params[:project_id])
+    end
+
+    if params[:search].present?
+      items = items.search(params[:search])
+    end
+
+    case params[:status]
+    when 'closed'
+      items.closed
+    when 'all'
+      items
+    else
+      items.opened
+    end
+  end
 end

app/controllers/groups_controller.rb

@@ -5,6 +5,9 @@ class GroupsController < ApplicationController
   before_filter :group
   before_filter :projects
+  # Authorize
+  before_filter :authorize_read_group!
+
   def show
     @events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0)
     @last_push = current_user.recent_push
@@ -18,7 +21,7 @@ class GroupsController < ApplicationController
   # Get authored or assigned open merge requests
   def merge_requests
-    @merge_requests = current_user.cared_merge_requests
+    @merge_requests = current_user.cared_merge_requests.opened
     @merge_requests = @merge_requests.of_group(@group).recent.page(params[:page]).per(20)
   end
@@ -44,20 +47,33 @@ class GroupsController < ApplicationController
   end
   def people
-    @users = group.users.all
+    @project = group.projects.find(params[:project_id]) if params[:project_id]
+    @users = @project ? @project.users : group.users
+    @users.sort_by!(&:name)
+
+    if @project
+      @team_member = @project.users_projects.new
+    end
   end
   protected
   def group
-    @group ||= Group.find_by_code(params[:id])
+    @group ||= Group.find_by_path(params[:id])
   end
   def projects
-    @projects ||= current_user.projects_sorted_by_activity.where(group_id: @group.id)
+    @projects ||= group.projects.authorized_for(current_user).sorted_by_activity
   end
   def project_ids
     projects.map(&:id)
   end
+
+  # Dont allow unauthorized access to group
+  def authorize_read_group!
+    unless projects.present? or can?(current_user, :manage_group, @group)
+      return render_404
+    end
+  end
 end

app/controllers/issues_controller.rb

 class IssuesController < ProjectResourceController
   before_filter :module_enabled
-  before_filter :issue, only: [:edit, :update, :destroy, :show]
+  before_filter :issue, only: [:edit, :update, :show]
   # Allow read any issue
   before_filter :authorize_read_issue!
@@ -11,9 +11,6 @@ class IssuesController < ProjectResourceController
   # Allow modify issue
   before_filter :authorize_modify_issue!, only: [:edit, :update]
-  # Allow destroy issue
-  before_filter :authorize_admin_issue!, only: [:destroy]
-
   respond_to :js, :html
   def index
@@ -77,15 +74,6 @@ class IssuesController < ProjectResourceController
     end
   end
-  def destroy
-    @issue.destroy
-
-    respond_to do |format|
-      format.html { redirect_to project_issues_path }
-      format.js { render nothing: true }
-    end
-  end
-
   def sort
     return render_404 unless can?(current_user, :admin_issue, @project)

app/controllers/merge_requests_controller.rb

 class MergeRequestsController < ProjectResourceController
   before_filter :module_enabled
-  before_filter :merge_request, only: [:edit, :update, :destroy, :show, :commits, :diffs, :automerge, :automerge_check, :raw]
-  before_filter :validates_merge_request, only: [:show, :diffs, :raw]
+  before_filter :merge_request, only: [:edit, :update, :show, :commits, :diffs, :automerge, :automerge_check, :ci_status]
+  before_filter :validates_merge_request, only: [:show, :diffs]
   before_filter :define_show_vars, only: [:show, :diffs]
   # Allow read any merge_request
@@ -13,10 +13,6 @@ class MergeRequestsController < ProjectResourceController
   # Allow modify merge_request
   before_filter :authorize_modify_merge_request!, only: [:close, :edit, :update, :sort]
-  # Allow destroy merge_request
-  before_filter :authorize_admin_merge_request!, only: [:destroy]
-
-
   def index
     @merge_requests = MergeRequestsLoadContext.new(project, current_user, params).execute
   end
@@ -25,11 +21,10 @@ class MergeRequestsController < ProjectResourceController
     respond_to do |format|
       format.html
       format.js
-    end
-  end
-  def raw
-    send_file @merge_request.to_raw
+      format.diff  { render text: @merge_request.to_diff }
+      format.patch { render text: @merge_request.to_patch }
+    end
   end
   def diffs
@@ -87,14 +82,6 @@ class MergeRequestsController < ProjectResourceController
     end
   end
-  def destroy
-    @merge_request.destroy
-
-    respond_to do |format|
-      format.html { redirect_to project_merge_requests_url(@project) }
-    end
-  end
-
   def branch_from
     @commit = project.commit(params[:ref])
     @commit = CommitDecorator.decorate(@commit)
@@ -105,6 +92,13 @@ class MergeRequestsController < ProjectResourceController
     @commit = CommitDecorator.decorate(@commit)
   end
+  def ci_status
+    status = project.gitlab_ci_service.commit_status(merge_request.last_commit.sha)
+    response = { status: status }
+
+    render json: response
+  end
+
   protected
   def merge_request

app/controllers/milestones_controller.rb

@@ -12,11 +12,12 @@ class MilestonesController < ProjectResourceController
   def index
     @milestones = case params[:f]
-                  when 'all'; @project.milestones
-                  else @project.milestones.active
+                  when 'all'; @project.milestones.order("closed, due_date DESC")
+                  when 'closed'; @project.milestones.closed.order("due_date DESC")
+                  else @project.milestones.active.order("due_date ASC")
                   end
-    @milestones = @milestones.includes(:project).order("due_date")
+    @milestones = @milestones.includes(:project)
     @milestones = @milestones.page(params[:page]).per(20)
   end
@@ -42,6 +43,7 @@ class MilestonesController < ProjectResourceController
   def create
     @milestone = @project.milestones.new(params[:milestone])
+    @milestone.author_id_of_changes = current_user.id
     if @milestone.save
       redirect_to project_milestone_path(@project, @milestone)
@@ -51,7 +53,7 @@ class MilestonesController < ProjectResourceController
   end
   def update
-    @milestone.update_attributes(params[:milestone])
+    @milestone.update_attributes(params[:milestone].merge(author_id_of_changes: current_user.id))
     respond_to do |format|
       format.js

app/controllers/omniauth_callbacks_controller.rb

 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
-  Gitlab.config.omniauth_providers.each do |provider|
+  Gitlab.config.omniauth.providers.each do |provider|
     define_method provider['name'] do
       handle_omniauth
     end

app/controllers/profile_controller.rb → app/controllers/profiles_controller.rb

-class ProfileController < ApplicationController
+class ProfilesController < ApplicationController
   before_filter :user
+  layout 'profile'
   def show
   end
@@ -7,8 +8,15 @@ class ProfileController < ApplicationController
   def design
   end
+  def account
+  end
+
   def update
-    @user.update_attributes(params[:user])
+    if @user.update_attributes(params[:user])
+      flash[:notice] = "Profile was successfully updated"
+    else
+      flash[:alert] = "Failed to update profile"
+    end
     respond_to do |format|
       format.html { redirect_to :back }
@@ -19,7 +27,7 @@ class ProfileController < ApplicationController
   def token
   end
-  def password_update
+  def update_password
     params[:user].reject!{ |k, v| k != "password" && k != "password_confirmation"}
     if @user.update_attributes(params[:user])
@@ -31,14 +39,25 @@ class ProfileController < ApplicationController
   end
   def reset_private_token
-    current_user.reset_authentication_token!
-    redirect_to profile_account_path
+    if current_user.reset_authentication_token!
+      flash[:notice] = "Token was successfully updated"
+    end
+
+    redirect_to account_profile_path
   end
   def history
     @events = current_user.recent_events.page(params[:page]).per(20)
   end
+  def update_username
+    @user.update_attributes(username: params[:user][:username])
+
+    respond_to do |format|
+      format.js
+    end
+  end
+
   private
   def user

app/controllers/project_resource_controller.rb

 class ProjectResourceController < ApplicationController
   before_filter :project
-  # Authorize
-  before_filter :add_project_abilities
 end

app/controllers/projects_controller.rb

@@ -34,8 +34,11 @@ class ProjectsController < ProjectResourceController
   end
   def update
+    status = ProjectUpdateContext.new(project, current_user, params).execute
+
     respond_to do |format|
-      if project.update_attributes(params[:project])
+      if status
+        flash[:notice] = 'Project was successfully updated.'
         format.html { redirect_to edit_project_path(project), notice: 'Project was successfully updated.' }
         format.js
       else
@@ -43,6 +46,10 @@ class ProjectsController < ProjectResourceController
         format.js
       end
     end
+
+  rescue Project::TransferError => ex
+    @error = ex
+    render :update_failed
   end
   def show
@@ -51,12 +58,12 @@ class ProjectsController < ProjectResourceController
     respond_to do |format|
       format.html do
-         unless @project.empty_repo?
-           @last_push = current_user.recent_push(@project.id)
-           render :show
-         else
-           render "projects/empty"
-         end
+        unless @project.empty_repo?
+          @last_push = current_user.recent_push(@project.id)
+          render :show
+        else
+          render "projects/empty"
+        end
       end
       format.js
     end
@@ -80,12 +87,18 @@ class ProjectsController < ProjectResourceController
   end
   def graph
-    graph = Gitlab::Graph::JsonBuilder.new(project)
-
-    @days_json, @commits_json = graph.days_json, graph.commits_json
+    respond_to do |format|
+      format.html
+      format.json do
+        graph = Gitlab::Graph::JsonBuilder.new(project)
+        render :json => graph.to_json
+      end
+    end
   end
   def destroy
+    return access_denied! unless can?(current_user, :remove_project, project)
+
     # Disable the UsersProject update_repository call, otherwise it will be
     # called once for every person removed from the project
     UsersProject.skip_callback(:destroy, :after, :update_repository)

app/controllers/snippets_controller.rb

@@ -16,7 +16,7 @@ class SnippetsController < ProjectResourceController
   respond_to :html
   def index
-    @snippets = @project.snippets
+    @snippets = @project.snippets.fresh
   end
   def new
@@ -60,7 +60,7 @@ class SnippetsController < ProjectResourceController
     redirect_to project_snippets_path(@project)
   end
-  def raw 
+  def raw
     send_data(
       @snippet.content,
       type: "text/plain",