Add latest changes from gitlab-org/gitlab@master

Gemfile

@@ -26,7 +26,7 @@ gem 'marginalia', '~> 1.8.0'
 # Authentication libraries
 gem 'devise', '~> 4.6'
-gem 'doorkeeper', '~> 4.3'
+gem 'doorkeeper', '~> 4.4.3'
 gem 'doorkeeper-openid_connect', '~> 1.5'
 gem 'omniauth', '~> 1.8'
 gem 'omniauth-auth0', '~> 2.0.0'

Gemfile.lock

@@ -231,7 +231,7 @@ GEM
     docile (1.3.1)
     domain_name (0.5.20180417)
       unf (>= 0.0.5, < 1.0.0)
-    doorkeeper (4.3.2)
+    doorkeeper (4.4.3)
       railties (>= 4.2)
     doorkeeper-openid_connect (1.5.0)
       doorkeeper (~> 4.3)
@@ -1180,7 +1180,7 @@ DEPENDENCIES
   diff_match_patch (~> 0.1.0)
   diffy (~> 3.1.0)
   discordrb-webhooks-blackst0ne (~> 3.3)
-  doorkeeper (~> 4.3)
+  doorkeeper (~> 4.4.3)
   doorkeeper-openid_connect (~> 1.5)
   ed25519 (~> 1.2)
   elasticsearch-api (~> 6.8)

app/assets/javascripts/self_monitor/index.js

@@ -4,15 +4,12 @@ import SelfMonitorForm from './components/self_monitor_form.vue';
 export default () => {
   const el = document.querySelector('.js-self-monitoring-settings');
-  let selfMonitorProjectCreated;
   if (el) {
-    selfMonitorProjectCreated = el.dataset.selfMonitoringProjectExists;
     // eslint-disable-next-line no-new
     new Vue({
       el,
       store: store({
-        projectEnabled: selfMonitorProjectCreated,
         ...el.dataset,
       }),
       render(createElement) {

app/assets/javascripts/self_monitor/store/actions.js

@@ -52,7 +52,7 @@ export const requestCreateProjectStatus = ({ dispatch, state }, jobId) => {
     });
 };
-export const requestCreateProjectSuccess = ({ commit }, selfMonitorData) => {
+export const requestCreateProjectSuccess = ({ commit, dispatch }, selfMonitorData) => {
   commit(types.SET_LOADING, false);
   commit(types.SET_PROJECT_URL, selfMonitorData.project_full_path);
   commit(types.SET_ALERT_CONTENT, {
@@ -62,6 +62,7 @@ export const requestCreateProjectSuccess = ({ commit }, selfMonitorData) => {
   });
   commit(types.SET_SHOW_ALERT, true);
   commit(types.SET_PROJECT_CREATED, true);
+  dispatch('setSelfMonitor', true);
 };
 export const requestCreateProjectError = ({ commit }, error) => {

app/assets/javascripts/self_monitor/store/state.js

 import { parseBoolean } from '~/lib/utils/common_utils';
 export default (initialState = {}) => ({
-  projectEnabled: parseBoolean(initialState.projectEnabled) || false,
-  projectCreated: parseBoolean(initialState.selfMonitorProjectCreated) || false,
+  projectEnabled: parseBoolean(initialState.selfMonitoringProjectExists) || false,
+  projectCreated: parseBoolean(initialState.selfMonitoringProjectExists) || false,
   createProjectEndpoint: initialState.createSelfMonitoringProjectPath || '',
   deleteProjectEndpoint: initialState.deleteSelfMonitoringProjectPath || '',
   createProjectStatusEndpoint: initialState.statusCreateSelfMonitoringProjectPath || '',

app/controllers/admin/applications_controller.rb

@@ -55,6 +55,8 @@ class Admin::ApplicationsController < Admin::ApplicationController
   # Only allow a trusted parameter "white list" through.
   def application_params
-    params.require(:doorkeeper_application).permit(:name, :redirect_uri, :trusted, :scopes)
+    params
+      .require(:doorkeeper_application)
+      .permit(:name, :redirect_uri, :trusted, :scopes, :confidential)
   end
 end

app/controllers/groups/registry/repositories_controller.rb

@@ -7,13 +7,13 @@ module Groups
       before_action :feature_flag_group_container_registry_browser!
       def index
-        track_event(:list_repositories)
-
         respond_to do |format|
           format.html
           format.json do
             @images = group.container_repositories.with_api_entity_associations
+            track_event(:list_repositories)
+
             render json: ContainerRepositoriesSerializer
               .new(current_user: current_user)
               .represent_read_only(@images)

app/controllers/projects/registry/repositories_controller.rb

@@ -7,12 +7,13 @@ module Projects
       before_action :ensure_root_container_repository!, only: [:index]
       def index
-        @images = project.container_repositories
-        track_event(:list_repositories)
-
         respond_to do |format|
           format.html
           format.json do
+            @images = project.container_repositories
+
+            track_event(:list_repositories)
+
             render json: ContainerRepositoriesSerializer
               .new(project: project, current_user: current_user)
               .represent(@images)

app/models/user.rb

@@ -101,6 +101,7 @@ class User < ApplicationRecord
   # Groups
   has_many :members
+  has_one  :max_access_level_membership, -> { select(:id, :user_id, :access_level).order(access_level: :desc).readonly }, class_name: 'Member'
   has_many :group_members, -> { where(requested_at: nil) }, source: 'GroupMember'
   has_many :groups, through: :group_members
   has_many :owned_groups, -> { where(members: { access_level: Gitlab::Access::OWNER }) }, through: :group_members, source: :group
@@ -1027,7 +1028,7 @@ class User < ApplicationRecord
   end
   def highest_role
-    members.maximum(:access_level) || Gitlab::Access::NO_ACCESS
+    max_access_level_membership&.access_level || Gitlab::Access::NO_ACCESS
   end
   def accessible_deploy_keys

app/views/admin/applications/_form.html.haml

@@ -30,6 +30,14 @@
       %span.form-text.text-muted
         Trusted applications are automatically authorized on GitLab OAuth flow.
+  = content_tag :div, class: 'form-group row' do
+    .col-sm-2.col-form-label.pt-0
+      = f.label :confidential
+    .col-sm-10
+      = f.check_box :confidential
+      %span.form-text.text-muted
+        = _('The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.')
+
   .form-group.row
     .col-sm-2.col-form-label.pt-0
       = f.label :scopes

app/views/admin/applications/index.html.haml

@@ -12,6 +12,7 @@
       %th Callback URL
       %th Clients
       %th Trusted
+      %th Confidential
       %th
       %th
   %tbody.oauth-applications
@@ -21,6 +22,7 @@
         %td= application.redirect_uri
         %td= @application_counts[application.id].to_i
         %td= application.trusted? ? 'Y': 'N'
+        %td= application.confidential? ? 'Y': 'N'
         %td= link_to 'Edit', edit_admin_application_path(application), class: 'btn btn-link'
         %td= render 'delete_form', application: application
 = paginate @applications, theme: 'gitlab'

app/views/admin/applications/show.html.haml

@@ -36,6 +36,12 @@
       %td
         = @application.trusted? ? 'Y' : 'N'
+    %tr
+      %td
+        Confidential
+      %td
+        = @application.confidential? ? 'Y' : 'N'
+
     = render "shared/tokens/scopes_list", token: @application
 .form-actions

app/views/doorkeeper/applications/_form.html.haml

@@ -15,6 +15,12 @@
       %span.form-text.text-muted
         = _('Use <code>%{native_redirect_uri}</code> for local tests').html_safe % { native_redirect_uri: Doorkeeper.configuration.native_redirect_uri }
+  .form-group.form-check
+    = f.check_box :confidential, class: 'form-check-input'
+    = f.label :confidential, class: 'label-bold form-check-label'
+    %span.form-text.text-muted
+      = _('The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.')
+
   .form-group
     = f.label :scopes, class: 'label-bold'
     = render 'shared/tokens/scopes_form', prefix: 'doorkeeper_application', token: application, scopes: @scopes

app/views/doorkeeper/applications/show.html.haml

@@ -34,6 +34,12 @@
           %div
             %span.monospace= uri
+    %tr
+      %td
+        = _('Confidential')
+      %td
+        = @application.confidential? ? _('Yes') : _('No')
+
     = render "shared/tokens/scopes_list", token: @application
 .form-actions

changelogs/unreleased/118487-no-limits-on-size-of-diffs-returned-by-the-projects-id-repository-.yml

+---
+title: Limit size of diffs returned by /projects/:id/repository/compare API endpoint
+merge_request: 22658
+author:
+type: fixed

changelogs/unreleased/198042-argumenterror-wrong-number-of-arguments-given-1-expected-2.yml

+---
+title: Fixes AutoMergeProcessWorker failing when merge train service is not available
+  for a merge request
+merge_request: 23407
+author:
+type: fixed

changelogs/unreleased/ab-tie-breaker-order.yml

+---
+title: Let tie breaker order follow primary sort direction (API)
+merge_request: 22795
+author:
+type: changed

changelogs/unreleased/expose_is_using_seat_for_group_members.yml

+---
+title: Expose is_using_seat attribute for Member in API
+merge_request: 21496
+author:
+type: added

changelogs/unreleased/jhyson-doorkeeper_upgrade.yml

+---
+title: Upgrade Doorkeeper to 4.4.3 to address CVE-2018-1000211
+merge_request: 20953
+author:
+type: security

config/initializers/doorkeeper.rb

@@ -118,8 +118,8 @@ end
 # app created does not match the complete list of scopes of the configured app.
 # It also prevents the OAuth authorize application window to appear every time.
-# Remove after we upgrade the doorkeeper gem from version 4.3.2
-if Doorkeeper.gem_version > Gem::Version.new('4.3.2')
+# Remove after we upgrade the doorkeeper gem from version 4.x
+if Doorkeeper.gem_version > Gem::Version.new('5.0.0')
   raise "Doorkeeper was upgraded, please remove the monkey patch in #{__FILE__}"
 end