Merge remote-tracking branch 'upstream/master' into qa-clone-with-deploy-key

* upstream/master: (69 commits)
  Change issue show page to group MRs by projects and namespaces
  Merge branch 'master-i18n' into 'master'
  Update sidekiq_style_guide.md
  Document all_queues.yml in sidekiq_style_guide.md
  Fix artifact creation
  Fix Error 500s creating merge requests with external issue tracker
  Addressed mr observations
  Clean new Flash() and stop disabling no-new (eslint) when possible
  Disable query limiting warnings for now on GitLab.com
  Dry up spec
  Add changelog entry
  Schedule PopulateUntrackedUploads if needed
  Fix orphan temp table untracked_files_for_uploads
  Fix last batch size equals max batch size error
  Revert "Merge branch 'rd-40552-gitlab-should-check-if-keys-are-valid-before-saving' into 'master'"
  Fix warning messages for promoting labels and milestones
  Fixed missing js selector for the realtime pipelines commit comp
  Reuse getter Add loading button for better UX
  Honour workhorse provided file name
  Fix a transient failure in db/post_migrate/20170717111152_cleanup_move_system_upload_folder_symlink.rb where symlink already exists
  ...

app/assets/stylesheets/pages/environments.scss

@@ -121,6 +121,10 @@
       width: 100%;
       text-align: left;
     }
+
+    .environment-child-row {
+      padding-left: 20px;
+    }
   }
 }

app/assets/stylesheets/pages/issues.scss

@@ -181,11 +181,6 @@ ul.related-merge-requests > li {
 }
 .create-mr-dropdown-wrap {
-  .branch-message,
-  .ref-message {
-    display: none;
-  }
-
   .ref::selection {
     color: $placeholder-text-color;
   }
@@ -216,6 +211,17 @@ ul.related-merge-requests > li {
     transform: translateY(0);
     display: none;
     margin-top: 4px;
+
+    // override dropdown item styles
+    .btn.btn-success {
+      @include btn-default;
+      @include btn-green;
+
+      border-style: solid;
+      border-width: 1px;
+      line-height: $line-height-base;
+      width: auto;
+    }
   }
   .create-merge-request-dropdown-toggle {
@@ -225,66 +231,6 @@ ul.related-merge-requests > li {
       margin-left: 0;
     }
   }
-
-  .droplab-item-ignore {
-    pointer-events: auto;
-  }
-
-  .create-item {
-    cursor: pointer;
-    margin: 0 1px;
-
-    &:hover,
-    &:focus {
-      background-color: $dropdown-item-hover-bg;
-      color: $gl-text-color;
-    }
-  }
-
-  li.divider {
-    margin: 8px 10px;
-  }
-
-  li:not(.divider) {
-    padding: 8px 9px;
-
-    &:last-child {
-      padding-bottom: 8px;
-    }
-
-    &.droplab-item-selected {
-      .icon-container {
-        i {
-          visibility: visible;
-        }
-      }
-
-      .description {
-        display: block;
-      }
-    }
-
-    &.droplab-item-ignore {
-      padding-top: 8px;
-    }
-
-    .icon-container {
-      float: left;
-
-      i {
-        visibility: hidden;
-      }
-    }
-
-    .description {
-      padding-left: 22px;
-    }
-
-    input,
-    span {
-      margin: 4px 0 0;
-    }
-  }
 }
 .discussion-reply-holder .note-edit-form {

app/controllers/import/base_controller.rb

@@ -2,26 +2,16 @@ class Import::BaseController < ApplicationController
   private
   def find_or_create_namespace(names, owner)
-    return current_user.namespace if names == owner
-    return current_user.namespace unless current_user.can_create_group?
-
     names = params[:target_namespace].presence || names
-    full_path_namespace = Namespace.find_by_full_path(names)
-    return full_path_namespace if full_path_namespace
-    names.split('/').inject(nil) do |parent, name|
-      begin
-        namespace = Group.create!(name: name,
-                                  path: name,
-                                  owner: current_user,
-                                  parent: parent)
-        namespace.add_owner(current_user)
-        namespace
-      rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
-        Namespace.where(parent: parent).find_by_path_or_name(name)
-      end
-    end
+    return current_user.namespace if names == owner
+
+    group = Groups::NestedCreateService.new(current_user, group_path: names).execute
+    group.errors.any? ? current_user.namespace : group
+  rescue => e
+    Gitlab::AppLogger.error(e)
+    current_user.namespace
   end
 end

app/controllers/import/bitbucket_controller.rb

@@ -37,24 +37,30 @@ class Import::BitbucketController < Import::BaseController
   def create
     bitbucket_client = Bitbucket::Client.new(credentials)
-    @repo_id = params[:repo_id].to_s
-    name = @repo_id.gsub('___', '/')
+    repo_id = params[:repo_id].to_s
+    name = repo_id.gsub('___', '/')
     repo = bitbucket_client.repo(name)
-    @project_name = params[:new_name].presence || repo.name
+    project_name = params[:new_name].presence || repo.name
     repo_owner = repo.owner
     repo_owner = current_user.username if repo_owner == bitbucket_client.user.username
     namespace_path = params[:new_namespace].presence || repo_owner
-    @target_namespace = find_or_create_namespace(namespace_path, current_user)
-
-    if current_user.can?(:create_projects, @target_namespace)
+    target_namespace = find_or_create_namespace(namespace_path, current_user)
+    if current_user.can?(:create_projects, target_namespace)
       # The token in a session can be expired, we need to get most recent one because
       # Bitbucket::Connection class refreshes it.
       session[:bitbucket_token] = bitbucket_client.connection.token
-      @project = Gitlab::BitbucketImport::ProjectCreator.new(repo, @project_name, @target_namespace, current_user, credentials).execute
+
+      project = Gitlab::BitbucketImport::ProjectCreator.new(repo, project_name, target_namespace, current_user, credentials).execute
+
+      if project.persisted?
+        render json: ProjectSerializer.new.represent(project)
+      else
+        render json: { errors: project.errors.full_messages }, status: :unprocessable_entity
+      end
     else
-      render 'unauthorized'
+      render json: { errors: 'This namespace has already been taken! Please choose another one.' }, status: :unprocessable_entity
     end
   end

app/controllers/import/fogbugz_controller.rb

@@ -58,17 +58,17 @@ class Import::FogbugzController < Import::BaseController
   end
   def create
-    @repo_id = params[:repo_id]
-    repo = client.repo(@repo_id)
+    repo = client.repo(params[:repo_id])
     fb_session = { uri: session[:fogbugz_uri], token: session[:fogbugz_token] }
-    @target_namespace = current_user.namespace
-    @project_name = repo.name
-
-    namespace = @target_namespace
-
     umap = session[:fogbugz_user_map] || client.user_map
-    @project = Gitlab::FogbugzImport::ProjectCreator.new(repo, fb_session, namespace, current_user, umap).execute
+    project = Gitlab::FogbugzImport::ProjectCreator.new(repo, fb_session, current_user.namespace, current_user, umap).execute
+
+    if project.persisted?
+      render json: ProjectSerializer.new.represent(project)
+    else
+      render json: { errors: project.errors.full_messages }, status: :unprocessable_entity
+    end
   end
   private

app/controllers/import/github_controller.rb

@@ -36,16 +36,21 @@ class Import::GithubController < Import::BaseController
   end
   def create
-    @repo_id = params[:repo_id].to_i
-    repo = client.repo(@repo_id)
-    @project_name = params[:new_name].presence || repo.name
+    repo = client.repo(params[:repo_id].to_i)
+    project_name = params[:new_name].presence || repo.name
     namespace_path = params[:target_namespace].presence || current_user.namespace_path
-    @target_namespace = find_or_create_namespace(namespace_path, current_user.namespace_path)
-    if can?(current_user, :create_projects, @target_namespace)
-      @project = Gitlab::LegacyGithubImport::ProjectCreator.new(repo, @project_name, @target_namespace, current_user, access_params, type: provider).execute
+    target_namespace = find_or_create_namespace(namespace_path, current_user.namespace_path)
+    if can?(current_user, :create_projects, target_namespace)
+      project = Gitlab::LegacyGithubImport::ProjectCreator.new(repo, project_name, target_namespace, current_user, access_params, type: provider).execute
+
+      if project.persisted?
+        render json: ProjectSerializer.new.represent(project)
+      else
+        render json: { errors: project.errors.full_messages }, status: :unprocessable_entity
+      end
     else
-      render 'unauthorized'
+      render json: { errors: 'This namespace has already been taken! Please choose another one.' }, status: :unprocessable_entity
     end
   end

app/controllers/import/gitlab_controller.rb

@@ -24,15 +24,19 @@ class Import::GitlabController < Import::BaseController
   end
   def create
-    @repo_id = params[:repo_id].to_i
-    repo = client.project(@repo_id)
-    @project_name = repo['name']
-    @target_namespace = find_or_create_namespace(repo['namespace']['path'], client.user['username'])
-    if current_user.can?(:create_projects, @target_namespace)
-      @project = Gitlab::GitlabImport::ProjectCreator.new(repo, @target_namespace, current_user, access_params).execute
+    repo = client.project(params[:repo_id].to_i)
+    target_namespace = find_or_create_namespace(repo['namespace']['path'], client.user['username'])
+    if current_user.can?(:create_projects, target_namespace)
+      project = Gitlab::GitlabImport::ProjectCreator.new(repo, target_namespace, current_user, access_params).execute
+
+      if project.persisted?
+        render json: ProjectSerializer.new.represent(project)
+      else
+        render json: { errors: project.errors.full_messages }, status: :unprocessable_entity
+      end
     else
-      render 'unauthorized'
+      render json: { errors: 'This namespace has already been taken! Please choose another one.' }, status: :unprocessable_entity
     end
   end

app/controllers/import/google_code_controller.rb

@@ -85,16 +85,16 @@ class Import::GoogleCodeController < Import::BaseController
   end
   def create
-    @repo_id = params[:repo_id]
-    repo = client.repo(@repo_id)
-    @target_namespace = current_user.namespace
-    @project_name = repo.name
-
-    namespace = @target_namespace
-
+    repo = client.repo(params[:repo_id])
     user_map = session[:google_code_user_map]
-    @project = Gitlab::GoogleCodeImport::ProjectCreator.new(repo, namespace, current_user, user_map).execute
+    project = Gitlab::GoogleCodeImport::ProjectCreator.new(repo, current_user.namespace, current_user, user_map).execute
+
+    if project.persisted?
+      render json: ProjectSerializer.new.represent(project)
+    else
+      render json: { errors: project.errors.full_messages }, status: :unprocessable_entity
+    end
   end
   private

app/controllers/projects/issues_controller.rb

@@ -122,8 +122,7 @@ class Projects::IssuesController < Projects::ApplicationController
   end
   def referenced_merge_requests
-    @merge_requests = @issue.referenced_merge_requests(current_user)
-    @closed_by_merge_requests = @issue.closed_by_merge_requests(current_user)
+    @merge_requests, @closed_by_merge_requests = ::Issues::FetchReferencedMergeRequestsService.new(project, current_user).execute(issue)
     respond_to do |format|
       format.json do

app/finders/snippets_finder.rb

+# Snippets Finder
+#
+# Used to filter Snippets collections by a set of params
+#
+# Arguments.
+#
+# current_user - The current user, nil also can be used.
+# params:
+#   visibility (integer) - Individual snippet visibility: Public(20), internal(10) or private(0).
+#   project (Project) - Project related.
+#   author (User) - Author related.
+#
+# params are optional
 class SnippetsFinder < UnionFinder
-  attr_accessor :current_user, :params
+  include Gitlab::Allowable
+  attr_accessor :current_user, :params, :project
   def initialize(current_user, params = {})
     @current_user = current_user
     @params = params
+    @project = params[:project]
   end
   def execute
     items = init_collection
-    items = by_project(items)
     items = by_author(items)
     items = by_visibility(items)
@@ -18,25 +32,42 @@ class SnippetsFinder < UnionFinder
   private
   def init_collection
-    items = Snippet.all
-    accessible(items)
+    if project.present?
+      authorized_snippets_from_project
+    else
+      authorized_snippets
+    end
+  end
+  def authorized_snippets_from_project
+    if can?(current_user, :read_project_snippet, project)
+      if project.team.member?(current_user)
+        project.snippets
+      else
+        project.snippets.public_to_user(current_user)
+      end
+    else
+      Snippet.none
+    end
   end
-  def accessible(items)
-    segments = []
-    segments << items.public_to_user(current_user)
-    segments << authorized_to_user(items)  if current_user
-    find_union(segments, Snippet.includes(:author))
+  def authorized_snippets
+    Snippet.where(feature_available_projects.or(not_project_related)).public_or_visible_to_user(current_user)
+  end
+  def feature_available_projects
+    projects = Project.public_or_visible_to_user(current_user)
+      .with_feature_available_for_user(:snippets, current_user).select(:id)
+    arel_query = Arel::Nodes::SqlLiteral.new(projects.to_sql)
+    table[:project_id].in(arel_query)
   end
-  def authorized_to_user(items)
-    items.where(
-      'author_id = :author_id
-       OR project_id IN (:project_ids)',
-       author_id: current_user.id,
-       project_ids: current_user.authorized_projects.select(:id))
+  def not_project_related
+    table[:project_id].eq(nil)
+  end
+
+  def table
+    Snippet.arel_table
   end
   def by_visibility(items)
@@ -53,12 +84,6 @@ class SnippetsFinder < UnionFinder
     items.where(author_id: params[:author].id)
   end
-  def by_project(items)
-    return items unless params[:project]
-
-    items.where(project_id: params[:project].id)
-  end
-
   def visibility_from_scope
     case params[:scope].to_s
     when 'are_private'

app/models/key.rb

@@ -33,8 +33,9 @@ class Key < ActiveRecord::Base
   after_destroy :refresh_user_cache
   def key=(value)
-    write_attribute(:key, value.present? ? Gitlab::SSHPublicKey.sanitize(value) : nil)
-
+    value&.delete!("\n\r")
+    value.strip! unless value.blank?
+    write_attribute(:key, value)
     @public_key = nil
   end
@@ -96,7 +97,7 @@ class Key < ActiveRecord::Base
   def generate_fingerprint
     self.fingerprint = nil
-    return unless public_key.valid?
+    return unless self.key.present?
     self.fingerprint = public_key.fingerprint
   end

app/models/project.rb

@@ -1589,8 +1589,11 @@ class Project < ActiveRecord::Base
   end
   def protected_for?(ref)
-    ProtectedBranch.protected?(self, ref) ||
+    if repository.branch_exists?(ref)
+      ProtectedBranch.protected?(self, ref)
+    elsif repository.tag_exists?(ref)
       ProtectedTag.protected?(self, ref)
+    end
   end
   def deployment_variables

app/models/snippet.rb

@@ -74,6 +74,27 @@ class Snippet < ActiveRecord::Base
     @link_reference_pattern ||= super("snippets", /(?<snippet>\d+)/)
   end
+  # Returns a collection of snippets that are either public or visible to the
+  # logged in user.
+  #
+  # This method does not verify the user actually has the access to the project
+  # the snippet is in, so it should be only used on a relation that's already scoped
+  # for project access
+  def self.public_or_visible_to_user(user = nil)
+    if user
+      authorized = user
+        .project_authorizations
+        .select(1)
+        .where('project_authorizations.project_id = snippets.project_id')
+
+      levels = Gitlab::VisibilityLevel.levels_for_user(user)
+
+      where('EXISTS (?) OR snippets.visibility_level IN (?) or snippets.author_id = (?)', authorized, levels, user.id)
+    else
+      public_to_user
+    end
+  end
+
   def to_reference(from = nil, full: false)
     reference = "#{self.class.reference_prefix}#{id}"

app/policies/project_policy.rb

@@ -119,7 +119,6 @@ class ProjectPolicy < BasePolicy
     enable :create_note
     enable :upload_file
     enable :read_cycle_analytics
-    enable :read_project_snippet
   end
   rule { can?(:reporter_access) }.policy do

app/serializers/project_serializer.rb

+class ProjectSerializer < BaseSerializer
+  entity ProjectEntity
+end

app/services/groups/nested_create_service.rb

@@ -11,8 +11,8 @@ module Groups
     def execute
       return nil unless group_path
-      if group = Group.find_by_full_path(group_path)
-        return group
+      if namespace = namespace_or_group(group_path)
+        return namespace
       end
       if group_path.include?('/') && !Group.supports_nested_groups?
@@ -40,10 +40,14 @@ module Groups
         )
         new_params[:visibility_level] ||= Gitlab::CurrentSettings.current_application_settings.default_group_visibility
-        last_group = Group.find_by_full_path(partial_path) || Groups::CreateService.new(current_user, new_params).execute
+        last_group = namespace_or_group(partial_path) || Groups::CreateService.new(current_user, new_params).execute
       end
       last_group
     end
+
+    def namespace_or_group(group_path)
+      Namespace.find_by_full_path(group_path)
+    end
   end
 end