Merge branch '11-9-stable-prepare-rc6' into '11-9-stable'

Prepare 11.9.0-rc6 release See merge request gitlab-org/gitlab-ce!26105

Merge branch '11-9-stable-prepare-rc6' into '11-9-stable'
697b4c62 · John Jarvis · d40b9c49 · 5841ecb7 · 697b4c62 · 697b4c62
Commit 697b4c62 authored 5 years ago by John Jarvis
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-1.26.0
+1.27.0
--- a/app/assets/javascripts/emoji/index.js
+++ b/app/assets/javascripts/emoji/index.js
@@ -33,10 +33,7 @@ export function initEmojiMap() {
      }
  
      axiosInstance
-        .get(
-          `${gon.asset_host || ''}${gon.relative_url_root ||
-            ''}/-/emojis/${EMOJI_VERSION}/emojis.json`,
-        )
+        .get(`${gon.relative_url_root || ''}/-/emojis/${EMOJI_VERSION}/emojis.json`)
        .then(({ data }) => {
          emojiMap = data;
          validEmojiNames = [...Object.keys(emojiMap), ...Object.keys(emojiAliases)];

--- a/app/assets/javascripts/pipelines/pipeline_details_mediator.js
+++ b/app/assets/javascripts/pipelines/pipeline_details_mediator.js
@@ -19,6 +19,7 @@ export default class pipelinesMediator {
    this.poll = new Poll({
      resource: this.service,
      method: 'getPipeline',
+      data: this.store.state.expandedPipelines ? this.getExpandedParameters() : undefined,
      successCallback: this.successCallback.bind(this),
      errorCallback: this.errorCallback.bind(this),
    });
@@ -56,6 +57,19 @@ export default class pipelinesMediator {
      .getPipeline()
      .then(response => this.successCallback(response))
      .catch(() => this.errorCallback())
-      .finally(() => this.poll.restart());
+      .finally(() =>
+        this.poll.restart(
+          this.store.state.expandedPipelines ? this.getExpandedParameters() : undefined,
+        ),
+      );
+  }
+
+  /**
+   * Backend expects paramets in the following format: `expanded[]=id&expanded[]=id`
+   */
+  getExpandedParameters() {
+    return {
+      expanded: this.store.state.expandedPipelines,
+    };
  }
 }
--- a/app/assets/javascripts/pipelines/services/pipeline_service.js
+++ b/app/assets/javascripts/pipelines/services/pipeline_service.js
@@ -5,8 +5,8 @@ export default class PipelineService {
    this.pipeline = endpoint;
  }
  
-  getPipeline() {
-    return axios.get(this.pipeline);
+  getPipeline(params) {
+    return axios.get(this.pipeline, { params });
  }
  
  // eslint-disable-next-line class-methods-use-this

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -26,7 +26,7 @@ class GroupPolicy < BasePolicy
  condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
  
  condition(:has_projects) do
-    GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true }).execute.any?
+    GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true, only_owned: true }).execute.any?
  end
  
  condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
@@ -55,6 +55,7 @@ class GroupPolicy < BasePolicy
  rule { has_projects }.policy do
    enable :read_list
    enable :read_label
+    enable :read_group
  end
  
  rule { has_access }.enable :read_namespace

--- a/changelogs/unreleased/modify_group_policy.yml
+++ b/changelogs/unreleased/modify_group_policy.yml
+---
+title: Allow project members to see private group if the project is in the group namespace
+merge_request:
+author:
+type: fixed
--- a/changelogs/unreleased/sh-fix-blank-codeowners-ce.yml
+++ b/changelogs/unreleased/sh-fix-blank-codeowners-ce.yml
+---
+title: Fix 500 error caused by CODEOWNERS with no matches
+merge_request: 26072
+author:
+type: fixed
--- a/changelogs/unreleased/sh-revert-rack-request-health-checks.yml
+++ b/changelogs/unreleased/sh-revert-rack-request-health-checks.yml
+---
+title: Fix health checks not working behind load balancers
+merge_request: 26055
+author:
+type: fixed
--- a/changelogs/unreleased/sh-rugged-commit-tree-entry.yml
+++ b/changelogs/unreleased/sh-rugged-commit-tree-entry.yml
+---
+title: Bring back Rugged implementation of commit_tree_entry
+merge_request: 25896
+author:
+type: other
--- a/config/application.rb
+++ b/config/application.rb
@@ -94,6 +94,7 @@ module Gitlab
    # - Webhook URLs (:hook)
    # - Sentry DSN (:sentry_dsn)
    # - File content from Web Editor (:content)
+    # - Jira shared secret (:sharedSecret)
    #
    # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
    #       introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
@@ -108,6 +109,7 @@ module Gitlab
      trace
      variables
      content
+      sharedSecret
    )
  
    # Enable escaping HTML in JSON.

--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -168,20 +168,21 @@ Alternatively, you can [lock the sharing with group feature](#share-with-group-l
 In GitLab Enterprise Edition it is possible to manage GitLab group memberships using LDAP groups.
 See [the GitLab Enterprise Edition documentation](../../integration/ldap.md) for more information.
  
-## Transfer groups to another group
+## Transferring groups
  
-From 10.5 there are two different ways to transfer a group:
+From GitLab 10.5, groups can be transferred in the following ways:
  
- Either by transferring a group into another group (making it a subgroup of that group).
- Or by converting a subgroup into a root group (a group with no parent).
+- Top-level groups can be transferred to a group, converting them into subgroups.
+- Subgroups can be transferred to a new parent group.
+- Subgroups can be transferred out from a parent group, converting them into top-level groups.
  
-Please make sure to understand that:
+When transferring groups, note:
  
- Changing a group's parent can have unintended side effects. See [Redirects when changing repository paths](https://docs.gitlab.com/ce/user/project/index.html#redirects-when-changing-repository-paths)
- You can only transfer the group to a group you manage.
+- Changing a group's parent can have unintended side effects. See [Redirects when changing repository paths](../project/index.md#redirects-when-changing-repository-paths).
+- You can only transfer groups to groups you manage.
 - You will need to update your local repositories to point to the new location.
- If the parent group's visibility is lower than the group current visibility, visibility levels for subgroups and projects will be changed to match the new parent group's visibility.
- Only explicit group membership is transferred, not the inherited membership. If this would leave the group without an owner, the transferring user is added as owner instead.
+- If the parent group's visibility is lower than the group's current visibility, visibility levels for subgroups and projects will be changed to match the new parent group's visibility.
+- Only explicit group membership is transferred, not inherited membership. If the group's owners have only inherited membership, this would leave the group without an owner. In this case, the user transferring the group becomes the group's owner.
  
 ## Group settings
  

--- a/lib/gitlab/git/commit.rb
+++ b/lib/gitlab/git/commit.rb
@@ -314,11 +314,16 @@ module Gitlab
      def tree_entry(path)
        return unless path.present?
  
+        commit_tree_entry(path)
+      end
+
+      def commit_tree_entry(path)
        # We're only interested in metadata, so limit actual data to 1 byte
        # since Gitaly doesn't support "send no data" option.
        entry = @repository.gitaly_commit_client.tree_entry(id, path, 1)
        return unless entry
  
+        # To be compatible with the rugged format
        entry = entry.to_h
        entry.delete(:data)
        entry[:name] = File.basename(path)

--- a/lib/gitlab/git/rugged_impl/commit.rb
+++ b/lib/gitlab/git/rugged_impl/commit.rb
@@ -43,6 +43,30 @@ module Gitlab
          end
        end
  
+        override :commit_tree_entry
+        def commit_tree_entry(path)
+          if Feature.enabled?(:rugged_commit_tree_entry)
+            rugged_tree_entry(path)
+          else
+            super
+          end
+        end
+
+        # Is this the same as Blob.find_entry_by_path ?
+        def rugged_tree_entry(path)
+          rugged_commit.tree.path(path)
+        rescue Rugged::TreeError
+          nil
+        end
+
+        def rugged_commit
+          @rugged_commit ||= if raw_commit.is_a?(Rugged::Commit)
+                               raw_commit
+                             else
+                               @repository.rev_parse_target(id)
+                             end
+        end
+
        def init_from_rugged(commit)
          author = commit.author
          committer = commit.committer

--- a/lib/gitlab/git/rugged_impl/repository.rb
+++ b/lib/gitlab/git/rugged_impl/repository.rb
@@ -12,7 +12,7 @@ module Gitlab
      module Repository
        extend ::Gitlab::Utils::Override
  
-        FEATURE_FLAGS = %i(rugged_find_commit rugged_tree_entries rugged_tree_entry rugged_commit_is_ancestor).freeze
+        FEATURE_FLAGS = %i(rugged_find_commit rugged_tree_entries rugged_tree_entry rugged_commit_is_ancestor rugged_commit_tree_entry).freeze
  
        def alternate_object_directories
          relative_object_directories.map { |d| File.join(path, d) }

--- a/lib/gitlab/middleware/basic_health_check.rb
+++ b/lib/gitlab/middleware/basic_health_check.rb
@@ -24,7 +24,13 @@ module Gitlab
      def call(env)
        return @app.call(env) unless env['PATH_INFO'] == HEALTH_PATH
  
-        request = ActionDispatch::Request.new(env)
+        # We should be using ActionDispatch::Request instead of
+        # Rack::Request to be consistent with Rails, but due to a Rails
+        # bug described in
+        # https://gitlab.com/gitlab-org/gitlab-ce/issues/58573#note_149799010
+        # hosts behind a load balancer will only see 127.0.0.1 for the
+        # load balancer's IP.
+        request = Rack::Request.new(env)
  
        return OK_RESPONSE if client_ip_whitelisted?(request)
  

--- a/lib/gitlab/request_context.rb
+++ b/lib/gitlab/request_context.rb
@@ -13,7 +13,13 @@ module Gitlab
    end
  
    def call(env)
-      req = ActionDispatch::Request.new(env)
+      # We should be using ActionDispatch::Request instead of
+      # Rack::Request to be consistent with Rails, but due to a Rails
+      # bug described in
+      # https://gitlab.com/gitlab-org/gitlab-ce/issues/58573#note_149799010
+      # hosts behind a load balancer will only see 127.0.0.1 for the
+      # load balancer's IP.
+      req = Rack::Request.new(env)
  
      Gitlab::SafeRequestStore[:client_ip] = req.ip
  

--- a/lib/gitlab/user_extractor.rb
+++ b/lib/gitlab/user_extractor.rb
@@ -16,6 +16,7 @@ module Gitlab
  
    def users
      return User.none unless @text.present?
+      return User.none if references.empty?
  
      @users ||= User.from_union(union_relations)
    end

--- a/qa/qa/specs/features/browser_ui/1_manage/project/add_project_member_spec.rb
+++ b/qa/qa/specs/features/browser_ui/1_manage/project/add_project_member_spec.rb
@@ -19,7 +19,7 @@ module QA
          page.add_member(user.username)
        end
  
-        expect(page).to have_content("#{user.name} @#{user.username} Given access")
+        expect(page).to have_content(/#{user.name} (. )?@#{user.username} Given access/)
      end
    end
  end

--- a/spec/factories/ci/pipelines.rb
+++ b/spec/factories/ci/pipelines.rb
@@ -82,6 +82,12 @@ FactoryBot.define do
        end
      end
  
+      trait :with_job do
+        after(:build) do |pipeline, evaluator|
+          pipeline.builds << build(:ci_build, pipeline: pipeline, project: pipeline.project)
+        end
+      end
+
      trait :auto_devops_source do
        config_source { Ci::Pipeline.config_sources[:auto_devops_source] }
      end

--- a/spec/features/security/group/private_access_spec.rb
+++ b/spec/features/security/group/private_access_spec.rb
@@ -27,7 +27,7 @@ describe 'Private Group access' do
    it { is_expected.to be_allowed_for(:developer).of(group) }
    it { is_expected.to be_allowed_for(:reporter).of(group) }
    it { is_expected.to be_allowed_for(:guest).of(group) }
-    it { is_expected.to be_denied_for(project_guest) }
+    it { is_expected.to be_allowed_for(project_guest) }
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
@@ -42,7 +42,7 @@ describe 'Private Group access' do
    it { is_expected.to be_allowed_for(:developer).of(group) }
    it { is_expected.to be_allowed_for(:reporter).of(group) }
    it { is_expected.to be_allowed_for(:guest).of(group) }
-    it { is_expected.to be_denied_for(project_guest) }
+    it { is_expected.to be_allowed_for(project_guest) }
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
@@ -58,7 +58,7 @@ describe 'Private Group access' do
    it { is_expected.to be_allowed_for(:developer).of(group) }
    it { is_expected.to be_allowed_for(:reporter).of(group) }
    it { is_expected.to be_allowed_for(:guest).of(group) }
-    it { is_expected.to be_denied_for(project_guest) }
+    it { is_expected.to be_allowed_for(project_guest) }
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
@@ -73,7 +73,7 @@ describe 'Private Group access' do
    it { is_expected.to be_allowed_for(:developer).of(group) }
    it { is_expected.to be_allowed_for(:reporter).of(group) }
    it { is_expected.to be_allowed_for(:guest).of(group) }
-    it { is_expected.to be_denied_for(project_guest) }
+    it { is_expected.to be_allowed_for(project_guest) }
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }
@@ -96,6 +96,7 @@ describe 'Private Group access' do
  
  describe 'GET /groups/:path for shared projects' do
    let(:project) { create(:project, :public) }
+
    before do
      Projects::GroupLinks::CreateService.new(
        project,