Add latest changes from gitlab-org/gitlab@master

Gemfile

@@ -420,7 +420,7 @@ end
 gem 'octokit', '~> 4.15'
 # https://gitlab.com/gitlab-org/gitlab/issues/207207
-gem 'gitlab-mail_room', '~> 0.0.2', require: 'mail_room'
+gem 'gitlab-mail_room', '~> 0.0.3', require: 'mail_room'
 gem 'email_reply_trimmer', '~> 0.1'
 gem 'html2text'

Gemfile.lock

@@ -388,7 +388,7 @@ GEM
       opentracing (~> 0.4)
       redis (> 3.0.0, < 5.0.0)
     gitlab-license (1.0.0)
-    gitlab-mail_room (0.0.2)
+    gitlab-mail_room (0.0.3)
     gitlab-markup (1.7.0)
     gitlab-net-dns (0.9.1)
     gitlab-puma (4.3.1.gitlab.2)
@@ -1235,7 +1235,7 @@ DEPENDENCIES
   gitlab-chronic (~> 0.10.5)
   gitlab-labkit (= 0.10.0)
   gitlab-license (~> 1.0)
-  gitlab-mail_room (~> 0.0.2)
+  gitlab-mail_room (~> 0.0.3)
   gitlab-markup (~> 1.7.0)
   gitlab-net-dns (~> 0.9.1)
   gitlab-puma (~> 4.3.1.gitlab.2)

app/controllers/application_controller.rb

@@ -34,6 +34,7 @@ class ApplicationController < ActionController::Base
   before_action :check_impersonation_availability
   before_action :required_signup_info
+  around_action :sessionless_bypass_admin_mode!, if: :sessionless_user?
   around_action :set_current_context
   around_action :set_locale
   around_action :set_session_storage

app/controllers/concerns/sessionless_authentication.rb

@@ -5,12 +5,6 @@
 # Controller concern to handle PAT, RSS, and static objects token authentication methods
 #
 module SessionlessAuthentication
-  extend ActiveSupport::Concern
-
-  included do
-    before_action :enable_admin_mode!, if: :sessionless_user?
-  end
-
   # This filter handles personal access tokens, atom requests with rss tokens, and static object tokens
   def authenticate_sessionless_user!(request_format)
     user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format)
@@ -32,9 +26,9 @@ module SessionlessAuthentication
     end
   end
-  def enable_admin_mode!
-    return unless Feature.enabled?(:user_mode_in_session)
-    current_user_mode.enable_sessionless_admin_mode!
+  def sessionless_bypass_admin_mode!(&block)
+    return yield unless Feature.enabled?(:user_mode_in_session)
+    Gitlab::Auth::CurrentUserMode.bypass_session!(current_user.id, &block)
   end
 end

app/controllers/graphql_controller.rb

@@ -15,6 +15,11 @@ class GraphqlController < ApplicationController
   before_action :authorize_access_api!
   before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
+  # Since we deactivate authentication from the main ApplicationController and
+  # defer it to :authorize_access_api!, we need to override the bypass session
+  # callback execution order here
+  around_action :sessionless_bypass_admin_mode!, if: :sessionless_user?
+
   def execute
     result = multiplex? ? execute_multiplex : execute_query

app/controllers/groups_controller.rb

@@ -195,7 +195,8 @@ class GroupsController < Groups::ApplicationController
       :require_two_factor_authentication,
       :two_factor_grace_period,
       :project_creation_level,
-      :subgroup_creation_level
+      :subgroup_creation_level,
+      :default_branch_protection
     ]
   end

app/models/deployment.rb

@@ -135,7 +135,7 @@ class Deployment < ApplicationRecord
   end
   def create_ref
-    project.repository.create_ref(ref, ref_path)
+    project.repository.create_ref(sha, ref_path)
   end
   def invalidate_cache
@@ -280,12 +280,12 @@ class Deployment < ApplicationRecord
     errors.add(:ref, _('The branch or tag does not exist'))
   end
-  private
-
   def ref_path
     File.join(environment.ref_path, 'deployments', iid.to_s)
   end
+  private
+
   def legacy_finished_at
     self.created_at if success? && !read_attribute(:finished_at)
   end

app/models/environment.rb

@@ -193,15 +193,6 @@ class Environment < ApplicationRecord
     folder_name == "production"
   end
-  def first_deployment_for(commit_sha)
-    ref = project.repository.ref_name_for_sha(ref_path, commit_sha)
-
-    return unless ref
-
-    deployment_iid = ref.split('/').last
-    deployments.find_by(iid: deployment_iid)
-  end
-
   def ref_path
     "refs/#{Repository::REF_ENVIRONMENTS}/#{slug}"
   end

app/models/namespace.rb

@@ -139,6 +139,10 @@ class Namespace < ApplicationRecord
     end
   end
+  def default_branch_protection
+    super || Gitlab::CurrentSettings.default_branch_protection
+  end
+
   def visibility_level_field
     :visibility_level
   end

app/models/project.rb

@@ -2359,6 +2359,12 @@ class Project < ApplicationRecord
     Gitlab::Routing.url_helpers.revoke_project_deploy_token_path(self, token)
   end
+  def default_branch_protected?
+    branch_protection = Gitlab::Access::BranchProtection.new(self.namespace.default_branch_protection)
+
+    branch_protection.fully_protected? || branch_protection.developer_can_merge?
+  end
+
   private
   def closest_namespace_setting(name)

app/models/protected_branch.rb

@@ -11,7 +11,8 @@ class ProtectedBranch < ApplicationRecord
   def self.protected_ref_accessible_to?(ref, user, project:, action:, protected_refs: nil)
     # Maintainers, owners and admins are allowed to create the default branch
-    if default_branch_protected? && project.empty_repo?
+
+    if project.empty_repo? && project.default_branch_protected?
       return true if user.admin? || project.team.max_member_access(user.id) > Gitlab::Access::DEVELOPER
     end
@@ -20,7 +21,7 @@ class ProtectedBranch < ApplicationRecord
   # Check if branch name is marked as protected in the system
   def self.protected?(project, ref_name)
-    return true if project.empty_repo? && default_branch_protected?
+    return true if project.empty_repo? && project.default_branch_protected?
     self.matching(ref_name, protected_refs: protected_refs(project)).present?
   end
@@ -33,11 +34,6 @@ class ProtectedBranch < ApplicationRecord
     end
   end
-  def self.default_branch_protected?
-    Gitlab::CurrentSettings.default_branch_protection == Gitlab::Access::PROTECTION_FULL ||
-      Gitlab::CurrentSettings.default_branch_protection == Gitlab::Access::PROTECTION_DEV_CAN_MERGE
-  end
-
   def self.protected_refs(project)
     project.protected_branches
   end

app/services/issues/import_csv_service.rb

@@ -21,8 +21,19 @@ module Issues
     def process_csv
       csv_data = @csv_io.open(&:read).force_encoding(Encoding::UTF_8)
-      CSV.new(csv_data, col_sep: detect_col_sep(csv_data.lines.first), headers: true).each.with_index(2) do |row, line_no|
-        issue = Issues::CreateService.new(@project, @user, title: row[0], description: row[1]).execute
+      csv_parsing_params = {
+        col_sep: detect_col_sep(csv_data.lines.first),
+        headers: true,
+        header_converters: :symbol
+      }
+
+      CSV.new(csv_data, csv_parsing_params).each.with_index(2) do |row, line_no|
+        issue_attributes = {
+          title:       row[:title],
+          description: row[:description]
+        }
+
+        issue = Issues::CreateService.new(@project, @user, issue_attributes).execute
         if issue.persisted?
           @results[:success] += 1

app/services/projects/protect_default_branch_service.rb

@@ -11,7 +11,7 @@ module Projects
       @project = project
       @default_branch_protection = Gitlab::Access::BranchProtection
-        .new(Gitlab::CurrentSettings.default_branch_protection)
+        .new(project.namespace.default_branch_protection)
     end
     def execute

app/views/admin/application_settings/_visibility_and_access.html.haml

@@ -2,9 +2,8 @@
   = form_errors(@application_setting)
   %fieldset
-    .form-group
-      = f.label :default_branch_protection, class: 'label-bold'
-      = f.select :default_branch_protection, options_for_select(Gitlab::Access.protection_options, @application_setting.default_branch_protection), {}, class: 'form-control'
+    = render 'shared/default_branch_protection', f: f, selected_level: @application_setting.default_branch_protection
+
     .form-group
       = f.label s_('ProjectCreationLevel|Default project creation protection'), class: 'label-bold'
       = f.select :default_project_creation, options_for_select(Gitlab::Access.project_creation_options, @application_setting.default_project_creation), {}, class: 'form-control'

app/views/groups/settings/_permissions.html.haml

@@ -33,6 +33,7 @@
     = render_if_exists 'groups/settings/ip_restriction', f: f, group: @group
     = render_if_exists 'groups/settings/allowed_email_domain', f: f, group: @group
     = render 'groups/settings/lfs', f: f
+    = render 'shared/default_branch_protection', f: f, selected_level: @group.default_branch_protection
     = render 'groups/settings/project_creation_level', f: f, group: @group
     = render 'groups/settings/subgroup_creation_level', f: f, group: @group
     = render 'groups/settings/two_factor_auth', f: f

app/views/shared/_default_branch_protection.html.haml

+.form-group
+  = f.label :default_branch_protection, class: 'label-bold'
+  = f.select :default_branch_protection, options_for_select(Gitlab::Access.protection_options, selected_level), {}, class: 'form-control'

changelogs/unreleased/193170-fix-deployment-ref-validation.yml

+---
+title: Use of sha instead of ref when creating a new ref on deployment creation.
+merge_request: 23170
+author:
+type: fixed

changelogs/unreleased/207927-validate-actor-user-against-codeowners.yml

+---
+title: Validate actor against CODEOWNERS entries
+merge_request:
+author:
+type: fixed

changelogs/unreleased/208151-code-review-analytics-shows-no-data-for-mrs-in-review-for-less-tha.yml

+---
+title: 'Code Review Analytics: Fix review time display'
+merge_request: 26057
+author:
+type: fixed

changelogs/unreleased/7583-developer-cannot-push-to-projects-they-create-in-groups.yml

+---
+title: Introduce default branch protection at the group level
+merge_request: 24426
+author:
+type: added