Add latest changes from gitlab-org/gitlab@master

c8f773a8 · GitLab Bot · 929b887e · c8f773a8 · c8f773a8 · c8f773a8
Commit c8f773a8 authored 5 years ago by GitLab Bot
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -545,7 +545,8 @@ class Note < ApplicationRecord
      # if they are not equal, then there are private/confidential references as well
      user_visible_reference_count > 0 && user_visible_reference_count == total_reference_count
    else
-      referenced_mentionables(user).any?
+      refs = all_references(user)
+      refs.all.any? && refs.stateful_not_visible_counter == 0
    end
  end
  

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2366,6 +2366,10 @@ class Project < ApplicationRecord
    end
  end
  
+  def template_source?
+    false
+  end
+
  private
  
  def closest_namespace_setting(name)

--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -21,6 +21,14 @@ class BasePolicy < DeclarativePolicy::Base
  with_options scope: :user, score: 0
  condition(:deactivated) { @user&.deactivated? }
  
+  desc "User email is unconfirmed or user account is locked"
+  with_options scope: :user, score: 0
+  condition(:inactive) do
+    Feature.enabled?(:inactive_policy_condition, default_enabled: true) &&
+      @user &&
+      !@user&.active_for_authentication?
+  end
+
  with_options scope: :user, score: 0
  condition(:external_user) { @user.nil? || @user.external? }
  

--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -36,6 +36,13 @@ class GlobalPolicy < BasePolicy
    enable :use_slash_commands
  end
  
+  rule { inactive }.policy do
+    prevent :log_in
+    prevent :access_api
+    prevent :access_git
+    prevent :use_slash_commands
+  end
+
  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api

--- a/app/presenters/event_presenter.rb
+++ b/app/presenters/event_presenter.rb
@@ -3,6 +3,18 @@
 class EventPresenter < Gitlab::View::Presenter::Delegated
  presents :event
  
+  def initialize(subject, **attributes)
+    super
+
+    @visible_to_user_cache = ActiveSupport::Cache::MemoryStore.new
+  end
+
+  # Caching `visible_to_user?` method in the presenter beause it might be called multiple times.
+  def visible_to_user?(user = nil)
+    @visible_to_user_cache.fetch(user&.id) { super(user) }
+  end
+
+  # implement cache here
  def resource_parent_name
    resource_parent&.full_name || ''
  end

--- a/app/services/compare_service.rb
+++ b/app/services/compare_service.rb
@@ -18,7 +18,7 @@ class CompareService
    return unless raw_compare && raw_compare.base && raw_compare.head
  
    Compare.new(raw_compare,
-                target_project,
+                start_project,
                base_sha: base_sha,
                straight: straight)
  end

--- a/app/services/projects/group_links/destroy_service.rb
+++ b/app/services/projects/group_links/destroy_service.rb
@@ -6,6 +6,12 @@ module Projects
      def execute(group_link)
        return false unless group_link
  
+        if group_link.project.private?
+          TodosDestroyer::ProjectPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, project.id)
+        else
+          TodosDestroyer::ConfidentialIssueWorker.perform_in(Todo::WAIT_FOR_DELETE, nil, project.id)
+        end
+
        group_link.destroy
      end
    end

--- a/app/services/projects/import_export/export_service.rb
+++ b/app/services/projects/import_export/export_service.rb
@@ -4,6 +4,12 @@ module Projects
  module ImportExport
    class ExportService < BaseService
      def execute(after_export_strategy = nil, options = {})
+        unless project.template_source? || can?(current_user, :admin_project, project)
+          raise ::Gitlab::ImportExport::Error.new(
+            "User with ID: %s does not have permission to Project %s with ID: %s." %
+              [current_user.id, project.name, project.id])
+        end
+
        @shared = project.import_export_shared
  
        save_all!

--- a/app/views/projects/settings/operations/_grafana_integration.html.haml
+++ b/app/views/projects/settings/operations/_grafana_integration.html.haml
 .js-grafana-integration{ data: { operations_settings_endpoint: project_settings_operations_path(@project),
-  grafana_integration: { url: grafana_integration_url, token: grafana_integration_token, enabled: grafana_integration_enabled?.to_s } } }
+  grafana_integration: { url: grafana_integration_url, token: grafana_integration_masked_token, enabled: grafana_integration_enabled?.to_s } } }
--- a/changelogs/unreleased/199211-fix-user-popover-glitch.yml
+++ b/changelogs/unreleased/199211-fix-user-popover-glitch.yml
+---
+title: Fix user popover glitch
+merge_request: 23904
+author:
+type: fixed
--- a/changelogs/unreleased/nicolasdular-broadcast-type-api.yml
+++ b/changelogs/unreleased/nicolasdular-broadcast-type-api.yml
+---
+title: Add broadcast type to API
+merge_request:
+author:
+type: changed
--- a/changelogs/unreleased/sarnold-197129-graphql-feature-flag.yml
+++ b/changelogs/unreleased/sarnold-197129-graphql-feature-flag.yml
+---
+title: Add ability to hide GraphQL fields using GitLab Feature flags
+merge_request: 23563
+author:
+type: added
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -959,9 +959,9 @@ production: &base
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
    #   # encryption: 'AES256'
    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
-    #   #   This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+    #   #   This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data.
    #   #   'encryption' must also be set in order for this to have any effect.
-    #   # encryption_key: '<base64 key>'
+    #   # encryption_key: '<key>'
    #   # Specifies Amazon S3 storage class to use for backups, this is optional
    #   # storage_class: 'STANDARD'
  

--- a/doc/api/broadcast_messages.md
+++ b/doc/api/broadcast_messages.md
@@ -35,7 +35,8 @@ Example response:
        "font":"#FFFFFF",
        "id":1,
        "active": false,
-        "target_path": "*/welcome"
+        "target_path": "*/welcome",
+        "broadcast_type": "banner"
    }
 ]
 ```
@@ -71,7 +72,8 @@ Example response:
    "font":"#FFFFFF",
    "id":1,
    "active":false,
-    "target_path": "*/welcome"
+    "target_path": "*/welcome",
+    "broadcast_type": "banner"
 }
 ```
  
@@ -92,6 +94,8 @@ Parameters:
 | `ends_at`   | datetime | no       | Ending time (defaults to one hour from current time). |
 | `color`     | string   | no       | Background color hex code.                            |
 | `font`      | string   | no       | Foreground color hex code.                            |
+| `target_path`| string  | no       | Target path of the broadcast message.                 |
+| `broadcast_type`| string | no     | Appearance type (defaults to banner)                  |
  
 Example request:
  
@@ -110,7 +114,8 @@ Example response:
    "font":"#FFFFFF",
    "id":1,
    "active": true,
-    "target_path": "*/welcome"
+    "target_path": "*/welcome",
+    "broadcast_type": "notification",
 }
 ```
  
@@ -132,6 +137,8 @@ Parameters:
 | `ends_at`   | datetime | no       | Ending time.                       |
 | `color`     | string   | no       | Background color hex code.         |
 | `font`      | string   | no       | Foreground color hex code.         |
+| `target_path`| string  | no       | Target path of the broadcast message. |
+| `broadcast_type`| string | no     | Appearance type (defaults to banner) |
  
 Example request:
  
@@ -150,7 +157,8 @@ Example response:
    "font":"#FFFFFF",
    "id":1,
    "active": true,
-    "target_path": "*/welcome"
+    "target_path": "*/welcome",
+    "broadcast_type": "notification",
 }
 ```
  

--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -2658,9 +2658,9 @@ type GrafanaIntegration {
  id: ID!
  
  """
-  API token for the Grafana integration
+  API token for the Grafana integration. Field is permanently masked.
  """
-  token: String!
+  token: String! @deprecated(reason: "Plain text token has been masked for security reasons")
  
  """
  Timestamp of the issue's last activity

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -17380,7 +17380,7 @@
            },
            {
              "name": "token",
-              "description": "API token for the Grafana integration",
+              "description": "API token for the Grafana integration. Field is permanently masked.",
              "args": [
  
              ],
@@ -17393,8 +17393,8 @@
                  "ofType": null
                }
              },
-              "isDeprecated": false,
-              "deprecationReason": null
+              "isDeprecated": true,
+              "deprecationReason": "Plain text token has been masked for security reasons"
            },
            {
              "name": "updatedAt",

--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -403,7 +403,7 @@ Autogenerated return type of EpicTreeReorder
 | `enabled` | Boolean! | Indicates whether Grafana integration is enabled |
 | `grafanaUrl` | String! | Url for the Grafana host for the Grafana integration |
 | `id` | ID! | Internal ID of the Grafana integration |
-| `token` | String! | API token for the Grafana integration |
+| `token` | String! | API token for the Grafana integration. Field is permanently masked. |
 | `updatedAt` | Time! | Timestamp of the issue's last activity |
  
 ## Group

--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -266,8 +266,8 @@ You can enable profile syncing from selected OmniAuth providers and for all or f
 When authenticating using LDAP, the user's name and email are always synced.
  
 ```ruby
-gitlab_rails['sync_profile_from_provider'] = ['twitter', 'google_oauth2']
-gitlab_rails['sync_profile_attributes'] = ['name', 'email', 'location']
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['twitter', 'google_oauth2']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email', 'location']
 ```
  
 **For installations from source**

--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
@@ -355,10 +355,10 @@ For installations from source:
         # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
         # encryption: 'AES256'
         # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
-         #   This should be set to the base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+         #   This should be set to the encryption key for Amazon S3 to use to encrypt or decrypt your data.
         #   'encryption' must also be set in order for this to have any effect.
         #   To avoid storing the key on disk, the key can also be specified via the `GITLAB_BACKUP_ENCRYPTION_KEY` environment variable.
-         # encryption_key: '<base64 key>'
+         # encryption_key: '<key>'
         # Specifies Amazon S3 storage class to use for backups, this is optional
         # storage_class: 'STANDARD'
   ```

--- a/doc/user/asciidoc.md
+++ b/doc/user/asciidoc.md
@@ -221,6 +221,11 @@ include::basics.adoc[]
 include::https://example.org/installation.adoc[]
 ```
  
+To guarantee good system performance and prevent malicious documents causing
+problems, GitLab enforces a **maximum limit** on the number of include directives
+processed in any one document. Currently a total of 32 documents can be
+included, a number that is inclusive of transitive dependencies.
+
 ### Blocks
  
 ```asciidoc