Whenever we already deal with a User object, let's use the more specific
method avatar_icon_for_user.

Replaces all the explicit include metadata syntax in the specs (tag:
true) into the implicit one (:tag).
Added a cop to prevent future errors and handle autocorrection.

This was caused by the `@projects` value being empty when the current
user does not have any personal projects.

Whenever you push to a branch GitLab will show a button to create a
merge request (should one not exist already). The underlying code to
display this data was quite inefficient. For example, it involved
multiple slow queries just to figure out what the most recent push event
was.

This commit changes the way this data is retrieved so it's much faster.
This is achieved by caching the ID of the last push event on every push,
which is then retrieved when loading certain pages. Database queries are
only executed if necessary and the cached data is removed automatically
once a merge request has been created, or 2 hours after being stored.

A trade-off of this approach is that we _only_ track the last event.
Previously if you were to push to branch A and B then create a merge
request for branch B we'd still show the widget for branch A. As of this
commit this is no longer the case, instead we will only show the widget
for the branch you pushed to most recently. Once a merge request exists
the widget is no longer displayed. Alternative solutions are either too
complex and/or too slow, hence the decision was made to settle for this
trade-off.

Performance Impact
------------------

In the best case scenario (= a user didn't push anything for more than 2
hours) we perform a single Redis GET per page. Should there be cached
data we will run a single (and lightweight) SQL query to get the
event data from the database. If a merge request already exists we will
run an additional DEL to remove the cache key.

The difference in response timings can vary a bit per project. On
GitLab.com the 99th percentile of time spent in User#recent_push hovers
between 100 milliseconds and 1 second, while the mean hovers around 50
milliseconds. With the changes in this MR the expected time spent in
User#recent_push is expected to be reduced down to just a few
milliseconds.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/35990

In some cases we pass an Array to this method which would previously
fail since Array does not respond to "limit_value".

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/3646

In various places we check if the same relation would return projects.
This is done using "any?" which will run a COUNT query with any
LIMIT/OFFSET values still applied.

To work around all this we introduce 2 helper methods that take care of
doing the right thing. This leads to the produced queries being simpler
and fewer queries being executed.

When sign-in is disabled:
 - skip password expiration checks
 - prevent password reset requests
 - don’t show Password tab in User Settings
 - don’t allow login with username/password for Git over HTTP requests
 - render 404 on requests to Profiles::PasswordsController

If internal auth is disabled and user is not an LDAP user, present
the user with an alert to create a personal access token if he does
not have one already.

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Fix for path disclosure in project import/export

See merge request !2080

https://gitlab.com/gitlab-org/gitlab-ce/issues/24007

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Projects::ForkService delegates to this service almost entirely, but needed
one small change so it would propagate create errors correctly.

CreateService#execute needs significant refactoring; it is now right at the
complexity limit set by Rubocop. I avoided doing so in this commit to keep the
diff as small as possible.

Several tests depend on the insecure behaviour of ForkService, so fi them up at
the same time.