Only render fixed number of mermaid blocks

See merge request gitlab/gitlabhq!3413

Hide disabled project milestones in project settings on group level

See merge request gitlab/gitlabhq!3416

Redirect user to root path after unsubscribing from private resource

See merge request gitlab/gitlabhq!3418

Add policy check if cross reference system notes are accessible

See merge request gitlab/gitlabhq!3428

Cancel all running CI jobs when user is blocked

See merge request gitlab/gitlabhq!3438

Filter not accessible label events

See merge request gitlab/gitlabhq!3442

Add argument to catch

See merge request gitlab-org/gitlab-ee!15911

Label events may use cross-project or cross-group references,
if the projects are not accessible by user, we don't show these
label events.

This prevents a MITM attack where attacker could
still access Git repository if any jobs were
running long enough.

If user unsubsrcribes from a resource that they no longer have
access to they should not be revealed the resource path, but be
redirected to app root instead.

https://gitlab.com/gitlab-org/gitlab-ce/issues/64938

[ci skip]

[ci skip]

Prepare 12.1.10 release

See merge request gitlab-org/gitlab-foss!32979

Mayra Cabrera authored 5 years ago and John Jarvis committed 5 years ago

Fix order-dependent spec failures with reCAPTCHA

Closes #67133

See merge request gitlab-org/gitlab-ce!32771

[12-1-stable] Re-add ignore_column for import columns

See merge request gitlab-org/gitlab-foss!32977

This `ignore_column` was present for a while but recently removed, but
to ensure we don't get error 500s let's keep it for a while.

[ci skip]

Set max-age and secure flag for pages auth cookies

See merge request gitlab/gitlabhq!3380

[ci skip]

Jan Provaznik authored 5 years ago and John Skarbek committed 5 years ago

Merge branch '66641-broken-master-real-http-connections-are-disabled-unregistered-request' into 'master'

Use `stub_full_request` to fix spec failure

Closes #66641

See merge request gitlab-org/gitlab-ce!32259

This reverts commit 4f6293e2.

Return NO_ACCESS if user is nil

See merge request gitlab/gitlabhq!3389

Heinrich Lee Yu authored 5 years ago and Patrick Derichs committed 5 years ago

Also change test URL sequest to .test TLD

[ci skip]

Avoid exposing unaccessible repo data upon GFM post processing

See merge request gitlab/gitlabhq!3383

When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.

This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.

Additionally, if we're processing for a group (
no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.

Prevent disclosure of merge request id via email

See merge request gitlab/gitlabhq!3351

Send TODOs for comments on commits correctly

See merge request gitlab/gitlabhq!3366

Require a captcha after unique failed logins from the same IP

See merge request gitlab/gitlabhq!3295