To make it more clear to developers that the entity exposes the
application secret, define a separate entity that only should be used
when the secret is needed (probably only on creation).

Search query is especially slow if a user searches a generic string
which matches many records, in such case search can take tens of
seconds or time out. To speed up the search query, we search only for
first 1000 records, if there is >1000 matching records we just display
"1000+" instead of precise total count supposing that with such amount
the exact count is not so important for the user.

Because for issues even limited search was not fast enough, 2-phase
approach is used for issues: first we use simpler/faster query to get
all public issues, if this exceeds the limit, we just return the limit.
If the amount of matching results is lower than limit, we re-run more
complex search query (which includes also confidential issues).
Re-running the complex query should be fast enough in such case because the
amount of matching issues is lower than limit.

Because exact total_count is now limited, this patch also switches to
to "prev/next" pagination.

Related #40540

Jan Christophersen authored 7 years ago and James Lopez committed 7 years ago

Resolve "Projects API: filter 'with_issues_enabled=true' returns projects with 'issues_enabled=false'"

Adds sorting to deployments API through the `order_by` and sort
`fields`.

[10.3] Migrate `can_push` column from `keys` to `deploy_keys_project`

See merge request gitlab/gitlabhq!2276

(cherry picked from commit f6ca52d31bac350a23938e0aebf717c767b4710c)

1f2bd3c0 Backport to 10.3

Merge branch 'security-10-3-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-3'

Filter out sensitive fields from the project services API

See merge request gitlab/gitlabhq!2281

(cherry picked from commit 476f2576444632f2a9a61b4cead9c1077f2c81d7)

2bcbbda0 Filter out sensitive fields from the project services API

Enables project milestone deletion via DELETE /projects/:id/milestones/:milestone_id

see https://gitlab.com/gitlab-org/gitlab-ce/issues/42025

The N+1 issue was caused by loading the job_artifacts_archive for each
job (build) individually. Including that in the builds
AssociationRelation fixed the issue.

This will enable admins to identify who actually made the API request.

Relates to #36960

Add find key by base64 key or fingerprint to the internal API

See merge request !250

Squashed changes:
Add unique index to fingerprint
Add new index to schema
Add internal api to get ssh key by fingerprint
Change API endpoint to authorized_keys
Add InsecureKeyFingerprint that calculates the fingerprint without shelling out
Add require for gitlab key fingerprint
Remove uniqueness of fingerprint index
Remove unique option from migration
Fix spec style in fingerprint test
Fix rubocop complain
Extract insecure key fingerprint to separate file
Change migration to support building index concurrently
Remove those hideous tabs

This removes all usage of soft removals except for the "pending delete"
system implemented for projects. This in turn simplifies all the query
plans of the models that used soft removals. Since we don't really use
soft removals for anything useful there's no point in keeping it around.

This _does_ mean that hard removals of issues (which only admins can do
if I'm not mistaken) can influence the "iid" values, but that code is
broken to begin with. More on this (and how to fix it) can be found in
https://gitlab.com/gitlab-org/gitlab-ce/issues/31114.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/37447

In some cases is prefered to manually create a ProjectWiki over using
Project#wiki. This is because Project#wiki always uses the #owner (which
is a User sometimes) as the
author of the wiki changes but sometimes the owner is a Group and it
doesn't respond to #username

On GitLab.com, there are write deploy keys with no associated users.
Pushes with these deploy keys end with an Error 500 since we attempt
to look up redirect message. If there is no user, don't attempt
to display a redirect message.

Closes #41466

+ Add support for the new separate channel and events settings
* Dry up chat notifications in the service properties definitions

Signed-off-by: Rémy Coutable <remy@rymai.me>

- Ensure that unwanted params are no passed to actual finder classes

Previously, this would include the entire User record in the update
hash, which was rendered in the response using `to_json`, erroneously
exposing every attribute of that record, including their (now removed)
private token.

Now we only include the user ID, and perform the lookup on-demand.