[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prepare 13.11.3-ee release

See merge request gitlab-org/gitlab!60669

Andrew Fontaine authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix Instance-level Project Integration Management page for GitLab FOSS [RUN ALL RSPEC] [RUN-AS-IF-FOSS]

See merge request gitlab-org/gitlab!60354

(cherry picked from commit 8ff4aa03)

037ce621 Initialize Integrations table for admins on FOSS

John Jarvis authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Revert "Merge branch 'update-auto-build-image-to-0-6-0' into 'master'"

See merge request gitlab-org/gitlab!59775

(cherry picked from commit 9bc0602b)

822f39db Revert "Merge branch 'update-auto-build-image-to-0-6-0' into 'master'"

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Do not expose pull mirror username and password

See merge request gitlab-org/security/gitlab!1365

Merge branch 'security-disallow-changing-timestamps-on-issue-create-update-13-11' into '13-11-stable-ee'

Prevent non-owners to set system_note_timestamp

See merge request gitlab-org/security/gitlab!1358

Merge branch 'security-322500-disable-gitaly-branch-pagination-ff-by-default-13-11' into '13-11-stable-ee'

Disable keyset pagination for branches by default

See merge request gitlab-org/security/gitlab!1366

Restrict the dependency proxy auth service

See merge request gitlab-org/security/gitlab!1369

Bump Carrierwave gem to v1.3.2

See merge request gitlab-org/security/gitlab!1357

Merge branch 'security-327155-prevent-mutation-execution-with-read-api-tokens-13-11' into '13-11-stable-ee'

Prevent mutation execution with read api tokens

See merge request gitlab-org/security/gitlab!1374

Verify that read_api tokens cannot run mutations.

Also: adds tests use of OAuth tokens for GraphQL

We make some changes to the sessionless_authentication module
in order to capture the request_authenticator, so that we can access
the token scopes, without making any extra queries.

We ensure we always authorize the mutation, which, like all resolvers,
needs to opt in to the check.

Unlike resolvers, mutations should always raise. So
`BaseMutation.authorized?` raises on failure.

Logic for handling scopes is pushed down to the `ObjectAuthorization`
class, and encapsulated in the `ScopeValidator`, which limits the
methods that can be called by resolvers.

Any objects other than `User` (such as `DeployToken`) are not allowed

Changelog: security

It seems that with this feature flag enabled, pagination doesn't work
correctly in conjunction with a search. The FF is already disabled on
GitLab.com, but disabling it in the YAML file means that self-managed
instances will also be protected from the security issue (unless they
explicitly opt-in to some beta code, of course).

Changelog: security

When an issue is created or updated though API for import
purposes we allow providing created_at and updated_at params
these would then be reflected also in system notes. Only admins
and project owners should be able to set these dates.

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/230864

* Remove password value from the pull mirror form
* Hide username from mirror url

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prepare 13.11.1-ee release

See merge request gitlab-org/gitlab!60045

Ash McKenzie authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Change search string that does not return results

See merge request gitlab-org/gitlab!59945

(cherry picked from commit ed19a0bd)

7d838b6c Change search string that does not return results

Craig Norris authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix Rake command for Pages deploys to object storage

See merge request gitlab-org/gitlab!59764

(cherry picked from commit 3e2e8138)

ec83c25f Fix Rake command for Pages deploys to object storage

Achilleas Pipinellis authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Add docs about project upload API size enforcement

See merge request gitlab-org/gitlab!59692

(cherry picked from commit 617741a3)

7bb39e1b Add docs about project upload API size enforcement
17c3a619 Apply 1 suggestion(s) to 1 file(s)

Enrique Alcántara authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix zero count of vulnerability severity count

See merge request gitlab-org/gitlab!59680

(cherry picked from commit d74aba3c)

394998df Fix zero count of vulnerability severity count

Michael Kozono authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix Geo replication for incident metrics uploads

See merge request gitlab-org/gitlab!59674

(cherry picked from commit 74b7b3c3)

3806f085 Fix Geo replication for incident metrics uploads

Russell Dickenson authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix DAST_AUTH_VERIFICATION_URL docs

See merge request gitlab-org/gitlab!59661

(cherry picked from commit e3a22f2d)

35daacff Fix DAST_AUTH_VERIFICATION_URL docs

Achilleas Pipinellis authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Documentation about Pages Deployment migration

See merge request gitlab-org/gitlab!59475

(cherry picked from commit 155e66fc)

836bf7bf Added docs about Pages Deployment migration
c02a9ec6 Apply 2 suggestion(s) to 1 file(s)

Natalia Tepluhina authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Remove legacy storage key from notification check

See merge request gitlab-org/gitlab!59199

(cherry picked from commit 4e6b6761)

ebc6e0d9 Remove legacy storage key from notification check
d5f47942 Create What's New entry for 13.11
733223b3 Update 202104220001_13_11.yml
7a89f7a7 Make Core entries Free
8a360163 Update 202104220001_13_11.yml

Gabriel Mazetto authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Change unsubscribe language for email campaign

See merge request gitlab-org/gitlab!59121

(cherry picked from commit 6defe730)

03efae83 Change unsubscribe language for email campaign
ec3b64f2 Check if text is empty and not just nil
15db49f3 Use marketing preference link
0faad983 Move current series info up
d58aa096 Use to_param for preference link

[merge-train skip]

[ci skip]

[ci skip]