Merge remote-tracking branch 'ce/master' into ce-to-ee

app/assets/stylesheets/pages/merge_conflicts.scss

@@ -228,7 +228,6 @@ $colors: (
       position: absolute;
       right: 10px;
       padding: 0;
-      outline: none;
       color: #fff;
       width: 75px; // static width to make 2 buttons have same width
       height: 19px;

app/assets/stylesheets/pages/search.scss

@@ -31,7 +31,6 @@
     padding-right: 20px;
     border: none;
     font-size: 14px;
-    outline: none;
     padding: 0;
     margin-left: 5px;
     line-height: 25px;
@@ -229,6 +228,5 @@
   &:hover,
   &:focus {
     color: $gl-link-color;
-    outline: none;
   }
 }

app/controllers/jwt_controller.rb

@@ -12,7 +12,7 @@ class JwtController < ApplicationController
     return head :not_found unless service
     result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
-      execute(authentication_abilities: @authentication_result.authentication_abilities || [])
+      execute(authentication_abilities: @authentication_result.authentication_abilities)
     render json: result, status: result[:http_status]
   end
@@ -20,7 +20,7 @@ class JwtController < ApplicationController
   private
   def authenticate_project_or_user
-    @authentication_result = Gitlab::Auth::Result.new
+    @authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_authentication_abilities)
     authenticate_with_http_basic do |login, password|
       @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)

app/controllers/projects_controller.rb

@@ -327,7 +327,11 @@ class ProjectsController < Projects::ApplicationController
   def project_params
     params.require(:project)
+<<<<<<< HEAD
       .permit(project_params_ce << project_params_ee)
+=======
+      .permit(project_params_ce)
+>>>>>>> ce/master
   end
   def project_params_ce
@@ -364,6 +368,7 @@ class ProjectsController < Projects::ApplicationController
         wiki_access_level
       ]
     ]
+<<<<<<< HEAD
   end
   def project_params_ee
@@ -380,6 +385,8 @@ class ProjectsController < Projects::ApplicationController
       repository_size_limit
       reset_approvals_on_push
     ]
+=======
+>>>>>>> ce/master
   end
   def repo_exists?

app/controllers/users_controller.rb

@@ -104,8 +104,7 @@ class UsersController < ApplicationController
   end
   def contributions_calendar
-    @contributions_calendar ||= Gitlab::ContributionsCalendar.
-      new(contributed_projects, user)
+    @contributions_calendar ||= Gitlab::ContributionsCalendar.new(user, current_user)
   end
   def load_events

app/finders/issuable_finder.rb

@@ -62,31 +62,26 @@ class IssuableFinder
   def project
     return @project if defined?(@project)
-    if project?
-      @project = Project.find(params[:project_id])
-      unless Ability.allowed?(current_user, :read_project, @project)
-        @project = nil
-      end
-    else
-      @project = nil
-    end
-
-    @project
+    project = Project.find(params[:project_id])
+    project = nil unless Ability.allowed?(current_user, :"read_#{klass.to_ability_name}", project)
+    @project = project
   end
   def projects
     return @projects if defined?(@projects)
-    if project?
-      @projects = project
-    elsif current_user && params[:authorized_only].presence && !current_user_related?
-      @projects = current_user.authorized_projects.reorder(nil)
-    elsif group
-      @projects = GroupProjectsFinder.new(group).execute(current_user).reorder(nil)
-    else
-      @projects = ProjectsFinder.new.execute(current_user).reorder(nil)
-    end
+    return @projects = project if project?
+    projects =
+      if current_user && params[:authorized_only].presence && !current_user_related?
+        current_user.authorized_projects
+      elsif group
+        GroupProjectsFinder.new(group).execute(current_user)
+      else
+        ProjectsFinder.new.execute(current_user)
+      end
+
+    @projects = projects.with_feature_available_for_user(klass, current_user).reorder(nil)
   end
   def search

app/helpers/application_helper.rb

@@ -154,7 +154,6 @@ module ApplicationHelper
   # time       - Time object
   # placement  - Tooltip placement String (default: "top")
   # html_class - Custom class for `time` element (default: "time_ago")
-  # skip_js    - When true, exclude the `script` tag (default: false)
   #
   # By default also includes a `script` element with Javascript necessary to
   # initialize the `timeago` jQuery extension. If this method is called many
@@ -166,22 +165,19 @@ module ApplicationHelper
   # `html_class` argument is provided.
   #
   # Returns an HTML-safe String
-  def time_ago_with_tooltip(time, placement: 'top', html_class: '', skip_js: false, short_format: false)
+  def time_ago_with_tooltip(time, placement: 'top', html_class: '', short_format: false)
     css_classes = short_format ? 'js-short-timeago' : 'js-timeago'
     css_classes << " #{html_class}" unless html_class.blank?
-    css_classes << ' js-timeago-pending' unless skip_js
     element = content_tag :time, time.to_s,
       class: css_classes,
-      datetime: time.to_time.getutc.iso8601,
       title: time.to_time.in_time_zone.to_s(:medium),
-      data: { toggle: 'tooltip', placement: placement, container: 'body' }
-
-    unless skip_js
-      element << javascript_tag(
-        "$('.js-timeago-pending').removeClass('js-timeago-pending').timeago()"
-      )
-    end
+      datetime: time.to_time.getutc.iso8601,
+      data: {
+        toggle: 'tooltip',
+        placement: placement,
+        container: 'body'
+      }
     element
   end

app/helpers/builds_helper.rb

@@ -5,4 +5,14 @@ module BuildsHelper
     build_class += ' retried' if build.retried?
     build_class
   end
+
+  def javascript_build_options
+    {
+      page_url: namespace_project_build_url(@project.namespace, @project, @build),
+      build_url: namespace_project_build_url(@project.namespace, @project, @build, :json),
+      build_status: @build.status,
+      build_stage: @build.stage,
+      state1: @build.trace_with_state[:state]
+    }
+  end
 end

app/helpers/diff_helper.rb

@@ -51,12 +51,11 @@ module DiffHelper
     html.html_safe
   end
-  def diff_line_content(line, line_type = nil)
+  def diff_line_content(line)
     if line.blank?
-      "  ".html_safe
+      " ".html_safe
     else
-      line[0] = ' ' if %w[new old].include?(line_type)
-      line
+      line.sub(/^[\-+ ]/, '').html_safe
     end
   end

app/helpers/notifications_helper.rb

@@ -74,4 +74,13 @@ module NotificationsHelper
     return unless notification_setting.source_type
     hidden_field_tag "#{notification_setting.source_type.downcase}_id", notification_setting.source_id
   end
+
+  def notification_event_name(event)
+    case event
+    when :success_pipeline
+      'Successful pipeline'
+    else
+      event.to_s.humanize
+    end
+  end
 end

app/mailers/emails/pipelines.rb

 module Emails
   module Pipelines
-    def pipeline_success_email(pipeline, to)
-      pipeline_mail(pipeline, to, 'succeeded')
+    def pipeline_success_email(pipeline, recipients)
+      pipeline_mail(pipeline, recipients, 'succeeded')
     end
-    def pipeline_failed_email(pipeline, to)
-      pipeline_mail(pipeline, to, 'failed')
+    def pipeline_failed_email(pipeline, recipients)
+      pipeline_mail(pipeline, recipients, 'failed')
     end
     private
-    def pipeline_mail(pipeline, to, status)
+    def pipeline_mail(pipeline, recipients, status)
       @project = pipeline.project
       @pipeline = pipeline
       @merge_request = pipeline.merge_requests.first
       add_headers
-      mail(to: to, subject: pipeline_subject(status), skip_premailer: true) do |format|
+      # We use bcc here because we don't want to generate this emails for a
+      # thousand times. This could be potentially expensive in a loop, and
+      # recipients would contain all project watchers so it could be a lot.
+      mail(bcc: recipients,
+           subject: pipeline_subject(status),
+           skip_premailer: true) do |format|
         format.html { render layout: false }
         format.text
       end

app/models/ci/pipeline.rb

@@ -81,6 +81,12 @@ module Ci
           PipelineHooksWorker.perform_async(id)
         end
       end
+
+      after_transition any => [:success, :failed] do |pipeline|
+        pipeline.run_after_commit do
+          PipelineNotificationWorker.perform_async(pipeline.id)
+        end
+      end
     end
     # ref can't be HEAD or SHA, can only be branch/tag name
@@ -109,6 +115,11 @@ module Ci
       project.id
     end
+    # For now the only user who participates is the user who triggered
+    def participants(_current_user = nil)
+      Array(user)
+    end
+
     def valid_commit_sha
       if self.sha == Gitlab::Git::BLANK_SHA
         self.errors.add(:sha, " cant be 00000000 (branch removal)")

app/models/concerns/issuable.rb

@@ -186,6 +186,10 @@ module Issuable
       grouping_columns
     end
+
+    def to_ability_name
+      model_name.singular
+    end
   end
   def today?
@@ -247,7 +251,7 @@ module Issuable
   #   issuable.class           # => MergeRequest
   #   issuable.to_ability_name # => "merge_request"
   def to_ability_name
-    self.class.to_s.underscore
+    self.class.to_ability_name
   end
   # Returns a Hash of attributes to be used for Twitter card metadata

app/models/event.rb

@@ -54,6 +54,7 @@ class Event < ActiveRecord::Base
         update_all(updated_at: Time.now)
     end
+    # Update Gitlab::ContributionsCalendar#activity_dates if this changes
     def contributions
       where("action = ? OR (target_type in (?) AND action in (?))",
             Event::PUSHED, ["MergeRequest", "Issue"],
@@ -67,7 +68,7 @@ class Event < ActiveRecord::Base
   def visible_to_user?(user = nil)
     if push?
-      true
+      Ability.allowed?(user, :download_code, project)
     elsif membership_changed?
       true
     elsif created_project?

app/models/issue.rb

@@ -264,29 +264,9 @@ class Issue < ActiveRecord::Base
   # Returns `true` if the current issue can be viewed by either a logged in User
   # or an anonymous user.
   def visible_to_user?(user = nil)
-    user ? readable_by?(user) : publicly_visible?
-  end
-
-  # Returns `true` if the given User can read the current Issue.
-  def readable_by?(user)
-    if user.admin?
-      true
-    elsif project.owner == user
-      true
-    elsif confidential?
-      author == user ||
-        assignee == user ||
-        project.team.member?(user, Gitlab::Access::REPORTER)
-    else
-      project.public? ||
-        project.internal? && !user.external? ||
-        project.team.member?(user)
-    end
-  end
-  # Returns `true` if this Issue is visible to everybody.
-  def publicly_visible?
-    project.public? && !confidential?
+    return false unless project.feature_available?(:issues, user)
+    user ? readable_by?(user) : publicly_visible?
   end
   def overdue?
@@ -311,4 +291,32 @@ class Issue < ActiveRecord::Base
       end
     end
   end
+
+  private
+
+  # Returns `true` if the given User can read the current Issue.
+  #
+  # This method duplicates the same check of issue_policy.rb
+  # for performance reasons, check commit: 002ad215818450d2cbbc5fa065850a953dc7ada8
+  # Make sure to sync this method with issue_policy.rb
+  def readable_by?(user)
+    if user.admin?
+      true
+    elsif project.owner == user
+      true
+    elsif confidential?
+      author == user ||
+        assignee == user ||
+        project.team.member?(user, Gitlab::Access::REPORTER)
+    else
+      project.public? ||
+        project.internal? && !user.external? ||
+        project.team.member?(user)
+    end
+  end
+
+  # Returns `true` if this Issue is visible to everybody.
+  def publicly_visible?
+    project.public? && !confidential?
+  end
 end

app/models/notification_setting.rb

@@ -32,7 +32,9 @@ class NotificationSetting < ActiveRecord::Base
     :reopen_merge_request,
     :close_merge_request,
     :reassign_merge_request,
-    :merge_merge_request
+    :merge_merge_request,
+    :failed_pipeline,
+    :success_pipeline
   ]
   store :events, accessors: EMAIL_EVENTS, coder: JSON

app/models/project.rb

@@ -223,9 +223,44 @@ class Project < ActiveRecord::Base
   scope :with_push, -> { joins(:events).where('events.action = ?', Event::PUSHED) }
   scope :with_remote_mirrors, -> { joins(:remote_mirrors).where(remote_mirrors: { enabled: true }).distinct }
+<<<<<<< HEAD
   scope :with_builds_enabled, -> { joins('LEFT JOIN project_features ON projects.id = project_features.project_id').where('project_features.builds_access_level IS NULL or project_features.builds_access_level > 0') }
   scope :with_issues_enabled, -> { joins('LEFT JOIN project_features ON projects.id = project_features.project_id').where('project_features.issues_access_level IS NULL or project_features.issues_access_level > 0') }
   scope :with_wiki_enabled, -> { joins('LEFT JOIN project_features ON projects.id = project_features.project_id').where('project_features.wiki_access_level IS NULL or project_features.wiki_access_level > 0') }
+=======
+  scope :with_project_feature, -> { joins('LEFT JOIN project_features ON projects.id = project_features.project_id') }
+
+  # "enabled" here means "not disabled". It includes private features!
+  scope :with_feature_enabled, ->(feature) {
+    access_level_attribute = ProjectFeature.access_level_attribute(feature)
+    with_project_feature.where(project_features: { access_level_attribute => [nil, ProjectFeature::PRIVATE, ProjectFeature::ENABLED] })
+  }
+
+  # Picks a feature where the level is exactly that given.
+  scope :with_feature_access_level, ->(feature, level) {
+    access_level_attribute = ProjectFeature.access_level_attribute(feature)
+    with_project_feature.where(project_features: { access_level_attribute => level })
+  }
+
+  scope :with_builds_enabled, -> { with_feature_enabled(:builds) }
+  scope :with_issues_enabled, -> { with_feature_enabled(:issues) }
+
+  # project features may be "disabled", "internal" or "enabled". If "internal",
+  # they are only available to team members. This scope returns projects where
+  # the feature is either enabled, or internal with permission for the user.
+  def self.with_feature_available_for_user(feature, user)
+    return with_feature_enabled(feature) if user.try(:admin?)
+
+    unconditional = with_feature_access_level(feature, [nil, ProjectFeature::ENABLED])
+    return unconditional if user.nil?
+
+    conditional = with_feature_access_level(feature, ProjectFeature::PRIVATE)
+    authorized = user.authorized_projects.merge(conditional.reorder(nil))
+
+    union = Gitlab::SQL::Union.new([unconditional.select(:id), authorized.select(:id)])
+    where(arel_table[:id].in(Arel::Nodes::SqlLiteral.new(union.to_sql)))
+  end
+>>>>>>> ce/master
   scope :active, -> { joins(:issues, :notes, :merge_requests).order('issues.created_at, notes.created_at, merge_requests.created_at DESC') }
   scope :abandoned, -> { where('projects.last_activity_at < ?', 6.months.ago) }

app/models/project_feature.rb

@@ -20,6 +20,15 @@ class ProjectFeature < ActiveRecord::Base
   FEATURES = %i(issues merge_requests wiki snippets builds repository)
+  class << self
+    def access_level_attribute(feature)
+      feature = feature.model_name.plural.to_sym if feature.respond_to?(:model_name)
+      raise ArgumentError, "invalid project feature: #{feature}" unless FEATURES.include?(feature)
+
+      "#{feature}_access_level".to_sym
+    end
+  end
+
   # Default scopes force us to unscope here since a service may need to check
   # permissions for a project in pending_delete
   # http://stackoverflow.com/questions/1540645/how-to-disable-default-scope-for-a-belongs-to
@@ -35,9 +44,8 @@ class ProjectFeature < ActiveRecord::Base
   default_value_for :repository_access_level,     value: ENABLED, allows_nil: false
   def feature_available?(feature, user)
-    raise ArgumentError, 'invalid project feature' unless FEATURES.include?(feature)
-
-    get_permission(user, public_send("#{feature}_access_level"))
+    access_level = public_send(ProjectFeature.access_level_attribute(feature))
+    get_permission(user, access_level)
   end
   def builds_enabled?

app/models/project_services/pipelines_email_service.rb

 class PipelinesEmailService < Service
   prop_accessor :recipients
-  boolean_accessor :add_pusher
   boolean_accessor :notify_only_broken_pipelines
-  validates :recipients,
-    presence: true,
-    if: ->(s) { s.activated? && !s.add_pusher? }
+  validates :recipients, presence: true, if: :activated?
   def initialize_properties
     self.properties ||= { notify_only_broken_pipelines: true }
@@ -34,8 +31,8 @@ class PipelinesEmailService < Service
     return unless all_recipients.any?
-    pipeline = Ci::Pipeline.find(data[:object_attributes][:id])
-    Ci::SendPipelineNotificationService.new(pipeline).execute(all_recipients)
+    pipeline_id = data[:object_attributes][:id]
+    PipelineNotificationWorker.new.perform(pipeline_id, all_recipients)
   end
   def can_test?
@@ -57,9 +54,6 @@ class PipelinesEmailService < Service
       { type: 'textarea',
         name: 'recipients',
         placeholder: 'Emails separated by comma' },
-      { type: 'checkbox',
-        name: 'add_pusher',
-        label: 'Add pusher to recipients list' },
       { type: 'checkbox',
         name: 'notify_only_broken_pipelines' },
     ]
@@ -85,12 +79,6 @@ class PipelinesEmailService < Service
   end
   def retrieve_recipients(data)
-    all_recipients = recipients.to_s.split(',').reject(&:blank?)
-
-    if add_pusher? && data[:user].try(:[], :email)
-      all_recipients << data[:user][:email]
-    end
-
-    all_recipients
+    recipients.to_s.split(',').reject(&:blank?)
   end
 end

app/policies/ci/build_policy.rb

@@ -5,7 +5,7 @@ module Ci
       # If we can't read build we should also not have that
       # ability when looking at this in context of commit_status
-      %w(read create update admin).each do |rule|
+      %w[read create update admin].each do |rule|
         cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
       end
     end