Replace issue access checks with use of IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested
### Issue lookup with access check
Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).
- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] ✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] ✅ lib/api/issues.rb:112 [`visible_to_user`]
- CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] ✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] ✅ lib/gitlab/search_results.rb:53 [`visible_to_user`]
### Previous discussions
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87
See merge request !2031
This new global setting will allow admins to specify if HTML emails should be sent or not,
this is basically useful when system administrators want to save some disk space by avoiding
emails in HTML format and using only the Plain Text version.
Refresh project authorizations using a Redis lease
This MR changes `User#refresh_authorized_projects` so it uses a Redis lease instead of relying on serializable transactions. See the commit message(s) for more details.
See merge request !7733
When I proposed using serializable transactions I was hoping we would be
able to refresh data of individual users concurrently. Unfortunately
upon closer inspection it was revealed this was not the case. This could
result in a lot of queries failing due to serialization errors,
overloading the database in the process (given enough workers trying to
update the target table).
To work around this we're now using a Redis lease that is cancelled upon
completion. This ensures we can update the data of different users
concurrently without overloading the database.
The code will try to obtain the lease until it succeeds, waiting at
least 1 second between retries. This is necessary as we may otherwise
end up _not_ updating the data which is not an option.
Don't convert data which already is the target type
With Grape's DSL we already enforce data types. We don't need to explicitly convert to string if there is already one.
See merge request !7740
Fix IID filter for merge requests and milestones
I updated the example in the docs and added a test. The milestones API was also broken for the same reason.
Related to !7358 and !7373
See merge request !7648
Fix undefined error in CI linter
## What does this MR do?
This MR fixes undefined error in CI linter.
## Does this MR meet the acceptance criteria?
- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] Tests added for this feature/bug
## What are the relevant issue numbers?
Closes#24759
See merge request !7650
Rémy Coutable
Robert Schilling
Grzegorz Bizon
Sean McGivern
Kamil Trzciński
Douwe Maan
Ruben Davila
Yorick Peterse
Z.J. van de Weg
Valery Sizov
Lin Jen-Shin
Dmitriy Zaporozhets
James Lopez