Replace issue access checks with use of IssuableFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested
### Issue lookup with access check
Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).
- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] ✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] ✅ lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] ✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] ✅ lib/gitlab/search_results.rb:53 [`visible_to_user`]
### Previous discussions
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87
See merge request !2031
Fix IID filter for merge requests and milestones
I updated the example in the docs and added a test. The milestones API was also broken for the same reason.
Related to !7358 and !7373
See merge request !7648
Grapify the users API
Certain endpoints return different entities based on which user issues the request. Right now, I am not aware how to specify multiple entities as part of the description block of the endpoint. @rymai Do you know something about that?
## What are the relevant issue numbers?
Related to #22928
See merge request !7147
Allow `order_by` and `sort` parameters to `/api/v3/groups.json`. At
present, only ordering by name and path is supported, and the default
sort is name ascending (alphabetical order).
Defer saving project services to the database if there are no user changes
## What does this MR do?
It defers saving project services to the database as long as it is possible. It creates a project service when creating a project only if this project service has an active template. After that, project services are saved on the first edit.
## Are there points in the code the reviewer needs to double check?
- tests that used `build_missing_services` before the change
- number of queries executed
## Why was this MR needed?
Motivation in #22281
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
Fixes #22281
See merge request !6958