[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583
This suggests possibly related issues when the user types a title.
This uses GraphQL to allow the frontend to request the exact
data that is requires. We also get free caching through the Vue Apollo
plugin.
With this we can include the ability to import .graphql files in JS
and Vue files.
Also we now have the Vue test utils library to make testing
Vue components easier.
Closes#22071
Enables frozen string for some vestigial files as
well as the following:
* app/controllers/projects/**/*.rb
* app/controllers/sherlock/**/*.rb
* app/controllers/snippets/**/*.rb
* app/controllers/users/**/*.rb
Partially addresses #47424.
These methods don't really need to be on the Issue model. Issue#related_branches
can also be moved to a service, but we can do that in a separate commit.
This commit does not change any behaviour; it just moves code around, renames
the service, and refactors the specs.
The status is shown for
- The author of a commit when viewing a commit
- Notes on a commit (regular/diff)
- The user that triggered a pipeline when viewing a pipeline
- The author of a merge request when viewing a merge request
- The author of notes on a merge request (regular/diff)
- The author of an issue when viewing an issue
- The author of notes on an issue
- The author of a snippet when viewing a snippet
- The author of notes on a snippet
- A user's profile page
- The list of members of a group/user
With text/calendar as Content-Type, the browser always downloads the
content as a file (even ignoring the Content-Disposition header). We
want to display the content inline when accessed from GitLab, similarly
to the RSS feed.
This could only be possible for users that can create merge requests
within a project.
So they need to be a allowed to create a branch and create a merge request.
So we can distinguish between the permissions on the source and the
target project.
- `create_merge_request_from` indicates a user can create a merge
request with the project as a source_project
- `create_merge_request_in` indicates a user can create a merge
request with the project as a target_project
By extracting a new `filter_items` method, we can override that in the
IssuesFinder and MergeRequestsFinder separately, so we don't need checks that
the model is the correct one, because we can just use the class we're in to know
that.
We can do the same for the VALID_PARAMS constant, by making it a class method.
This ensures that we have more visibility in the number of SQL queries
that are executed in web requests. The current threshold is hardcoded to
100 as we will rarely (maybe once or twice) change it.
In production and development we use Sentry if enabled, in the test
environment we raise an error. This feature is also only enabled in
production/staging when running on GitLab.com as it's not very useful to
other users.
Discussions are now done asynchronously via the `IssuesController#discussions`
endpoint, so this should no longer be needed. This was taking 32% of the load
time for GitLab CE issue 1.
Closes#38034
In #37955,we see that the profile had a number of N+1 queries from repeated
access to `cross_reference_not_visible_for?`. This was optimized in previous
versions of GitLab by rendering all notes at once, counting the number of
visible references, and then using that number to check whether a system note
should be fully redacted.
There was also another N+1 query calling `ProjectTeam#member?`, which did not
take advantage of an optimization in prepare_notes_for_rendering that would
preload the maximum access level per project.
Closes#37955
this will remove the need make N queries (per-note) at the
cost of having to mark notes with an attribute
this opens up the possibility for other special roles for notes
This changes the issue and MR index pages so the pagination system
re-uses the output of the COUNT(*) query used to calculate the number of
rows per state (opened, closed, etc). This removes the need for an
additional COUNT(*) on both pages.
* master: (66 commits)
fix confidential border issue as well as confidential styles leaking on new MR
Migrate force push check to Gitaly
Add option to disable project export on instance
Better categorize test coverage results
Add option to disable project export on instance - db changes
Better caching and indexing of broadcast messages
Include the `is_admin` field in the `GET /users/:id` API when current user is an admin
Document rspec-retry and rspec-flaky
Fix cop description
Retrieve and sync flaky specs report from and to S3
Use a new RspecFlakyListener to detect flaky specs
Fix formatting of patch_versions.md [skip ci]
Enable Timecop safe mode
Show error message for API 500 error in tests, and
Fix merge request diff deserialisation when too_large was absent
Delete correct key from `session` after authenticating using U2F
Bumps omniauth-ldap gem version to 2.0.4
Pending delete projects no longer return 500 error in Admins projects view
Do not run the `ee_compat_check` job for stableish branches
Update gitlab.po: Missing 'r' in "Fouché" that comes from "Fourcher" verb.
...
* upstream/master: (62 commits)
Update gitlab.po: Missing 'r' in "Fouché" that comes from "Fourcher" verb.
Docs: update user docs index
Fix minor typos in views
Fix Layout/SpaceBeforeBlockBraces violation in bin/changelog_spec
Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'
Merge branch 'import-symlinks-9-3' into 'security-9-3'
Fix wrong method call on prometheus histogram
Document new all-in-one Helm chart - docs
Fix 404 on link path
Fix line numbers not matching up to code in code viewer.
Hide overflow-x on collapsed sidebar
removed global use of breakpoint checker
Increase performance of the breakpoint size checker
Filter sensitive query string parameters from NGINX access logs
Added a template for database changes
Render new issue link in failed job as a regular link instead of a UJS one
Include RE2 in the upgrade docs
Remove affix plugin from issuable sidebar with new navigation
Fix linter error
alternative route for download archive
...
Phil Hughes
Cindy Pallares
Sean McGivern
Felipe Artur
gfyoung
Yorick Peterse
Bob Van Landuyt
Imre Farkas
Jacopo
Fatih Acet
Sean McGivern
Jeff Stubler
Christiaan Van den Poel
Vitaliy @blackst0ne Klachkov
Jarka Kadlecova
Eric Eastwood
Luke "Jared" Bennett
Stan Hu
micael.bergeron
Douwe Maan
Maxim Rydkin
Filipa Lacerda
Lin Jen-Shin
Mehdi Lahmam