Changes update_column to update_attributes in ProjectTreeRestorer#restore_project by using timeless to maintain the current timestamps
Closes #47765
See merge request gitlab-org/gitlab-ce!21242
Saved Wiki content goes through the GitalyClient::WikiService, which calls
StringIO#set_encoding on the input stream. The problem is that this call
mutates the encoding of the given string object to ASCII-8BIT, which
causes problems for models expecting the data to still be in UTF-8.
Freezing the input disables this behavior:
https://github.com/ruby/ruby/blob/v2_4_4/ext/stringio/stringio.c#L1583
Closes #50590
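
The encoding mutation described in the commit message above, reproduced as an added example (not GitLab's code): `stream_as_binary`, `encoding_after_stream`, `concat_result` and `SAMPLE` are hypothetical names, and only the `StringIO#set_encoding` call mirrors the text.

```ruby
require 'stringio'

# Hypothetical stand-in for a client that streams content as binary.
# Only the StringIO#set_encoding call mirrors the commit message above.
def stream_as_binary(content)
  io = StringIO.new(content)          # opened read/write unless content is frozen
  io.set_encoding(Encoding::BINARY)   # retags the backing string when writable
  io.read.bytesize
end

# Returns the encoding of the caller's string after it has been streamed.
def encoding_after_stream(content)
  stream_as_binary(content)
  content.encoding
end

# Shows the downstream failure: a binary-tagged string holding non-ASCII
# bytes can no longer be combined with UTF-8 text.
def concat_result(content)
  stream_as_binary(content)
  content + " \u2013 saved"
  :ok
rescue Encoding::CompatibilityError
  :incompatible
end

# Constructed sample input: UTF-8 wiki text with one non-ASCII character.
SAMPLE = "Caf\u00e9 page"

if __FILE__ == $PROGRAM_NAME
  puts "unfrozen input: #{encoding_after_stream(SAMPLE.dup)}"
  puts "frozen input:   #{encoding_after_stream(SAMPLE.dup.freeze)}"
  puts "unfrozen then concat: #{concat_result(SAMPLE.dup)}"
  puts "frozen then concat:   #{concat_result(SAMPLE.dup.freeze)}"
end
```
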
Previously, this wasn't needed: text was normally set to the highlighted
contents anyway. Now, it is: we store different things in text and rich_text.
This caused https://gitlab.com/gitlab-com/production/issues/439.
When backend sends HTML it requires frontend to append it to the DOM causing
XSS vulnerabilities. By removing the `<br>` we avoid those vulnerabilities.
Just like with the GitHub importer, the Bitbucket Server importer can hit the
default 60 s idle-in-transaction timeouts if it takes too long to create the
merge request. We solve this by using the same approach as the GitHub importer:
1. Bypass all validation and hooks in creating a merge request
2. Insert the Git data in a separate transaction
Part of #50021
Due to a regression in !20608, the LDAP authenticator was not being used
unless OmniAuth was enabled. This change allows the LDAP provider to be used
if it is configured regardless of the OmniAuth setting.
Closes #50579
When direct_upload is enabled and a for file is being uploaded,
then workhorse uses `public/uploads/tmp` path. If `uploads.storage_path`
is set to a different directory, then upload fails because
`public/uploads/tmp` is not in allowed paths.
Resolve "Commits and Merge Requests does not list all files when one file exceeds size limits"
Closes #49907
See merge request gitlab-org/gitlab-ce!21125
We don't test any specific string generated by it yet, so there is no
point in keeping it enabled when we are disabling it everywhere we test its output.
It will decide the method for disabling statement_timeout,
per transaction or per session, based on how it's called.
When called with a block, the block will be executed and it will use
session-based statement_timeout; otherwise it will default to the existing
behavior.
By default, statement_timeout will only be enabled during transaction
lifetime, therefore not leaking outside of it.
With `transaction: false` it will be set for the entire session, but requires
a block to be passed. It yields control and cleans up the session after the block
finishes, also preventing leaking outside of it.
Inline diff comments did not have the proper position, so even though
they had line codes the merge request validation would fail. Now
we cache the line position for each parent comment and use that.
Closes #50052