Merge remote-tracking branch 'origin/master' into ide

16 files changed, 126 insertions, 124 deletions

diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index c1bc4c0d675..8367c22d1ca 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -76,88 +76,13 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
     params.delete(:domain_blacklist_raw) if params[:domain_blacklist_file]
 
     params.require(:application_setting).permit(
-      application_setting_params_ce
+      visible_application_setting_attributes
     )
   end
 
-  def application_setting_params_ce
-    [
-      :admin_notification_email,
-      :after_sign_out_path,
-      :after_sign_up_text,
-      :akismet_api_key,
-      :akismet_enabled,
-      :container_registry_token_expire_delay,
-      :default_artifacts_expire_in,
-      :default_branch_protection,
-      :default_group_visibility,
-      :default_project_visibility,
-      :default_projects_limit,
-      :default_snippet_visibility,
-      :domain_blacklist_enabled,
+  def visible_application_setting_attributes
+    ApplicationSettingsHelper.visible_attributes + [
       :domain_blacklist_file,
-      :domain_blacklist_raw,
-      :domain_whitelist_raw,
-      :email_author_in_body,
-      :enabled_git_access_protocol,
-      :gravatar_enabled,
-      :help_page_text,
-      :help_page_hide_commercial_content,
-      :help_page_support_url,
-      :home_page_url,
-      :housekeeping_bitmaps_enabled,
-      :housekeeping_enabled,
-      :housekeeping_full_repack_period,
-      :housekeeping_gc_period,
-      :housekeeping_incremental_repack_period,
-      :html_emails_enabled,
-      :koding_enabled,
-      :koding_url,
-      :password_authentication_enabled,
-      :plantuml_enabled,
-      :plantuml_url,
-      :max_artifacts_size,
-      :max_attachment_size,
-      :max_pages_size,
-      :metrics_enabled,
-      :metrics_host,
-      :metrics_method_call_threshold,
-      :metrics_packet_size,
-      :metrics_pool_size,
-      :metrics_port,
-      :metrics_sample_interval,
-      :metrics_timeout,
-      :performance_bar_allowed_group_id,
-      :performance_bar_enabled,
-      :recaptcha_enabled,
-      :recaptcha_private_key,
-      :recaptcha_site_key,
-      :repository_checks_enabled,
-      :require_two_factor_authentication,
-      :session_expire_delay,
-      :sign_in_text,
-      :signup_enabled,
-      :sentry_dsn,
-      :sentry_enabled,
-      :clientside_sentry_dsn,
-      :clientside_sentry_enabled,
-      :send_user_confirmation_email,
-      :shared_runners_enabled,
-      :shared_runners_text,
-      :sidekiq_throttling_enabled,
-      :sidekiq_throttling_factor,
-      :two_factor_grace_period,
-      :user_default_external,
-      :user_oauth_applications,
-      :unique_ips_limit_per_user,
-      :unique_ips_limit_time_window,
-      :unique_ips_limit_enabled,
-      :version_check_enabled,
-      :terminal_max_session_time,
-      :polling_interval_multiplier,
-      :prometheus_metrics_enabled,
-      :usage_ping_enabled,
-
       disabled_oauth_sign_in_sources: [],
       import_sources: [],
       repository_storages: [],
diff --git a/app/controllers/admin/applications_controller.rb b/app/controllers/admin/applications_controller.rb
index 434ff6b2a62..16590e66d61 100644
--- a/app/controllers/admin/applications_controller.rb
+++ b/app/controllers/admin/applications_controller.rb
@@ -50,6 +50,6 @@ class Admin::ApplicationsController < Admin::ApplicationController
 
   # Only allow a trusted parameter "white list" through.
   def application_params
-    params[:doorkeeper_application].permit(:name, :redirect_uri, :scopes)
+    params.require(:doorkeeper_application).permit(:name, :redirect_uri, :trusted, :scopes)
   end
 end
diff --git a/app/controllers/admin/dashboard_controller.rb b/app/controllers/admin/dashboard_controller.rb
index 8360ce08bdc..05e749c00c0 100644
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -1,6 +1,6 @@
 class Admin::DashboardController < Admin::ApplicationController
   def index
-    @projects = Project.with_route.limit(10)
+    @projects = Project.without_deleted.with_route.limit(10)
     @users = User.limit(10)
     @groups = Group.with_route.limit(10)
   end
diff --git a/app/controllers/admin/projects_controller.rb b/app/controllers/admin/projects_controller.rb
index 984d5398708..0b6cd71e651 100644
--- a/app/controllers/admin/projects_controller.rb
+++ b/app/controllers/admin/projects_controller.rb
@@ -3,18 +3,9 @@ class Admin::ProjectsController < Admin::ApplicationController
   before_action :group, only: [:show, :transfer]
 
   def index
-    params[:sort] ||= 'latest_activity_desc'
-    @projects = Project.with_statistics
-    @projects = @projects.in_namespace(params[:namespace_id]) if params[:namespace_id].present?
-    @projects = @projects.where(visibility_level: params[:visibility_level]) if params[:visibility_level].present?
-    @projects = @projects.with_push if params[:with_push].present?
-    @projects = @projects.abandoned if params[:abandoned].present?
-    @projects = @projects.where(last_repository_check_failed: true) if params[:last_repository_check_failed].present?
-    @projects = @projects.non_archived unless params[:archived].present?
-    @projects = @projects.personal(current_user) if params[:personal].present?
-    @projects = @projects.search(params[:name]) if params[:name].present?
-    @projects = @projects.sort(@sort = params[:sort])
-    @projects = @projects.includes(:namespace).order("namespaces.path, projects.name ASC").page(params[:page])
+    finder    = Admin::ProjectsFinder.new(params: params, current_user: current_user)
+    @projects = finder.execute
+    @sort     = finder.sort
 
     respond_to do |format|
       format.html
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 43462b13903..d14b1dbecf6 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -70,6 +70,16 @@ class ApplicationController < ActionController::Base
 
   protected
 
+  def append_info_to_payload(payload)
+    super
+    payload[:remote_ip] = request.remote_ip
+
+    if current_user.present?
+      payload[:user_id] = current_user.id
+      payload[:username] = current_user.username
+    end
+  end
+
   # This filter handles both private tokens and personal access tokens
   def authenticate_user_from_private_token!
     token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
diff --git a/app/controllers/profiles/gpg_keys_controller.rb b/app/controllers/profiles/gpg_keys_controller.rb
new file mode 100644
index 00000000000..6779cc6ddac
--- /dev/null
+++ b/app/controllers/profiles/gpg_keys_controller.rb
@@ -0,0 +1,47 @@
+class Profiles::GpgKeysController < Profiles::ApplicationController
+  before_action :set_gpg_key, only: [:destroy, :revoke]
+
+  def index
+    @gpg_keys = current_user.gpg_keys
+    @gpg_key = GpgKey.new
+  end
+
+  def create
+    @gpg_key = current_user.gpg_keys.new(gpg_key_params)
+
+    if @gpg_key.save
+      redirect_to profile_gpg_keys_path
+    else
+      @gpg_keys = current_user.gpg_keys.select(&:persisted?)
+      render :index
+    end
+  end
+
+  def destroy
+    @gpg_key.destroy
+
+    respond_to do |format|
+      format.html { redirect_to profile_gpg_keys_url, status: 302 }
+      format.js { head :ok }
+    end
+  end
+
+  def revoke
+    @gpg_key.revoke
+
+    respond_to do |format|
+      format.html { redirect_to profile_gpg_keys_url, status: 302 }
+      format.js { head :ok }
+    end
+  end
+
+  private
+
+  def gpg_key_params
+    params.require(:gpg_key).permit(:key)
+  end
+
+  def set_gpg_key
+    @gpg_key = current_user.gpg_keys.find(params[:id])
+  end
+end
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 95de3a44641..221e01b415a 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -22,6 +22,7 @@ class Projects::ApplicationController < ApplicationController
 
   def project
     return @project if @project
+    return nil unless params[:project_id] || params[:id]
 
     path = File.join(params[:namespace_id], params[:project_id] || params[:id])
     auth_proc = ->(project) { !project.pending_delete? }
diff --git a/app/controllers/projects/badges_controller.rb b/app/controllers/projects/badges_controller.rb
index 6c25cd83a24..06ba73d8e8d 100644
--- a/app/controllers/projects/badges_controller.rb
+++ b/app/controllers/projects/badges_controller.rb
@@ -3,11 +3,11 @@ class Projects::BadgesController < Projects::ApplicationController
   before_action :authorize_admin_project!, only: [:index]
   before_action :no_cache_headers, except: [:index]
 
-  def build
-    build_status = Gitlab::Badge::Build::Status
+  def pipeline
+    pipeline_status = Gitlab::Badge::Pipeline::Status
       .new(project, params[:ref])
 
-    render_badge build_status
+    render_badge pipeline_status
   end
 
   def coverage
diff --git a/app/controllers/projects/commits_controller.rb b/app/controllers/projects/commits_controller.rb
index 37b5a6e9d48..2de9900d449 100644
--- a/app/controllers/projects/commits_controller.rb
+++ b/app/controllers/projects/commits_controller.rb
@@ -6,18 +6,9 @@ class Projects::CommitsController < Projects::ApplicationController
   before_action :require_non_empty_project
   before_action :assign_ref_vars
   before_action :authorize_download_code!
+  before_action :set_commits
 
   def show
-    @limit, @offset = (params[:limit] || 40).to_i, (params[:offset] || 0).to_i
-    search = params[:search]
-
-    @commits =
-      if search.present?
-        @repository.find_commits_by_message(search, @ref, @path, @limit, @offset)
-      else
-        @repository.commits(@ref, path: @path, limit: @limit, offset: @offset)
-      end
-
     @note_counts = project.notes.where(commit_id: @commits.map(&:id))
       .group(:commit_id).count
 
@@ -37,4 +28,33 @@ class Projects::CommitsController < Projects::ApplicationController
       end
     end
   end
+
+  def signatures
+    respond_to do |format|
+      format.json do
+        render json: {
+          signatures: @commits.select(&:has_signature?).map do |commit|
+            {
+              commit_sha: commit.sha,
+              html: view_to_html_string('projects/commit/_signature', signature: commit.signature)
+            }
+          end
+        }
+      end
+    end
+  end
+
+  private
+
+  def set_commits
+    @limit, @offset = (params[:limit] || 40).to_i, (params[:offset] || 0).to_i
+    search = params[:search]
+
+    @commits =
+      if search.present?
+        @repository.find_commits_by_message(search, @ref, @path, @limit, @offset)
+      else
+        @repository.commits(@ref, path: @path, limit: @limit, offset: @offset)
+      end
+  end
 end
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 0ac9da2ff0f..e2ccabb22db 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -8,7 +8,6 @@ class Projects::IssuesController < Projects::ApplicationController
 
   prepend_before_action :authenticate_user!, only: [:new]
 
-  before_action :redirect_to_external_issue_tracker, only: [:index, :new]
   before_action :check_issues_available!
   before_action :issue, except: [:index, :new, :create, :bulk_update]
 
@@ -243,19 +242,19 @@ class Projects::IssuesController < Projects::ApplicationController
   end
 
   def authorize_update_issue!
-    return render_404 unless can?(current_user, :update_issue, @issue)
+    render_404 unless can?(current_user, :update_issue, @issue)
   end
 
   def authorize_admin_issues!
-    return render_404 unless can?(current_user, :admin_issue, @project)
+    render_404 unless can?(current_user, :admin_issue, @project)
   end
 
   def authorize_create_merge_request!
-    return render_404 unless can?(current_user, :push_code, @project) && @issue.can_be_worked_on?(current_user)
+    render_404 unless can?(current_user, :push_code, @project) && @issue.can_be_worked_on?(current_user)
   end
 
   def check_issues_available!
-    return render_404 unless @project.feature_available?(:issues, current_user) && @project.default_issues_tracker?
+    return render_404 unless @project.feature_available?(:issues, current_user)
   end
 
   def redirect_to_external_issue_tracker
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index 70c41da4de5..d361e661d0e 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -223,12 +223,18 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
             if can?(current_user, :read_environment, environment) && environment.has_metrics?
               metrics_project_environment_deployment_path(environment.project, environment, deployment)
             end
+          
+          metrics_monitoring_url = 
+            if can?(current_user, :read_environment, environment)
+              environment_metrics_path(environment)
+            end
 
           {
             id: environment.id,
             name: environment.name,
             url: project_environment_path(project, environment),
             metrics_url: metrics_url,
+            metrics_monitoring_url: metrics_monitoring_url,
             stop_url: stop_url,
             external_url: environment.external_url,
             external_url_formatted: environment.formatted_external_url,
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index ea7ceb3eaa5..15a2ff56b92 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -35,7 +35,7 @@ module Projects
       def define_badges_variables
         @ref = params[:ref] || @project.default_branch || 'master'
 
-        @badges = [Gitlab::Badge::Build::Status,
+        @badges = [Gitlab::Badge::Pipeline::Status,
                    Gitlab::Badge::Coverage::Report]
 
         @badges.map! do |badge|
diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb
index ac98470c2b1..968d880886c 100644
--- a/app/controllers/projects/wikis_controller.rb
+++ b/app/controllers/projects/wikis_controller.rb
@@ -55,6 +55,9 @@ class Projects::WikisController < Projects::ApplicationController
     else
       render 'edit'
     end
+  rescue WikiPage::PageChangedError
+    @conflict = true
+    render 'edit'
   end
 
   def create
@@ -119,6 +122,6 @@ class Projects::WikisController < Projects::ApplicationController
   end
 
   def wiki_params
-    params.require(:wiki).permit(:title, :content, :format, :message)
+    params.require(:wiki).permit(:title, :content, :format, :message, :last_commit_sha)
   end
 end
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index c769693255c..2d7cbd4614e 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -296,10 +296,10 @@ class ProjectsController < Projects::ApplicationController
 
   def project_params
     params.require(:project)
-      .permit(project_params_ce)
+      .permit(project_params_attributes)
   end
 
-  def project_params_ce
+  def project_params_attributes
     [
       :avatar,
       :build_allow_git_fetch,
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 0e8a57f8e03..9e743685d60 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -5,6 +5,14 @@ class SessionsController < Devise::SessionsController
 
   skip_before_action :check_two_factor_requirement, only: [:destroy]
 
+  # Explicitly call protect from forgery before anything else. Otherwise the
+  # CSFR-token might be cleared before authentication is done. This was the case
+  # when LDAP was enabled and the `OmniauthCallbacksController` is loaded
+  #
+  # *Note:* `prepend: true` is the default for rails4, but this will be changed
+  # to `prepend: false` in rails5.
+  protect_from_forgery prepend: true, with: :exception
+
   prepend_before_action :check_initial_setup, only: [:new]
   prepend_before_action :authenticate_with_two_factor,
     if: :two_factor_enabled?, only: [:create]
@@ -15,12 +23,7 @@ class SessionsController < Devise::SessionsController
 
   def new
     set_minimum_password_length
-    @ldap_servers =
-      if Gitlab.config.ldap.enabled
-        Gitlab::LDAP::Config.servers
-      else
-        []
-      end
+    @ldap_servers = Gitlab::LDAP::Config.available_servers
 
     super
   end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8131eba6a2f..4ee855806ab 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -73,10 +73,7 @@ class UsersController < ApplicationController
   end
 
   def calendar
-    calendar = contributions_calendar
-    @activity_dates = calendar.activity_dates
-
-    render 'calendar', layout: false
+    render json: contributions_calendar.activity_dates
   end
 
   def calendar_activities