authorJacob Vosmaer <contact@jacobvosmaer.nl>2015-07-27 11:22:35 +0200
committerJacob Vosmaer <contact@jacobvosmaer.nl>2015-07-27 11:22:35 +0200
commit0be6debb0b3350f35bf4b6a904c60da826314b3b (patch)
tree5a9281db4a97d8ffa8f3efc73e17fb0b11b17aef /app/controllers
parentd371331a65070ce5b3ab9c210eac697062170c91 (diff)
parentcd6046e1dd347f3a9bd7d062447aa25306a5755b (diff)
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq into backup-archive-permissions
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/admin/projects_controller.rb3
-rw-r--r--app/controllers/admin/users_controller.rb6
-rw-r--r--app/controllers/application_controller.rb6
-rw-r--r--app/controllers/autocomplete_controller.rb37
-rw-r--r--app/controllers/profiles/preferences_controller.rb1
-rw-r--r--app/controllers/profiles/two_factor_auths_controller.rb8
-rw-r--r--app/controllers/projects/branches_controller.rb4
-rw-r--r--app/controllers/projects/graphs_controller.rb7
-rw-r--r--app/controllers/projects/milestones_controller.rb7
-rw-r--r--app/controllers/projects/refs_controller.rb26
-rw-r--r--app/controllers/projects/tree_controller.rb4
-rw-r--r--app/controllers/projects_controller.rb38
12 files changed, 93 insertions, 54 deletions
diff --git a/app/controllers/admin/projects_controller.rb b/app/controllers/admin/projects_controller.rb
index f616ccf5684..da5f5bb83fa 100644
--- a/app/controllers/admin/projects_controller.rb
+++ b/app/controllers/admin/projects_controller.rb
@@ -23,7 +23,8 @@ class Admin::ProjectsController < Admin::ApplicationController
end
def transfer
- ::Projects::TransferService.new(@project, current_user, params.dup).execute
+ namespace = Namespace.find_by(id: params[:new_namespace_id])
+ ::Projects::TransferService.new(@project, current_user, params.dup).execute(namespace)
@project.reload
redirect_to admin_namespace_project_path(@project.namespace, @project)
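Review bot: `Namespace.find_by(id: params[:new_namespace_id])` in `transfer` returns nil when the id is missing or matches no row, and that nil goes straight into `execute(namespace)`. Whether `Projects::TransferService` rejects a nil target is not visible in this path-limited diff, so either guard it here with `return render_404 unless namespace` (or the controller's equivalent) or cover the nil case with a spec. This admin action also still hands the whole request to the service through `params.dup`, while the `ProjectsController#transfer` hunk later in this commit passes no params at all; `::Projects::TransferService.new(@project, current_user).execute(namespace)` would match it. The same nil-namespace case applies to that later hunk, and `transfer` here ends outside the hunk.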
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 7a683098df3..770fe00af51 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -55,6 +55,12 @@ class Admin::UsersController < Admin::ApplicationController
end
end
+ def disable_two_factor
+ user.disable_two_factor!
+ redirect_to admin_user_path(user),
+ notice: 'Two-factor Authentication has been disabled for this user'
+ end
+
def create
opts = {
force_random_password: true,
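Review bot: The new `disable_two_factor` action removes a second factor from someone else's account and, in the lines shown, records nothing about which administrator did it. A log line before the redirect gives incident responders something to correlate, for example `Gitlab::AppLogger.info "Two-factor authentication disabled for user #{user.id} by admin #{current_user.id}"`. The route is outside this diff; it should be reachable only through a non-GET verb so that CSRF protection covers it. Notifying the affected user would also be worth considering, since they otherwise have no signal that the factor was removed.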
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 63fc146f1d1..362b03e0d5e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base
headers['X-XSS-Protection'] = '1; mode=block'
headers['X-UA-Compatible'] = 'IE=edge'
headers['X-Content-Type-Options'] = 'nosniff'
- headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https
+ # Enabling HSTS for non-standard ports would send clients to the wrong port
+ if Gitlab.config.gitlab.https and Gitlab.config.gitlab.port == 443
+ headers['Strict-Transport-Security'] = 'max-age=31536000'
+ end
end
def add_gon_variables
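Review bot: The new HSTS condition joins its two tests with `and` and compares the port with an exact `== 443`, so the header is silently dropped if `port` ever arrives as a string (its type is not visible here). `if Gitlab.config.gitlab.https && Gitlab.config.gitlab.port.to_i == 443` avoids both the precedence trap and the type dependence. The change also means every HTTPS instance on a non-standard port now runs without HSTS, and the comment should say so, e.g. `# Instances on other ports get no HSTS and must rely on their own HTTP-to-HTTPS redirect`. The enclosing method starts outside the hunk.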
@@ -265,6 +268,7 @@ class ApplicationController < ActionController::Base
params[:scope] = 'all' if params[:scope].blank?
params[:state] = 'opened' if params[:state].blank?
+ @sort = params[:sort]
@filter_params = params.dup
if @project
diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index 11af9895261..52e9c58b47c 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -1,22 +1,35 @@
class AutocompleteController < ApplicationController
+ skip_before_action :authenticate_user!, only: [:users]
+
def users
- @users =
- if params[:project_id].present?
- project = Project.find(params[:project_id])
+ begin
+ @users =
+ if params[:project_id].present?
+ project = Project.find(params[:project_id])
- if can?(current_user, :read_project, project)
- project.team.users
- end
- elsif params[:group_id]
- group = Group.find(params[:group_id])
+ if can?(current_user, :read_project, project)
+ project.team.users
+ end
+ elsif params[:group_id]
+ group = Group.find(params[:group_id])
- if can?(current_user, :read_group, group)
- group.users
+ if can?(current_user, :read_group, group)
+ group.users
+ end
+ elsif current_user
+ User.all
end
- else
- User.all
+ rescue ActiveRecord::RecordNotFound
+ if current_user
+ return render json: {}, status: 404
end
+ end
+
+ if @users.nil? && current_user.nil?
+ authenticate_user!
+ end
+ @users ||= User.none
@users = @users.search(params[:search]) if params[:search].present?
@users = @users.active
@users = @users.page(params[:page]).per(PER_PAGE)
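Review bot: For a signed-in user the two lookup failures in `users` now answer differently: an unknown `project_id` or `group_id` reaches the `rescue` and returns 404, while an existing one that fails `can?` leaves `@users` nil and falls through to `@users ||= User.none`. That difference lets any authenticated account tell whether a private project or group id exists. Both cases should end in the same response, either by dropping the early `return render json: {}, status: 404` so both reach `User.none`, or by rendering 404 when `can?` fails as well. The branches are also inconsistent in their presence test (`params[:project_id].present?` against bare `params[:group_id]`), so an empty `group_id` is looked up instead of being ignored. The action continues past the end of the hunk, so the response for the empty case is inferred.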
diff --git a/app/controllers/profiles/preferences_controller.rb b/app/controllers/profiles/preferences_controller.rb
index 538b09ca54d..f83b4abd1e2 100644
--- a/app/controllers/profiles/preferences_controller.rb
+++ b/app/controllers/profiles/preferences_controller.rb
@@ -32,6 +32,7 @@ class Profiles::PreferencesController < Profiles::ApplicationController
params.require(:user).permit(
:color_scheme_id,
:dashboard,
+ :project_view,
:theme_id
)
end
diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index 03845f1e1ec..f9af0871cf1 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -29,13 +29,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
end
def destroy
- current_user.update_attributes({
- two_factor_enabled: false,
- encrypted_otp_secret: nil,
- encrypted_otp_secret_iv: nil,
- encrypted_otp_secret_salt: nil,
- otp_backup_codes: nil
- })
+ current_user.disable_two_factor!
redirect_to profile_account_path
end
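Review bot: `destroy` now relies on `User#disable_two_factor!`, defined outside this path-limited diff, to clear everything the removed `update_attributes` call cleared. A model spec should assert that afterwards `two_factor_enabled` is false and that `encrypted_otp_secret`, `encrypted_otp_secret_iv`, `encrypted_otp_secret_salt` and `otp_backup_codes` are all nil, so no old secret or backup code survives a later re-enrolment. If the bang method raises on a failed save, this action now errors where the old call returned false; that change in failure behaviour deserves a line in the method's documentation.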
diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb
index 696011b94b9..117ae3aaa3d 100644
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -32,7 +32,7 @@ class Projects::BranchesController < Projects::ApplicationController
end
def destroy
- DeleteBranchService.new(project, current_user).execute(params[:id])
+ status = DeleteBranchService.new(project, current_user).execute(params[:id])
@branch_name = params[:id]
respond_to do |format|
@@ -40,7 +40,7 @@ class Projects::BranchesController < Projects::ApplicationController
redirect_to namespace_project_branches_path(@project.namespace,
@project)
end
- format.js
+ format.js { render status: status[:return_code] }
end
end
end
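Review bot: Only the `format.js` branch uses the service result; the `format.html` branch above it still redirects to the branch list whether or not the deletion succeeded, so a refused delete looks like success to a non-JS client. Setting `flash[:alert]` from the result before that redirect would close the gap, though the result's keys other than `:return_code` are not visible here. The local added in the previous hunk is named `status`, which shadows the controller's own `status` accessor inside `destroy`; `result = DeleteBranchService.new(project, current_user).execute(params[:id])` with `format.js { render status: result[:return_code] }` reads more clearly.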
diff --git a/app/controllers/projects/graphs_controller.rb b/app/controllers/projects/graphs_controller.rb
index a060ea6f998..0b6f7f5c91e 100644
--- a/app/controllers/projects/graphs_controller.rb
+++ b/app/controllers/projects/graphs_controller.rb
@@ -1,6 +1,9 @@
class Projects::GraphsController < Projects::ApplicationController
+ include ExtractsPath
+
# Authorize
before_action :require_non_empty_project
+ before_action :assign_ref_vars
before_action :authorize_download_code!
def show
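Review bot: `assign_ref_vars` is registered ahead of `authorize_download_code!`, so the ref taken from the request is resolved against the repository before the download-code permission is checked. Unless the authorization callback needs the ref variables (its body is not visible here, and this may simply follow the order used by sibling controllers), listing `before_action :authorize_download_code!` first keeps unauthorized requests from triggering repository lookups. The two later hunks pass `@ref` into `commits(@ref, nil, 2000, 0, true)` and `commits(@ref, nil, 6000, 0, true)`; those limits would read better as named constants with a comment on why they differ.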
@@ -13,7 +16,7 @@ class Projects::GraphsController < Projects::ApplicationController
end
def commits
- @commits = @project.repository.commits(nil, nil, 2000, 0, true)
+ @commits = @project.repository.commits(@ref, nil, 2000, 0, true)
@commits_graph = Gitlab::Graphs::Commits.new(@commits)
@commits_per_week_days = @commits_graph.commits_per_week_days
@commits_per_time = @commits_graph.commits_per_time
@@ -23,7 +26,7 @@ class Projects::GraphsController < Projects::ApplicationController
private
def fetch_graph
- @commits = @project.repository.commits(nil, nil, 6000, 0, true)
+ @commits = @project.repository.commits(@ref, nil, 6000, 0, true)
@log = []
@commits.each do |commit|
diff --git a/app/controllers/projects/milestones_controller.rb b/app/controllers/projects/milestones_controller.rb
index 61689488d13..9efe9704d1e 100644
--- a/app/controllers/projects/milestones_controller.rb
+++ b/app/controllers/projects/milestones_controller.rb
@@ -64,7 +64,12 @@ class Projects::MilestonesController < Projects::ApplicationController
end
def destroy
- return access_denied! unless can?(current_user, :admin_milestone, @milestone)
+ return access_denied! unless can?(current_user, :admin_milestone, @project)
+
+ update_params = { milestone: nil }
+ @milestone.issues.each do |issue|
+ Issues::UpdateService.new(@project, current_user, update_params).execute(issue)
+ end
@milestone.destroy
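Review bot: The added loop in `destroy` detaches issues one service call at a time and then destroys the milestone, with nothing making the sequence atomic, so a failure part-way leaves some issues detached and the milestone still present. Wrapping the loop and `@milestone.destroy` in `Milestone.transaction do … end` keeps it all-or-nothing. Merge requests that reference the milestone are not handled in the visible lines; if they can carry a milestone they need the same treatment. The permission check now tests `:admin_milestone` against `@project` instead of `@milestone`, and a one-line comment explaining why the subject changed would help the next reader. `destroy` continues past the hunk.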
diff --git a/app/controllers/projects/refs_controller.rb b/app/controllers/projects/refs_controller.rb
index 01ca1537c0e..d83561cf32a 100644
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -8,17 +8,21 @@ class Projects::RefsController < Projects::ApplicationController
def switch
respond_to do |format|
format.html do
- new_path = if params[:destination] == "tree"
- namespace_project_tree_path(@project.namespace, @project,
- (@id))
- elsif params[:destination] == "blob"
- namespace_project_blob_path(@project.namespace, @project,
- (@id))
- elsif params[:destination] == "graph"
- namespace_project_network_path(@project.namespace, @project, @id, @options)
- else
- namespace_project_commits_path(@project.namespace, @project, @id)
- end
+ new_path =
+ case params[:destination]
+ when "tree"
+ namespace_project_tree_path(@project.namespace, @project, @id)
+ when "blob"
+ namespace_project_blob_path(@project.namespace, @project, @id)
+ when "graph"
+ namespace_project_network_path(@project.namespace, @project, @id, @options)
+ when "graphs"
+ namespace_project_graph_path(@project.namespace, @project, @id)
+ when "graphs_commits"
+ commits_namespace_project_graph_path(@project.namespace, @project, @id)
+ else
+ namespace_project_commits_path(@project.namespace, @project, @id)
+ end
redirect_to new_path
end
diff --git a/app/controllers/projects/tree_controller.rb b/app/controllers/projects/tree_controller.rb
index b659e15f242..92e4bc16d9d 100644
--- a/app/controllers/projects/tree_controller.rb
+++ b/app/controllers/projects/tree_controller.rb
@@ -7,13 +7,15 @@ class Projects::TreeController < Projects::ApplicationController
before_action :authorize_download_code!
def show
+ return not_found! unless @repository.commit(@ref)
+
if tree.entries.empty?
if @repository.blob_at(@commit.id, @path)
redirect_to(
namespace_project_blob_path(@project.namespace, @project,
File.join(@ref, @path))
) and return
- else
+ elsif @path.present?
return not_found!
end
end
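Review bot: The new guard in `show` calls `@repository.commit(@ref)` while the branch below reads `@commit.id`, so the action validates one lookup and then dereferences a different variable. If `@commit` is assigned from the same ref by an earlier callback (not visible here), `return not_found! unless @commit` is shorter, avoids a second repository lookup and guards exactly the value that is used. With `elsif @path.present?`, an empty tree at the repository root now falls through to render; a comment such as `# an empty root tree is valid, only a missing sub-path is a 404` would record that intent. `show` continues past the hunk.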
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index be5968cd7b0..586359f3080 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -1,12 +1,12 @@
class ProjectsController < ApplicationController
prepend_before_filter :render_go_import, only: [:show]
- skip_before_action :authenticate_user!, only: [:show]
+ skip_before_action :authenticate_user!, only: [:show, :activity]
before_action :project, except: [:new, :create]
before_action :repository, except: [:new, :create]
# Authorize
before_action :authorize_admin_project!, only: [:edit, :update, :destroy, :transfer, :archive, :unarchive]
- before_action :event_filter, only: :show
+ before_action :event_filter, only: [:show, :activity]
layout :determine_layout
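Review bot: Adding `:activity` to `skip_before_action :authenticate_user!` makes the project event feed reachable without a session, so its protection now rests entirely on `before_action :project`, whose definition is outside this hunk. A request spec should pin that an anonymous request for the activity of a non-public project is refused in both the HTML and the JSON format added in the next hunk. If the `:project` callback is indeed where visibility is enforced, a comment on the skip line, e.g. `# show and activity are open to anonymous users; access is enforced by the :project callback`, would make that dependency explicit.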
@@ -52,10 +52,21 @@ class ProjectsController < ApplicationController
end
def transfer
- transfer_params = params.permit(:new_namespace_id)
- ::Projects::TransferService.new(project, current_user, transfer_params).execute
- if @project.errors[:namespace_id].present?
- flash[:alert] = @project.errors[:namespace_id].first
+ namespace = Namespace.find_by(id: params[:new_namespace_id])
+ ::Projects::TransferService.new(project, current_user).execute(namespace)
+
+ if @project.errors[:new_namespace].present?
+ flash[:alert] = @project.errors[:new_namespace].first
+ end
+ end
+
+ def activity
+ respond_to do |format|
+ format.html
+ format.json do
+ load_events
+ pager_json('events/_events', @events.count)
+ end
end
end
@@ -65,15 +76,12 @@ class ProjectsController < ApplicationController
return
end
- @show_star = !(current_user && current_user.starred?(@project))
-
respond_to do |format|
format.html do
if @project.repository_exists?
if @project.empty_repo?
render 'projects/empty'
else
- @last_push = current_user.recent_push(@project.id) if current_user
render :show
end
else
@@ -81,11 +89,6 @@ class ProjectsController < ApplicationController
end
end
- format.json do
- load_events
- pager_json('events/_events', @events.count)
- end
-
format.atom do
load_events
render layout: false
@@ -147,11 +150,14 @@ class ProjectsController < ApplicationController
def toggle_star
current_user.toggle_star(@project)
@project.reload
- render json: { star_count: @project.star_count }
+
+ render json: {
+ html: view_to_html_string("projects/buttons/_star")
+ }
end
def markdown_preview
- text = params[:text]
+ text = params[:text]
ext = Gitlab::ReferenceExtractor.new(@project, current_user)
ext.analyze(text)