author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-17 00:09:12 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-17 00:09:12 +0000 |
commit | d43aaf286fe6b8e8383e73ea580274d8841608d7 (patch) | |
tree | ca03542a55583538a1ec13023dffed20457407b5 /app | |
parent | 87af6f2e0590af0ed1bb3e5de1bb5d21855a94d2 (diff) | |
download | gitlab-ce-d43aaf286fe6b8e8383e73ea580274d8841608d7.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/groups/settings/ci_cd_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/settings/ci_cd_controller.rb | 2 | ||||
-rw-r--r-- | app/finders/award_emojis_finder.rb | 2 | ||||
-rw-r--r-- | app/models/concerns/usage_statistics.rb | 13 | ||||
-rw-r--r-- | app/models/discussion.rb | 1 | ||||
-rw-r--r-- | app/models/note.rb | 9 | ||||
-rw-r--r-- | app/models/zoom_meeting.rb | 8 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 41 | ||||
-rw-r--r-- | app/services/users/build_service.rb | 10 | ||||
-rw-r--r-- | app/views/ci/variables/_index.html.haml | 2 |
10 files changed, 76 insertions, 14 deletions
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index 3d347429398..ffa3f2c3364 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -7,7 +7,7 @@ module Groups
 before_action :authorize_admin_group!
 before_action :authorize_update_max_artifacts_size!, only: [:update]
 before_action do
- push_frontend_feature_flag(:new_variables_ui, @group, default_enabled: true)
+ push_frontend_feature_flag(:new_variables_ui, @group)
 end
 before_action :define_variables, only: [:show, :create_deploy_token]
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index 43c798bfc6e..aac6ecb07e4 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -6,7 +6,7 @@ module Projects
 before_action :authorize_admin_pipeline!
 before_action :define_variables
 before_action do
- push_frontend_feature_flag(:new_variables_ui, @project, default_enabled: true)
+ push_frontend_feature_flag(:new_variables_ui, @project)
 end
 def show
diff --git a/app/finders/award_emojis_finder.rb b/app/finders/award_emojis_finder.rb
index 7320e035409..7882beb64bf 100644
--- a/app/finders/award_emojis_finder.rb
+++ b/app/finders/award_emojis_finder.rb
@@ -41,7 +41,7 @@ class AwardEmojisFinder
 def validate_name_param
 return unless params[:name]
- raise ArgumentError, 'Invalid name param' unless params[:name].in?(Gitlab::Emoji.emojis_names)
+ raise ArgumentError, 'Invalid name param' unless params[:name].to_s.in?(Gitlab::Emoji.emojis_names)
 end
 def validate_awarded_by_param
diff --git a/app/models/concerns/usage_statistics.rb b/app/models/concerns/usage_statistics.rb
new file mode 100644
index 00000000000..d6cafcb22b1
--- /dev/null
+++ b/app/models/concerns/usage_statistics.rb
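Review bot: In `validate_name_param` (app/finders/award_emojis_finder.rb) the allow-list check now runs on `params[:name].to_s`, while the guard above it, and presumably the code outside this hunk that consumes the name, still read the raw `params[:name]`. The value that is validated and the value that is used can therefore differ in type. Normalising once and using the same local for the guard, the check and the consumer would keep them in step, for example `name = params[:name].to_s`. A short comment saying which non-String inputs the `to_s` is meant to cover would also help the next reader.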
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module UsageStatistics
+ extend ActiveSupport::Concern
+
+ class_methods do
+ def distinct_count_by(column = nil, fallback = -1)
+ distinct.count(column)
+ rescue ActiveRecord::StatementInvalid
+ fallback
+ end
+ end
+end
diff --git a/app/models/discussion.rb b/app/models/discussion.rb
index 5c45c5fb7fb..c07078c03dd 100644
--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -14,6 +14,7 @@ class Discussion
 :author,
 :noteable,
 :commit_id,
+ :confidential?,
 :for_commit?,
 :for_merge_request?,
 :noteable_ability_name,
diff --git a/app/models/note.rb b/app/models/note.rb
index 670a981a78f..251a75e6025 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -320,6 +320,13 @@ class Note < ApplicationRecord
 super(noteable_type.to_s.classify.constantize.base_class.to_s)
 end
+ def noteable_assignee_or_author?(user)
+ return false unless user
+ return noteable.assignee_or_author?(user) if [MergeRequest, Issue].include?(noteable.class)
+
+ noteable.author_id == user.id
+ end
+
 def special_role=(role)
 raise "Role is undefined, #{role} not found in #{SpecialRole.values}" unless SpecialRole.value?(role)
@@ -337,7 +344,7 @@ class Note < ApplicationRecord
 end
 def confidential?
- noteable.try(:confidential?)
+ confidential || noteable.try(:confidential?)
 end
 def editable?
diff --git a/app/models/zoom_meeting.rb b/app/models/zoom_meeting.rb
index fe2f351018c..f83aa93b69a 100644
--- a/app/models/zoom_meeting.rb
+++ b/app/models/zoom_meeting.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 class ZoomMeeting < ApplicationRecord
+ include UsageStatistics
+
 belongs_to :project, optional: false
 belongs_to :issue, optional: false
@@ -23,10 +25,4 @@ class ZoomMeeting < ApplicationRecord
 def self.canonical_meeting_url(issue)
 canonical_meeting(issue)&.url
 end
-
- def self.distinct_count_by(column = nil, fallback = -1)
- distinct.count(column)
- rescue ActiveRecord::StatementInvalid
- fallback
- end
 end
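Review bot: `distinct_count_by` in the new `UsageStatistics` concern turns every `ActiveRecord::StatementInvalid` into `fallback` with no logging and no comment, so any failed statement comes back as `-1` and callers can tell it from a real count only by convention. A doc comment above the method would state the contract, for example `# Returns the distinct count of +column+, or +fallback+ (-1 by default) when the query raises ActiveRecord::StatementInvalid.` Recording the exception before returning the fallback would also make persistent failures visible rather than leaving a silent sentinel in the reported numbers.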
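Review bot: `noteable_assignee_or_author?` in app/models/note.rb calls `noteable.class` and `noteable.author_id` directly, while `confidential?` in the second hunk of the same file still uses `noteable.try(...)`, which suggests `noteable` can be nil or may not respond to every message. `confidential?` can now be true from the note's own `confidential` attribute alone, so a confidential note without a resolvable noteable would raise `NoMethodError` in this check instead of returning false. Making the first guard `return false unless user && noteable` would avoid that. `[MergeRequest, Issue].include?(noteable.class)` also matches only those exact classes, so any subclass falls through to the `author_id` comparison; a one-line comment saying whether that is intended would help.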
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 54dc70b08cb..32be89439ba 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 class NotePolicy < BasePolicy
+ include Gitlab::Utils::StrongMemoize
+
 delegate { @subject.resource_parent }
 delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
@@ -13,6 +15,12 @@ class NotePolicy < BasePolicy
 condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) }
+ condition(:confidential, scope: :subject) { @subject.confidential? }
+
+ condition(:can_read_confidential) do
+ access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user)
+ end
+
 rule { ~editable }.prevent :admin_note
 # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
@@ -39,4 +47,37 @@ class NotePolicy < BasePolicy
 rule { is_noteable_author }.policy do
 enable :resolve_note
 end
+
+ rule { confidential & ~can_read_confidential }.policy do
+ prevent :read_note
+ prevent :admin_note
+ prevent :resolve_note
+ prevent :award_emoji
+ end
+
+ def parent_namespace
+ strong_memoize(:parent_namespace) do
+ next if @subject.is_a?(PersonalSnippet)
+ next @subject.noteable.group if @subject.noteable&.is_a?(Epic)
+
+ @subject.project
+ end
+ end
+
+ def access_level
+ return -1 if @user.nil?
+ return -1 unless parent_namespace
+
+ lookup_access_level!
+ end
+
+ def lookup_access_level!
+ return ::Gitlab::Access::REPORTER if alert_bot?
+
+ if parent_namespace.is_a?(Project)
+ parent_namespace.team.max_member_access(@user.id)
+ else
+ parent_namespace.max_member_access_for_user(@user)
+ end
+ end
 end
diff --git a/app/services/users/build_service.rb b/app/services/users/build_service.rb
index 56631bf2785..4c3ae2d204d 100644
--- a/app/services/users/build_service.rb
+++ b/app/services/users/build_service.rb
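Review bot: In `parent_namespace` (last hunk of app/policies/note_policy.rb) the guard `next if @subject.is_a?(PersonalSnippet)` tests the policy subject itself, which every other line of this policy treats as a note (`@subject.noteable`, `@subject.confidential?`), so it looks as if it can never be true. The intent was probably `next if @subject.noteable.is_a?(PersonalSnippet)`. As written, notes on personal snippets fall through to `@subject.project`, and the `-1` access level then depends on that being nil, which is inferred because the association is not visible here. The `prevent` rule above it also lists four abilities by name, so a note ability added later stays allowed on confidential notes unless it is added to that list. A comment above the rule such as `# Every note ability must be listed here to be denied on confidential notes` would make that obligation explicit.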
@@ -28,9 +28,7 @@ module Users
 end
 end
- unless identity_params.empty?
- user.identities.build(identity_params)
- end
+ build_identity(user)
 user
 end
@@ -41,6 +39,12 @@ module Users
 [:extern_uid, :provider]
 end
+ def build_identity(user)
+ return if identity_params.empty?
+
+ user.identities.build(identity_params)
+ end
+
 def can_create_user?
 (current_user.nil? && Gitlab::CurrentSettings.allow_signup?) || current_user&.admin?
 end
diff --git a/app/views/ci/variables/_index.html.haml b/app/views/ci/variables/_index.html.haml
index aadb2c62d83..f11c730eba6 100644
--- a/app/views/ci/variables/_index.html.haml
+++ b/app/views/ci/variables/_index.html.haml
@@ -5,7 +5,7 @@
 - link_start = '<a href="%{url}">'.html_safe % { url: help_page_path('ci/variables/README', anchor: 'protected-variables') }
 = s_('Environment variables are configured by your administrator to be %{link_start}protected%{link_end} by default').html_safe % { link_start: link_start, link_end: '</a>'.html_safe }
-- if Feature.enabled?(:new_variables_ui, @project || @group, default_enabled: true)
+- if Feature.enabled?(:new_variables_ui, @project || @group)
 - is_group = !@group.nil?
 #js-ci-project-variables{ data: { endpoint: save_endpoint, project_id: @project&.id || '', group: is_group.to_s, maskable_regex: ci_variable_maskable_regex} } |