path: root/app
authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:14:01 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:14:01 +0000
commita5baa12bfff6c41f6c9cf156edcf8e621f71848e (patch)
tree1a7f51da1300bca04a1bd070f12e66bc4955c832 /app
parentbb51b8a098aa17b226d1e7941218512f8c835e08 (diff)
downloadgitlab-ce-a5baa12bfff6c41f6c9cf156edcf8e621f71848e.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/error_tracking_settings/utils.js3
-rw-r--r--app/assets/javascripts/projects/settings/access_dropdown.js2
-rw-r--r--app/controllers/projects/error_tracking_controller.rb1
-rw-r--r--app/controllers/projects/settings/operations_controller.rb2
-rw-r--r--app/helpers/integrations_helper.rb21
-rw-r--r--app/helpers/projects_helper.rb1
-rw-r--r--app/models/clusters/applications/runner.rb2
-rw-r--r--app/models/error_tracking/project_error_tracking_setting.rb24
-rw-r--r--app/policies/project_policy.rb2
-rw-r--r--app/serializers/member_user_entity.rb14
-rw-r--r--app/services/projects/operations/update_service.rb3
11 files changed, 47 insertions, 28 deletions
diff --git a/app/assets/javascripts/error_tracking_settings/utils.js b/app/assets/javascripts/error_tracking_settings/utils.js
index 7ef5f7bbd34..47a42dc3742 100644
--- a/app/assets/javascripts/error_tracking_settings/utils.js
+++ b/app/assets/javascripts/error_tracking_settings/utils.js
@@ -1,4 +1,4 @@
-export const projectKeys = ['name', 'organizationName', 'organizationSlug', 'slug'];
+export const projectKeys = ['id', 'name', 'organizationName', 'organizationSlug', 'slug'];
export const transformFrontendSettings = ({
apiHost,
@@ -9,6 +9,7 @@ export const transformFrontendSettings = ({
}) => {
const project = selectedProject
? {
+ sentry_project_id: selectedProject.id,
slug: selectedProject.slug,
name: selectedProject.name,
organization_name: selectedProject.organizationName,
diff --git a/app/assets/javascripts/projects/settings/access_dropdown.js b/app/assets/javascripts/projects/settings/access_dropdown.js
index 7fb7a416dca..79dfa166b1a 100644
--- a/app/assets/javascripts/projects/settings/access_dropdown.js
+++ b/app/assets/javascripts/projects/settings/access_dropdown.js
@@ -537,7 +537,7 @@ export default class AccessDropdown {
return `
<li>
<a href="#" class="${isActiveClass}">
- <strong>${key.title}</strong>
+ <strong>${escape(key.title)}</strong>
<p>
${sprintf(
__('Owned by %{image_tag}'),
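Review bot: The hunk does not show where `escape` comes from, and JavaScript has a legacy global `escape()` that percent-encodes instead of HTML-escaping. If the import is missing, the call would not throw; it would quietly render garbled titles. Confirm that the file imports an HTML-escaping `escape` (for example lodash's) at the top, outside this hunk. The template literal continues past the hunk, so the remaining interpolations, such as `${isActiveClass}` and the `%{image_tag}` argument to `sprintf`, should be checked for the same treatment.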
diff --git a/app/controllers/projects/error_tracking_controller.rb b/app/controllers/projects/error_tracking_controller.rb
index 06383d26133..d2e36ef5496 100644
--- a/app/controllers/projects/error_tracking_controller.rb
+++ b/app/controllers/projects/error_tracking_controller.rb
@@ -4,6 +4,7 @@ class Projects::ErrorTrackingController < Projects::ErrorTracking::BaseControlle
respond_to :json
before_action :authorize_read_sentry_issue!
+ before_action :authorize_update_sentry_issue!, only: %i[update]
before_action :set_issue_id, only: :details
before_action only: [:index] do
diff --git a/app/controllers/projects/settings/operations_controller.rb b/app/controllers/projects/settings/operations_controller.rb
index d4126cbd708..77d7f3570f3 100644
--- a/app/controllers/projects/settings/operations_controller.rb
+++ b/app/controllers/projects/settings/operations_controller.rb
@@ -144,7 +144,7 @@ module Projects
:integrated,
:api_host,
:token,
- project: [:slug, :name, :organization_slug, :organization_name]
+ project: [:slug, :name, :organization_slug, :organization_name, :sentry_project_id]
],
grafana_integration_attributes: [:token, :grafana_url, :enabled],
diff --git a/app/helpers/integrations_helper.rb b/app/helpers/integrations_helper.rb
index 82d4ceee44e..8d5523464c7 100644
--- a/app/helpers/integrations_helper.rb
+++ b/app/helpers/integrations_helper.rb
@@ -160,27 +160,6 @@ module IntegrationsHelper
!Gitlab.com?
end
- def jira_issue_breadcrumb_link(issue_reference)
- link_to '', { class: 'gl-display-flex gl-align-items-center gl-white-space-nowrap' } do
- icon = image_tag image_path('illustrations/logos/jira.svg'), width: 15, height: 15, class: 'gl-mr-2'
- [icon, html_escape(issue_reference)].join.html_safe
- end
- end
-
- def zentao_issue_breadcrumb_link(issue)
- link_to issue[:web_url], { target: '_blank', rel: 'noopener noreferrer', class: 'gl-display-flex gl-align-items-center gl-white-space-nowrap' } do
- icon = image_tag image_path('logos/zentao.svg'), width: 15, height: 15, class: 'gl-mr-2'
- [icon, html_escape(issue[:id])].join.html_safe
- end
- end
-
- def zentao_issues_show_data
- {
- issues_show_path: project_integrations_zentao_issue_path(@project, params[:id], format: :json),
- issues_list_path: project_integrations_zentao_issues_path(@project)
- }
- end
-
extend self
private
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 6112d05f37d..95e91a7ba27 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -300,6 +300,7 @@ module ProjectsHelper
setting.organization_slug.blank?
{
+ sentry_project_id: setting.sentry_project_id,
name: setting.project_name,
organization_name: setting.organization_name,
organization_slug: setting.organization_slug,
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index bed0eab5a58..1ac4cbac1da 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -3,7 +3,7 @@
module Clusters
module Applications
class Runner < ApplicationRecord
- VERSION = '0.41.0'
+ VERSION = '0.42.1'
self.table_name = 'clusters_applications_runners'
diff --git a/app/models/error_tracking/project_error_tracking_setting.rb b/app/models/error_tracking/project_error_tracking_setting.rb
index 3ecfb895dac..30382a1c205 100644
--- a/app/models/error_tracking/project_error_tracking_setting.rb
+++ b/app/models/error_tracking/project_error_tracking_setting.rb
@@ -125,17 +125,22 @@ module ErrorTracking
def issue_details(opts = {})
with_reactive_cache('issue_details', opts.stringify_keys) do |result|
+ ensure_issue_belongs_to_project!(result[:issue].project_id)
result
end
end
def issue_latest_event(opts = {})
with_reactive_cache('issue_latest_event', opts.stringify_keys) do |result|
+ ensure_issue_belongs_to_project!(result[:latest_event].project_id)
result
end
end
def update_issue(opts = {})
+ issue_to_be_updated = sentry_client.issue_details(issue_id: opts[:issue_id])
+ ensure_issue_belongs_to_project!(issue_to_be_updated.project_id)
+
handle_exceptions do
{ updated: sentry_client.update_issue(opts) }
end
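Review bot: In `update_issue` the new `sentry_client.issue_details` call and the ownership check sit before `handle_exceptions do`, so a Sentry client error or the check's own exception propagates to the caller instead of being handled like the update call itself. Moving both added lines inside the `handle_exceptions do` block would keep the error path uniform; `handle_exceptions` and the end of the method are outside the hunk, so confirm what it rescues. Separately, the two `with_reactive_cache` blocks dereference `result[:issue]` and `result[:latest_event]` unconditionally. If the cached result can be an error hash without those keys (not visible here), this raises `NoMethodError`; a guard such as `ensure_issue_belongs_to_project!(result[:issue].project_id) if result[:issue]` avoids that.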
@@ -177,6 +182,25 @@ module ErrorTracking
private
+ def ensure_issue_belongs_to_project!(project_id_from_api)
+ raise 'The Sentry issue appers to be outside of the configured Sentry project' if Integer(project_id_from_api) != ensure_sentry_project_id!
+ end
+
+ def ensure_sentry_project_id!
+ return sentry_project_id if sentry_project_id.present?
+
+ raise("Couldn't find project: #{organization_name} / #{project_name} on Sentry") if sentry_project.nil?
+
+ update!(sentry_project_id: sentry_project.id)
+ sentry_project_id
+ end
+
+ def sentry_project
+ strong_memoize(:sentry_project) do
+ sentry_client.projects.find { |project| project.name == project_name && project.organization_name == organization_name }
+ end
+ end
+
def add_gitlab_issue_details(issue)
issue.gitlab_commit = match_gitlab_commit(issue.first_release_version)
issue.gitlab_commit_path = project_commit_path(project, issue.gitlab_commit) if issue.gitlab_commit
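Review bot: `ensure_issue_belongs_to_project!` raises a bare string, which becomes a `RuntimeError` that callers cannot tell apart from any other failure. A dedicated error class would let the controller map it to a clear "not found" or "forbidden" response. The message also has a typo and should read `'The Sentry issue appears to be outside of the configured Sentry project'`. `Integer(project_id_from_api)` raises `TypeError` on `nil` and `ArgumentError` on non-numeric input, so a malformed Sentry response surfaces as an unrelated exception instead of a failed ownership check. Note also that `ensure_sentry_project_id!` calls `update!`, so the read paths `issue_details` and `issue_latest_event` can now write to the database and raise validation errors.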
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3bce26be756..6ddd83544bc 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -308,7 +308,6 @@ class ProjectPolicy < BasePolicy
enable :read_deployment
enable :read_merge_request
enable :read_sentry_issue
- enable :update_sentry_issue
enable :read_prometheus
enable :read_metrics_dashboard_annotation
enable :metrics_dashboard
@@ -423,6 +422,7 @@ class ProjectPolicy < BasePolicy
enable :admin_feature_flags_user_lists
enable :update_escalation_status
enable :read_secure_files
+ enable :update_sentry_issue
end
rule { can?(:developer_access) & user_confirmed? }.policy do
diff --git a/app/serializers/member_user_entity.rb b/app/serializers/member_user_entity.rb
index b3d8efc9143..6a01c5bb297 100644
--- a/app/serializers/member_user_entity.rb
+++ b/app/serializers/member_user_entity.rb
@@ -16,7 +16,7 @@ class MemberUserEntity < UserEntity
user.blocked?
end
- expose :two_factor_enabled do |user|
+ expose :two_factor_enabled, if: -> (user) { current_user_can_manage_members? || current_user?(user) } do |user|
user.two_factor_enabled?
end
@@ -25,6 +25,18 @@ class MemberUserEntity < UserEntity
user.status.emoji
end
end
+
+ private
+
+ def current_user_can_manage_members?
+ return false unless options[:source]
+
+ Ability.allowed?(options[:current_user], :"admin_#{options[:source].to_ability_name}_member", options[:source])
+ end
+
+ def current_user?(user)
+ options[:current_user] == user
+ end
end
MemberUserEntity.prepend_mod_with('MemberUserEntity')
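Review bot: `current_user_can_manage_members?` returns false whenever `options[:source]` is absent, so any call site that serializes members without passing `source:` will now omit `two_factor_enabled` even for users who may manage members. Failing closed is the right default, but it is easy to trip over later and deserves a comment above the method, for example `# Fail closed: without a source we cannot check admin_<source>_member, so the field stays hidden.` The key is then absent from the JSON, not `false`, so consumers of this entity (not visible here) should treat a missing value as "unknown" and not as "2FA disabled".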
diff --git a/app/services/projects/operations/update_service.rb b/app/services/projects/operations/update_service.rb
index d01e96a1a2d..7e4e0d7378e 100644
--- a/app/services/projects/operations/update_service.rb
+++ b/app/services/projects/operations/update_service.rb
@@ -90,7 +90,8 @@ module Projects
api_url: api_url,
enabled: settings[:enabled],
project_name: settings.dig(:project, :name),
- organization_name: settings.dig(:project, :organization_name)
+ organization_name: settings.dig(:project, :organization_name),
+ sentry_project_id: settings.dig(:project, :sentry_project_id)
}
}
params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value
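Review bot: `sentry_project_id` is taken straight from the request, here and in the permitted params in `operations_controller.rb`, and stored without being checked against Sentry. `ensure_sentry_project_id!` returns the stored value whenever it is present, so the new ownership check is only as trustworthy as this client-supplied id. Whoever can edit these settings also supplies the API host and token, so the exposure is probably limited, but a stale or mismatched id would make the check compare against the wrong project. Consider resolving the id server-side from the configured organization and project (the `sentry_project` lookup added in the model already does this), or validating the submitted id against that lookup before saving.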