authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-02-16 12:20:23 +0100
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-02-16 12:20:23 +0100
commit2ee20d5a4b9923bbe1eef82e370da45d7efae287 (patch)
tree79e41ce4d7998ac9adf73f7feb6197a049266ba6 /lib
parentd9a8d9f3de2705a3ab568532f3882dd23b3ce27a (diff)
parente5ecd9b196b200d4626c27d06a67fedafa87f119 (diff)
downloadgitlab-ce-2ee20d5a4b9923bbe1eef82e370da45d7efae287.tar.gz
Merge branch 'master' into backstage/gb/build-stages-catch-up-migration
* master: (38 commits)
Diffstat (limited to 'lib')
-rw-r--r--lib/banzai/filter/html_entity_filter.rb2
-rw-r--r--lib/gitlab/checks/change_access.rb7
-rw-r--r--lib/gitlab/git_access.rb9
-rw-r--r--lib/gitlab/git_access_wiki.rb2
-rw-r--r--lib/gitlab/ldap/config.rb2
-rw-r--r--lib/gitlab/o_auth/user.rb8
-rw-r--r--lib/gitlab/profiler.rb1
7 files changed, 21 insertions, 10 deletions
diff --git a/lib/banzai/filter/html_entity_filter.rb b/lib/banzai/filter/html_entity_filter.rb
index f3bd587c28b..e008fd428b0 100644
--- a/lib/banzai/filter/html_entity_filter.rb
+++ b/lib/banzai/filter/html_entity_filter.rb
@@ -5,7 +5,7 @@ module Banzai
# Text filter that escapes these HTML entities: & " < >
class HtmlEntityFilter < HTML::Pipeline::TextFilter
def call
- ERB::Util.html_escape_once(text)
+ ERB::Util.html_escape(text)
end
end
end
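Review bot: The class comment above `call` still only lists the characters `& " < >` and does not record that escaping is now unconditional, which is the security-relevant part of this change. With `ERB::Util.html_escape`, input that already contains an entity such as `&lt;` is escaped again instead of passing through unchanged, so user text is rendered literally. A comment such as `# Always escape, including existing entities; do not switch back to html_escape_once` would stop this being reverted later as a "double-escaping" fix. A spec with pre-encoded input would pin the behaviour.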
diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index d75e73dac10..521680b8708 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -16,11 +16,11 @@ module Gitlab
lfs_objects_missing: 'LFS objects are missing. Ensure LFS is properly set up or try a manual "git lfs push --all".'
}.freeze
- attr_reader :user_access, :project, :skip_authorization, :protocol, :oldrev, :newrev, :ref, :branch_name, :tag_name
+ attr_reader :user_access, :project, :skip_authorization, :skip_lfs_integrity_check, :protocol, :oldrev, :newrev, :ref, :branch_name, :tag_name
def initialize(
change, user_access:, project:, skip_authorization: false,
- protocol:
+ skip_lfs_integrity_check: false, protocol:
)
@oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
@branch_name = Gitlab::Git.branch_name(@ref)
@@ -28,6 +28,7 @@ module Gitlab
@user_access = user_access
@project = project
@skip_authorization = skip_authorization
+ @skip_lfs_integrity_check = skip_lfs_integrity_check
@protocol = protocol
end
@@ -37,7 +38,7 @@ module Gitlab
push_checks
branch_checks
tag_checks
- lfs_objects_exist_check
+ lfs_objects_exist_check unless skip_lfs_integrity_check
commits_check unless skip_commits_check
true
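Review bot: `lfs_objects_exist_check unless skip_lfs_integrity_check` lets any caller switch off an integrity check, and nothing in this class says when that is safe. The flag is also exposed through `attr_reader`, next to `skip_authorization`. I would add a comment at the keyword in `initialize`, for example `# skip_lfs_integrity_check: pass true only when LFS objects for this push are verified elsewhere`, so later callers do not set it casually. The enclosing method starts and ends outside this hunk.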
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 8ec3386184a..9ec3858b493 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -238,19 +238,22 @@ module Gitlab
changes_list = Gitlab::ChangesList.new(changes)
# Iterate over all changes to find if user allowed all of them to be applied
- changes_list.each do |change|
+ changes_list.each.with_index do |change, index|
+ first_change = index == 0
+
# If user does not have access to make at least one change, cancel all
# push by allowing the exception to bubble up
- check_single_change_access(change)
+ check_single_change_access(change, skip_lfs_integrity_check: !first_change)
end
end
- def check_single_change_access(change)
+ def check_single_change_access(change, skip_lfs_integrity_check: false)
Checks::ChangeAccess.new(
change,
user_access: user_access,
project: project,
skip_authorization: deploy_key?,
+ skip_lfs_integrity_check: skip_lfs_integrity_check,
protocol: protocol
).exec
end
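Review bot: `skip_lfs_integrity_check: !first_change` makes the LFS check depend on a change's position in the push, and nothing here shows that the check run for the first change covers objects introduced by later refs. If the check is scoped to each change's `newrev` (not visible in this diff), a multi-ref push would have only its first ref verified. Please confirm this and state the reasoning in the comment above the loop, or add a spec with a push whose second ref has a missing LFS object. As a style point, `changes_list.each_with_index` and `index.zero?` read more naturally than `each.with_index` and `index == 0`. The loop's enclosing method begins outside the hunk.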
diff --git a/lib/gitlab/git_access_wiki.rb b/lib/gitlab/git_access_wiki.rb
index 1c9477e84b2..84d6e1490c3 100644
--- a/lib/gitlab/git_access_wiki.rb
+++ b/lib/gitlab/git_access_wiki.rb
@@ -13,7 +13,7 @@ module Gitlab
authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_wiki_code)
end
- def check_single_change_access(change)
+ def check_single_change_access(change, _options = {})
unless user_access.can_do_action?(:create_wiki)
raise UnauthorizedError, ERROR_MESSAGES[:write_to_wiki]
end
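Review bot: `_options = {}` accepts the new keyword only because Ruby folds it into a positional hash, so this override no longer mirrors the signature in `lib/gitlab/git_access.rb`. Declaring it as `def check_single_change_access(change, skip_lfs_integrity_check: false)` keeps the two in step and makes a misspelled keyword raise instead of being silently swallowed. The method body continues past the end of the hunk.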
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index 47b3fce3e7a..a6bea98d631 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -15,7 +15,7 @@ module Gitlab
end
def self.servers
- Gitlab.config.ldap.servers.values
+ Gitlab.config.ldap['servers']&.values || []
end
def self.available_servers
diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb
index a3e1c66c19f..28ebac1776e 100644
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -198,9 +198,11 @@ module Gitlab
end
def update_profile
+ clear_user_synced_attributes_metadata
+
return unless sync_profile_from_provider? || creating_linked_ldap_user?
- metadata = gl_user.user_synced_attributes_metadata || gl_user.build_user_synced_attributes_metadata
+ metadata = gl_user.build_user_synced_attributes_metadata
if sync_profile_from_provider?
UserSyncedAttributesMetadata::SYNCABLE_ATTRIBUTES.each do |key|
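Review bot: `clear_user_synced_attributes_metadata` runs before the `return unless ...` guard and calls `destroy` immediately, while the record from `build_user_synced_attributes_metadata` exists only in memory until `gl_user` is saved outside this hunk. If that save fails or is never reached, the user is left with no synced-attributes record. If that record is what marks profile fields as provider-managed (an inference from the name), those fields would lose that marking. I would put a comment on the helper added in the later hunk, e.g. `# Always drop stale sync metadata, even when profile sync is off for this provider`, and consider running the destroy in the same transaction as the save. `update_profile` continues beyond the hunk.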
@@ -221,6 +223,10 @@ module Gitlab
end
end
+ def clear_user_synced_attributes_metadata
+ gl_user&.user_synced_attributes_metadata&.destroy
+ end
+
def log
Gitlab::AppLogger
end
diff --git a/lib/gitlab/profiler.rb b/lib/gitlab/profiler.rb
index 95d94b3cc68..98a168b43bb 100644
--- a/lib/gitlab/profiler.rb
+++ b/lib/gitlab/profiler.rb
@@ -45,6 +45,7 @@ module Gitlab
if user
private_token ||= user.personal_access_tokens.active.pluck(:token).first
+ raise 'Your user must have a personal_access_token' unless private_token
end
headers['Private-Token'] = private_token if private_token
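Review bot: `raise 'Your user must have a personal_access_token'` raises a bare `RuntimeError`, which callers cannot tell apart from other failures, and the message omits that only `.active` tokens are considered. I would write `raise ArgumentError, 'Your user must have an active personal_access_token' unless private_token`. Separately, `pluck(:token).first` takes whichever active token comes back first, so the profiled request may run with a token whose scopes differ from what the caller expects. A short comment saying so would help. The enclosing method starts and ends outside the hunk.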