| -rw-r--r-- | CHANGELOG | 5 | ||||
| -rw-r--r-- | Gemfile | 2 | ||||
| -rw-r--r-- | Gemfile.lock | 12 | ||||
| -rw-r--r-- | app/controllers/jwt_controller.rb | 2 | ||||
| -rw-r--r-- | app/helpers/projects_helper.rb | 4 | ||||
| -rw-r--r-- | app/models/ability.rb | 1 | ||||
| -rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 2 | ||||
| -rw-r--r-- | app/views/layouts/nav/_project.html.haml | 3 | ||||
| -rw-r--r-- | lib/gitlab/database/migration_helpers.rb | 10 | ||||
| -rw-r--r-- | spec/features/pipelines_spec.rb | 6 | ||||
| -rw-r--r-- | spec/lib/gitlab/database/migration_helpers_spec.rb | 18 | ||||
| -rw-r--r-- | spec/requests/jwt_controller_spec.rb | 2 | ||||
| -rw-r--r-- | spec/services/auth/container_registry_authentication_service_spec.rb | 4 |
13 files changed, 51 insertions, 20 deletions
diff --git a/CHANGELOG b/CHANGELOG index 01585ede586..88e7cfaf967 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,10 @@ Please view this file on the master branch, on stable branches it's out of date. +v 8.8.1 (unreleased) + - Fix MySQL compatibility in zero downtime migrations helpers + - Fix the CI login to Container Registry (the gitlab-ci-token user) + - Fix access to Pipelines by Anonymous user + v 8.8.0 (unreleased) - Implement GFM references for milestones (Alejandro RodrÃguez) - Snippets tab under user profile. !4001 (Long Nguyen) @@ -325,7 +325,7 @@ gem "mail_room", "~> 0.7" gem 'email_reply_parser', '~> 0.5.8' ## CI -gem 'activerecord-session_store', '~> 0.1.0' +gem 'activerecord-session_store', '~> 1.0.0' gem "nested_form", '~> 0.3.2' # OAuth diff --git a/Gemfile.lock b/Gemfile.lock index b55764504c6..e1c5b9630d3 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -33,10 +33,12 @@ GEM activemodel (= 4.2.6) activesupport (= 4.2.6) arel (~> 6.0) - activerecord-session_store (0.1.2) - actionpack (>= 4.0.0, < 5) - activerecord (>= 4.0.0, < 5) - railties (>= 4.0.0, < 5) + activerecord-session_store (1.0.0) + actionpack (>= 4.0, < 5.1) + activerecord (>= 4.0, < 5.1) + multi_json (~> 1.11, >= 1.11.2) + rack (>= 1.5.2, < 3) + railties (>= 4.0, < 5.1) activesupport (4.2.6) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) @@ -883,7 +885,7 @@ PLATFORMS DEPENDENCIES RedCloth (~> 4.2.9) ace-rails-ap (~> 4.0.2) - activerecord-session_store (~> 0.1.0) + activerecord-session_store (~> 1.0.0) acts-as-taggable-on (~> 3.4) addressable (~> 2.3.8) after_commit_queue diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index f5aa5397ff1..156ab2811d6 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb 
@@ -36,7 +36,7 @@ class JwtController < ApplicationController end def authenticate_project(login, password) - if login == 'gitlab_ci_token' + if login == 'gitlab-ci-token' Project.find_by(builds_enabled: true, runners_token: password) end end diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb index 0825b5b6437..5e5d170a9f3 100644 --- a/app/helpers/projects_helper.rb +++ b/app/helpers/projects_helper.rb @@ -144,6 +144,10 @@ module ProjectsHelper nav_tabs << :merge_requests end + if can?(current_user, :read_pipeline, project) + nav_tabs << :pipelines + end + if can?(current_user, :read_build, project) nav_tabs << :builds end diff --git a/app/models/ability.rb b/app/models/ability.rb index f7ea2fd2b1f..b354b1990c7 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -60,6 +60,7 @@ class Ability :read_project_member, :read_merge_request, :read_note, + :read_pipeline, :read_commit_status, :read_container_image, :download_code diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index f807b8ec09a..2bbab643e69 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -6,7 +6,7 @@ module Auth return error('not found', 404) unless registry.enabled if params[:offline_token] - return error('unauthorized', 401) unless current_user + return error('unauthorized', 401) unless current_user || project else return error('forbidden', 403) unless scope end diff --git a/app/views/layouts/nav/_project.html.haml b/app/views/layouts/nav/_project.html.haml index a97fefcfb46..6dff488eda5 100644 --- a/app/views/layouts/nav/_project.html.haml +++ b/app/views/layouts/nav/_project.html.haml 
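Review bot: In `authenticate_project`, the basic-auth `password` goes straight into `Project.find_by(builds_enabled: true, runners_token: password)` with no check that it is non-empty. Whether a project row can carry a blank or NULL `runners_token` is not visible from this hunk, but if one can, a request with login `gitlab-ci-token` and an empty password would resolve to that project. I would guard the lookup with `if login == 'gitlab-ci-token' && password.present?`. The login name is also repeated as a literal in `spec/requests/jwt_controller_spec.rb`; a shared constant would keep the two from drifting apart again, which is the mismatch this commit fixes.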
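Review bot: `:read_pipeline` is added to a rule list whose visible entries do not include `:read_build`, so the new ability appears to be granted more broadly than build access is. The enclosing method starts outside the hunk, so which role this list belongs to cannot be confirmed here. The nav partial in this commit renders `@project.ci_commits.running_or_pending.count` under the `:pipelines` tab, so whoever holds this ability sees CI activity for the project. If build visibility for anonymous users is gated on a project setting elsewhere in `Ability`, `:read_pipeline` should follow the same gate. A comment above the new entry, e.g. `# pipelines are listed at this level; job details stay behind :read_build`, would make the intent reviewable.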
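Review bot: The `offline_token` branch now accepts `current_user || project`, but nothing at this line says where `project` comes from or what a token issued for it may do. Judging by the controller change in this commit, `project` is presumably the one matched by the CI runners token; a comment such as `# project is set when the request authenticated as gitlab-ci-token` would document that. The spec hunk for this service only flips the project case from 'an unauthorized' to 'an authenticated'. I would keep or add a case asserting 401 when `offline_token` is sent with neither a user nor a project. The rest of the enclosing method is outside the hunk, so the scope carried by the resulting token cannot be checked from here.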
@@ -38,7 +38,7 @@ %span Commits - - if project_nav_tab? :builds + - if project_nav_tab? :pipelines = nav_link(controller: :pipelines) do = link_to project_pipelines_path(@project), title: 'Pipelines', class: 'shortcuts-pipelines' do = icon('ship fw') @@ -46,6 +46,7 @@ Pipelines %span.count.ci_counter= number_with_delimiter(@project.ci_commits.running_or_pending.count) + - if project_nav_tab? :builds = nav_link(controller: %w(builds)) do = link_to project_builds_path(@project), title: 'Builds', class: 'shortcuts-builds' do = icon('cubes fw') diff --git a/lib/gitlab/database/migration_helpers.rb b/lib/gitlab/database/migration_helpers.rb index 9b662d163f0..fd14234c558 100644 --- a/lib/gitlab/database/migration_helpers.rb +++ b/lib/gitlab/database/migration_helpers.rb @@ -39,7 +39,15 @@ module Gitlab def update_column_in_batches(table, column, value) quoted_table = quote_table_name(table) quoted_column = quote_column_name(column) - quoted_value = quote(value) + + ## + # Workaround for #17711 + # + # It looks like for MySQL `ActiveRecord::Base.conntection.quote(true)` + # returns correct value (1), but `ActiveRecord::Migration.new.quote` + # returns incorrect value ('true'), which causes migrations to fail. + # + quoted_value = connection.quote(value) processed = 0 total = exec_query("SELECT COUNT(*) AS count FROM #{quoted_table}"). diff --git a/spec/features/pipelines_spec.rb b/spec/features/pipelines_spec.rb index 32665aadd22..1d6f4485c81 100644 --- a/spec/features/pipelines_spec.rb +++ b/spec/features/pipelines_spec.rb @@ -24,6 +24,12 @@ describe "Pipelines" do end end + context 'anonymous access' do + before { visit namespace_project_pipelines_path(project.namespace, project) } + + it { expect(page).to have_http_status(:success) } + end + context 'cancelable pipeline' do let!(:running) { create(:ci_build, :running, commit: pipeline, stage: 'test', commands: 'test') } 
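Review bot: The workaround comment in `update_column_in_batches` misspells the call as `conntection` and cites `#17711` without saying which tracker; I would write `ActiveRecord::Base.connection.quote(true)` and give the full issue link. `quoted_value` is presumably interpolated into the UPDATE statement further down (only the `SELECT COUNT(*)` interpolation of `quoted_table` is visible, the rest of the method is outside the hunk). The comment should therefore also say that `value` must always pass through `connection.quote` before it reaches the query string. The helper now relies on a `connection` method being available on whatever includes the module, which deserves a line in the module documentation.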
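Review bot: The new 'anonymous access' context only asserts `have_http_status(:success)`, and the project's visibility is set up outside the hunk. A spec that pins an access-control change should cover the denied side as well, for example a sibling `context 'anonymous access to a private project'` that makes the same visit and expects no access to the pipelines list. Without it, a later change that grants `:read_pipeline` too widely would still pass this spec.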
diff --git a/spec/lib/gitlab/database/migration_helpers_spec.rb b/spec/lib/gitlab/database/migration_helpers_spec.rb index ec43165bb53..35ade7a2be0 100644 --- a/spec/lib/gitlab/database/migration_helpers_spec.rb +++ b/spec/lib/gitlab/database/migration_helpers_spec.rb @@ -2,15 +2,13 @@ require 'spec_helper' describe Gitlab::Database::MigrationHelpers, lib: true do let(:model) do - Class.new do - include Gitlab::Database::MigrationHelpers - - def method_missing(name, *args, &block) - ActiveRecord::Base.connection.send(name, *args, &block) - end - end.new + ActiveRecord::Migration.new.extend( + Gitlab::Database::MigrationHelpers + ) end + before { allow(model).to receive(:puts) } + describe '#add_concurrent_index' do context 'outside a transaction' do before do @@ -60,6 +58,12 @@ describe Gitlab::Database::MigrationHelpers, lib: true do expect(Project.where(import_error: 'foo').count).to eq(5) end + + it 'updates boolean values correctly' do + model.update_column_in_batches(:projects, :archived, true) + + expect(Project.where(archived: true).count).to eq(5) + end end describe '#add_column_with_default' do diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb index 7bb71365a48..d006ff195cf 100644 --- a/spec/requests/jwt_controller_spec.rb +++ b/spec/requests/jwt_controller_spec.rb @@ -23,7 +23,7 @@ describe JwtController do context 'when using authorized request' do context 'using CI token' do let(:project) { create(:empty_project, runners_token: 'token', builds_enabled: builds_enabled) } - let(:headers) { { authorization: credentials('gitlab_ci_token', project.runners_token) } } + let(:headers) { { authorization: credentials('gitlab-ci-token', project.runners_token) } } subject! { get '/jwt/auth', parameters, headers } diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb index 73b8c3f048f..3f4a1ced2b6 100644 
--- a/spec/services/auth/container_registry_authentication_service_spec.rb +++ b/spec/services/auth/container_registry_authentication_service_spec.rb @@ -127,12 +127,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do context 'project authorization' do let(:current_project) { create(:empty_project) } - context 'disallow to use offline_token' do + context 'allow to use offline_token' do let(:current_params) do { offline_token: true } end - it_behaves_like 'an unauthorized' + it_behaves_like 'an authenticated' end context 'allow to pull and push images' do |
