18 files changed, 130 insertions, 55 deletions

diff --git a/app/assets/javascripts/vue_pipelines_index/components/pipelines_artifacts.js b/app/assets/javascripts/vue_pipelines_index/components/pipelines_artifacts.js
index 3555040d60f..f18e2dfadaf 100644
--- a/app/assets/javascripts/vue_pipelines_index/components/pipelines_artifacts.js
+++ b/app/assets/javascripts/vue_pipelines_index/components/pipelines_artifacts.js
@@ -21,6 +21,7 @@ export default {
         <li v-for="artifact in artifacts">
           <a
             rel="nofollow"
+            download
             :href="artifact.path">
             <i class="fa fa-download" aria-hidden="true"></i>
             <span>Download {{artifact.name}} artifacts</span>
diff --git a/app/assets/stylesheets/framework/nav.scss b/app/assets/stylesheets/framework/nav.scss
index 0e09638a8cc..e6d808717f3 100644
--- a/app/assets/stylesheets/framework/nav.scss
+++ b/app/assets/stylesheets/framework/nav.scss
@@ -146,6 +146,10 @@
       display: block;
     }
 
+    &.scrolling-tabs {
+      float: left;
+    }
+
     li a {
       padding: 16px 15px 11px;
     }
@@ -480,6 +484,10 @@
 .inner-page-scroll-tabs {
   position: relative;
 
+  .nav-links {
+    padding-bottom: 1px;
+  }
+
   .fade-right {
     @include fade(left, $white-light);
     right: 0;
diff --git a/app/controllers/profiles/accounts_controller.rb b/app/controllers/profiles/accounts_controller.rb
index 69959fe3687..7d1aa8d1ce0 100644
--- a/app/controllers/profiles/accounts_controller.rb
+++ b/app/controllers/profiles/accounts_controller.rb
@@ -1,11 +1,22 @@
 class Profiles::AccountsController < Profiles::ApplicationController
+  include AuthHelper
+
   def show
     @user = current_user
   end
 
   def unlink
     provider = params[:provider]
-    current_user.identities.find_by(provider: provider).destroy unless provider.to_s == 'saml'
+    identity = current_user.identities.find_by(provider: provider)
+
+    return render_404 unless identity
+
+    if unlink_allowed?(provider)
+      identity.destroy
+    else
+      flash[:alert] = "You are not allowed to unlink your primary login account"
+    end
+
     redirect_to profile_account_path
   end
 end
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 612d69cf557..4a579601785 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -6,45 +6,19 @@ class SearchController < ApplicationController
   layout 'search'
 
   def show
-    if params[:project_id].present?
-      @project = Project.find_by(id: params[:project_id])
-      @project = nil unless can?(current_user, :download_code, @project)
-    end
+    search_service = SearchService.new(current_user, params)
 
-    if params[:group_id].present?
-      @group = Group.find_by(id: params[:group_id])
-      @group = nil unless can?(current_user, :read_group, @group)
-    end
+    @project = search_service.project
+    @group = search_service.group
 
     return if params[:search].blank?
 
     @search_term = params[:search]
 
-    @scope = params[:scope]
-    @show_snippets = params[:snippets].eql? 'true'
-
-    @search_results =
-      if @project
-        unless %w(blobs notes issues merge_requests milestones wiki_blobs
-                  commits).include?(@scope)
-          @scope = 'blobs'
-        end
-
-        Search::ProjectService.new(@project, current_user, params).execute
-      elsif @show_snippets
-        unless %w(snippet_blobs snippet_titles).include?(@scope)
-          @scope = 'snippet_blobs'
-        end
-
-        Search::SnippetService.new(current_user, params).execute
-      else
-        unless %w(projects issues merge_requests milestones).include?(@scope)
-          @scope = 'projects'
-        end
-        Search::GlobalService.new(current_user, params).execute
-      end
-
-    @search_objects = @search_results.objects(@scope, params[:page])
+    @scope = search_service.scope
+    @show_snippets = search_service.show_snippets?
+    @search_results = search_service.search_results
+    @search_objects = search_service.search_objects
 
     check_single_commit_result
   end
diff --git a/app/helpers/auth_helper.rb b/app/helpers/auth_helper.rb
index 1ee6c1d3afa..101fe579da2 100644
--- a/app/helpers/auth_helper.rb
+++ b/app/helpers/auth_helper.rb
@@ -76,5 +76,9 @@ module AuthHelper
       (current_user.otp_grace_period_started_at + current_application_settings.two_factor_grace_period.hours) < Time.current
   end
 
+  def unlink_allowed?(provider)
+    %w(saml cas3).exclude?(provider.to_s)
+  end
+
   extend self
 end
diff --git a/app/models/project_services/jira_service.rb b/app/models/project_services/jira_service.rb
index eef403dba92..3b90fd1c2c7 100644
--- a/app/models/project_services/jira_service.rb
+++ b/app/models/project_services/jira_service.rb
@@ -62,7 +62,7 @@ class JiraService < IssueTrackerService
   def help
     "You need to configure JIRA before enabling this service. For more details
     read the
-    [JIRA service documentation](#{help_page_url('project_services/jira')})."
+    [JIRA service documentation](#{help_page_url('user/project/integrations/jira')})."
   end
 
   def title
diff --git a/app/models/user.rb b/app/models/user.rb
index cbd741f96ed..95a766f2ede 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -635,8 +635,10 @@ class User < ActiveRecord::Base
   end
 
   def fork_of(project)
-    links = ForkedProjectLink.where(forked_from_project_id: project, forked_to_project_id: personal_projects)
-
+    links = ForkedProjectLink.where(
+      forked_from_project_id: project,
+      forked_to_project_id: personal_projects.unscope(:order)
+    )
     if links.any?
       links.first.forked_to_project
     else
diff --git a/app/services/search/global_service.rb b/app/services/search/global_service.rb
index 781cd13b44b..a3c655493a5 100644
--- a/app/services/search/global_service.rb
+++ b/app/services/search/global_service.rb
@@ -16,5 +16,9 @@ module Search
 
       Gitlab::SearchResults.new(current_user, projects, params[:search])
     end
+
+    def scope
+      @scope ||= %w[issues merge_requests milestones].delete(params[:scope]) { 'projects' }
+    end
   end
 end
diff --git a/app/services/search/project_service.rb b/app/services/search/project_service.rb
index 4b500914cfb..9a22abae635 100644
--- a/app/services/search/project_service.rb
+++ b/app/services/search/project_service.rb
@@ -12,5 +12,9 @@ module Search
                                        params[:search],
                                        params[:repository_ref])
     end
+
+    def scope
+      @scope ||= %w[notes issues merge_requests milestones wiki_blobs commits].delete(params[:scope]) { 'blobs' }
+    end
   end
 end
diff --git a/app/services/search/snippet_service.rb b/app/services/search/snippet_service.rb
index 0b3e713e220..4f161beea4d 100644
--- a/app/services/search/snippet_service.rb
+++ b/app/services/search/snippet_service.rb
@@ -11,5 +11,9 @@ module Search
 
       Gitlab::SnippetSearchResults.new(snippets, params[:search])
     end
+
+    def scope
+      @scope ||= %w[snippet_titles].delete(params[:scope]) { 'snippet_blobs' }
+    end
   end
 end
diff --git a/app/services/search_service.rb b/app/services/search_service.rb
new file mode 100644
index 00000000000..8d46a8dab3e
--- /dev/null
+++ b/app/services/search_service.rb
@@ -0,0 +1,63 @@
+class SearchService
+  include Gitlab::Allowable
+
+  def initialize(current_user, params = {})
+    @current_user = current_user
+    @params = params.dup
+  end
+
+  def project
+    return @project if defined?(@project)
+
+    @project =
+      if params[:project_id].present?
+        the_project = Project.find_by(id: params[:project_id])
+        can?(current_user, :download_code, the_project) ? the_project : nil
+      else
+        nil
+      end
+  end
+
+  def group
+    return @group if defined?(@group)
+
+    @group =
+      if params[:group_id].present?
+        the_group = Group.find_by(id: params[:group_id])
+        can?(current_user, :read_group, the_group) ? the_group : nil
+      else
+        nil
+      end
+  end
+
+  def show_snippets?
+    return @show_snippets if defined?(@show_snippets)
+
+    @show_snippets = params[:snippets] == 'true'
+  end
+
+  delegate :scope, to: :search_service
+
+  def search_results
+    @search_results ||= search_service.execute
+  end
+
+  def search_objects
+    @search_objects ||= search_results.objects(scope, params[:page])
+  end
+
+  private
+
+  def search_service
+    @search_service ||=
+      if project
+        Search::ProjectService.new(project, current_user, params)
+      elsif show_snippets?
+        Search::SnippetService.new(current_user, params)
+      else
+        Search::GlobalService.new(current_user, params)
+      end
+  end
+
+  attr_reader :current_user, :params
+end
diff --git a/app/views/layouts/header/_default.html.haml b/app/views/layouts/header/_default.html.haml
index 43abd44d89f..23abf6897d4 100644
--- a/app/views/layouts/header/_default.html.haml
+++ b/app/views/layouts/header/_default.html.haml
@@ -35,6 +35,15 @@
               %li
                 = link_to admin_root_path, title: 'Admin Area', aria: { label: "Admin Area" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
                   = icon('wrench fw')
+            - if current_user.can_create_project?
+              %li
+                = link_to new_project_path, title: 'New project', aria: { label: "New project" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
+                  = icon('plus fw')
+            - if Gitlab::Sherlock.enabled?
+              %li
+                = link_to sherlock_transactions_path, title: 'Sherlock Transactions',
+                  data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
+                  = icon('tachometer fw')
             %li
               = link_to assigned_issues_dashboard_path, title: 'Issues', aria: { label: "Issues" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
                 = icon('hashtag fw')
@@ -50,15 +59,6 @@
                 = icon('check-circle fw')
                 %span.badge.todos-count
                   = todos_count_format(todos_pending_count)
-            - if current_user.can_create_project?
-              %li
-                = link_to new_project_path, title: 'New project', aria: { label: "New project" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
-                  = icon('plus fw')
-            - if Gitlab::Sherlock.enabled?
-              %li
-                = link_to sherlock_transactions_path, title: 'Sherlock Transactions',
-                  data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
-                  = icon('tachometer fw')
             %li.header-user.dropdown
               = link_to current_user, class: "header-user-dropdown-toggle", data: { toggle: "dropdown" } do
                 = image_tag avatar_icon(current_user, 26), width: 26, height: 26, class: "header-user-avatar"
diff --git a/app/views/notify/project_was_exported_email.html.haml b/app/views/notify/project_was_exported_email.html.haml
index b28fea35ad5..76440926a2b 100644
--- a/app/views/notify/project_was_exported_email.html.haml
+++ b/app/views/notify/project_was_exported_email.html.haml
@@ -2,7 +2,7 @@
   Project #{@project.name} was exported successfully.
 %p
   The project export can be downloaded from:
-  = link_to download_export_namespace_project_url(@project.namespace, @project) do
+  = link_to download_export_namespace_project_url(@project.namespace, @project), rel: 'nofollow', download: '', do
     = @project.name_with_namespace + " export"
 %p
   The download link will expire in 24 hours.
diff --git a/app/views/profiles/accounts/show.html.haml b/app/views/profiles/accounts/show.html.haml
index 8a994f6d600..5ce2220c907 100644
--- a/app/views/profiles/accounts/show.html.haml
+++ b/app/views/profiles/accounts/show.html.haml
@@ -75,12 +75,12 @@
           .provider-btn-image
             = provider_image_tag(provider)
           - if auth_active?(provider)
-            - if provider.to_s == 'saml'
-              %a.provider-btn
-                Active
-            - else
+            - if unlink_allowed?(provider)
               = link_to unlink_profile_account_path(provider: provider), method: :delete, class: 'provider-btn' do
                 Disconnect
+            - else
+              %a.provider-btn
+                Active
           - else
             = link_to omniauth_authorize_path(:user, provider), method: :post, class: 'provider-btn not-active' do
               Connect
diff --git a/app/views/projects/artifacts/browse.html.haml b/app/views/projects/artifacts/browse.html.haml
index edf55d59f28..de8c173f26f 100644
--- a/app/views/projects/artifacts/browse.html.haml
+++ b/app/views/projects/artifacts/browse.html.haml
@@ -3,7 +3,7 @@
 .top-block.row-content-block.clearfix
   .pull-right
     = link_to download_namespace_project_build_artifacts_path(@project.namespace, @project, @build),
-      class: 'btn btn-default download' do
+      rel: 'nofollow', download: '', class: 'btn btn-default download' do
       = icon('download')
       Download artifacts archive
 
diff --git a/app/views/projects/builds/_sidebar.html.haml b/app/views/projects/builds/_sidebar.html.haml
index b597c7f7a12..6f45d5b0689 100644
--- a/app/views/projects/builds/_sidebar.html.haml
+++ b/app/views/projects/builds/_sidebar.html.haml
@@ -33,7 +33,7 @@
               = link_to keep_namespace_project_build_artifacts_path(@project.namespace, @project, @build), class: 'btn btn-sm btn-default', method: :post do
                 Keep
 
-            = link_to download_namespace_project_build_artifacts_path(@project.namespace, @project, @build), class: 'btn btn-sm btn-default' do
+            = link_to download_namespace_project_build_artifacts_path(@project.namespace, @project, @build), rel: 'nofollow', download: '', class: 'btn btn-sm btn-default' do
               Download
 
             - if @build.artifacts_metadata?
diff --git a/app/views/projects/ci/builds/_build.html.haml b/app/views/projects/ci/builds/_build.html.haml
index 09286a1b3c6..aeed293a724 100644
--- a/app/views/projects/ci/builds/_build.html.haml
+++ b/app/views/projects/ci/builds/_build.html.haml
@@ -94,7 +94,7 @@
   %td
     .pull-right
       - if can?(current_user, :read_build, build) && build.artifacts?
-        = link_to download_namespace_project_build_artifacts_path(build.project.namespace, build.project, build), title: 'Download artifacts', class: 'btn btn-build' do
+        = link_to download_namespace_project_build_artifacts_path(build.project.namespace, build.project, build), rel: 'nofollow', download: '', title: 'Download artifacts', class: 'btn btn-build' do
           = icon('download')
       - if can?(current_user, :update_build, build)
         - if build.active?
diff --git a/app/views/projects/edit.html.haml b/app/views/projects/edit.html.haml
index 82e0d0025ec..b78de092a60 100644
--- a/app/views/projects/edit.html.haml
+++ b/app/views/projects/edit.html.haml
@@ -163,7 +163,7 @@
 
       - if @project.export_project_path
         = link_to 'Download export',  download_export_namespace_project_path(@project.namespace, @project),
-                method: :get, class: "btn btn-default"
+                rel: 'nofollow', download: '', method: :get, class: "btn btn-default"
         = link_to 'Generate new export',  generate_new_export_namespace_project_path(@project.namespace, @project),
                 method: :post, class: "btn btn-default"
       - else