[ci skip]

Upgrade Rails to 4.2.7.1 for security fixes.

Upgrades Rails from 4.2.7 to 4.2.7.1 for security fixes.

For more information: http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/

This should be backported to all currently-supported releases.

See merge request !5781

Fix problems with events under notes importing GitLab projects

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19588

See merge request !5154
(cherry picked from commit 734e44ee)

Fix commit avatar alignment in compare view

Closes #19567

See merge request !5128
(cherry picked from commit df49492f)

Fix log statements in import/export

Fixes - as seen in the logs:
```
Import/Export error raised on /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/import_export/file_importer.rb:19:in `rescue in import': undefined method `message' for #<String:0x007fc45e977e10>
```

See merge request !5129
(cherry picked from commit 3c89a788)

Fix broken migration in MySQL

`keys` is a reserved name in MySQL, so if this migration actually attempted to remove any duplicate keys it would fail.

Closes #19344

See merge request !5005
(cherry picked from commit e82c72d1)

Add more debug info to import/export and memory killer

This should help debug https://gitlab.com/gitlab-org/gitlab-ce/issues/19124 further

See merge request !5108
(cherry picked from commit b73da895)

Fix diff comments not showing up in activity feed

## What does this MR do?

It fixes the detection of note events to check for `Note` and `LegacyDiffNote`.

## Are there points in the code the reviewer needs to double check?

No? /cc @DouweM (since I believe you introduced `LegacyDiffNote`

## Why was this MR needed?

To fix #19092.

## What are the relevant issue numbers?

Fixes #19092.

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5069
(cherry picked from commit b5b17d00)

Add index on both Award Emoji user and name

See merge request !5061
(cherry picked from commit c85092ac)

Downgrade to Redis 3.2.2 due to massive memory leak with Sidekiq

This affects GitLab 8.8 and 8.9. See:

* https://github.com/mperham/sidekiq/blob/master/Changes.md#413
* https://gitlab.com/gitlab-org/gitlab-ce/issues/19441

See merge request !5056
(cherry picked from commit 4b0bd4f8)

Renable import button when import process fail due to the namespace already been taken

Closes #19435

## Screenshots (if relevant)

Before:

![1](/uploads/e8de1b326e0751891f667630a7685f6a/1.png)<br/><br/>

After:

![2](/uploads/566f1fd5442c28232350689fce8eae76/2.png)

See merge request !5053
(cherry picked from commit d6efef0f)

Fix snippets comments not displayed

## What does this MR do?

Fix an issue where comments body were not displayed for project snippets anymore (see commit for details).

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

Because of #19388.

## What are the relevant issue numbers?

Fixes #19388.

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5045
(cherry picked from commit b2273559)

Fix emoji paths in relative root configurations

## What does this MR do?

If a site specifies a relative URL root, emoji files would omit the path from the URL, leading to lots of 404s.

## Are there points in the code the reviewer needs to double check?

At first, I tried to use `ActionView::Helpers::AssetUrlHelper.asset_url` since this is what it's intended to do. But this helper function is extremely slow, and it took minutes to generate the URLs for the hundreds of links needed for each emoji.

## Why was this MR needed?

Because emojis were broken in relative URL installations

## What are the relevant issue numbers?

#15642

## Does this MR meet the acceptance criteria?

- [X] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [X] Added for this feature/bug
  - [x] All builds are passing
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5027
(cherry picked from commit 88dbc4d1)

Fixing problems with events for import/export

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19202

A couple of issues related to target being missing in exported `Events` (as being polymorphic and not have `ActiveRecord` relationships is a bit more tricky than normal models) plus as the export was in JSON, the import retrieves hashed fields as stringified hashes and not symbolized - so fixed that as well, which was the cause of https://gitlab.com/gitlab-org/gitlab-ce/issues/19202

Also fixed / refactored tests
:simpl
Import/Export Version has been bumped to 0.1.1 as theses changes to events won't work very well with old exports - forcing users to generate a new export in the new version.

See merge request !4987
(cherry picked from commit c368cb60)

Fixed 'use shortcuts' button on docs

## What does this MR do?

Exposes 'onToggleHelp() to window object through `showHelp()` so a help panel can be toggled globally using `showHelp()`.

## Are there points in the code the reviewer needs to double check?

Is this the best implementation? I actually think this is tidier than doing something like `onclick="new Shortcuts().onToggleHelp"` or `$.trigger 'keydown', char: '?'` but let me know.

## Why was this MR needed?

Docs UX

## What are the relevant issue numbers?

Closes #19157.

## Screenshots (if relevant)

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
Closes #19157

See merge request !4979
(cherry picked from commit 48843c0d)

Admin should be able to turn shared runners into specific ones:

## What does this MR do?

Make sure admins could turn shared runners into specific runners.

## Are there points in the code the reviewer needs to double check?

Is this the desired behaviour?

## Why was this MR needed?

Closes #19039
Closes #19272

![Screen_Shot_2016-06-30_at_9.30.05_PM](/uploads/97eb3b4923fd4e498b1f8ca70b1345c8/Screen_Shot_2016-06-30_at_9.30.05_PM.png)

See merge request !4961
(cherry picked from commit b569f842)

Update RedCloth to 4.3.2 for CVE-2012-6684

## What does this MR do?

To fix XSS (CVE-2012-6684), upgrade RedCloth to 4.3.2.

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

Security vulnerability in RedCloth (CVE-2012-6684) should be fixed to provide GitLab as a secure software.

## What are the relevant issue numbers?

Closes #19169

cf. !2037, !2071

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [n/a] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [n/a] API support added
- Tests
  - [n/a] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4929
(cherry picked from commit 95336861)

Improve the request / withdraw access button

It implements the design proposed in #18310.

No.

To close #18310.

Closes #18310.

| Medium | Large |
| ----------- | ------- |
| ![request_access_button](/uploads/a1de370dcbb8ac9a63d2df5c68591db7/request_access_button.png) | ![request_access_button-large](/uploads/0a1c70380268e620a6ca4d3e1661d58c/request_access_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![withdraw_access_request_button](/uploads/c9df39d04b61566ec143d5e9cc43ada2/withdraw_access_request_button.png) | ![withdraw_access_request_button-large](/uploads/10fdaa94d72956e06bdb995e65b51472/withdraw_access_request_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![request_access_button](/uploads/8e71395041a5cea996a35df2083bb723/request_access_button.png) | ![project-request_access_button-large](/uploads/adb2dec0eccec8e5171dc0e26e6b03a6/project-request_access_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![withdraw_access_request_button](/uploads/12be06f0a2bf9426a5e043f52c4d1dab/withdraw_access_request_button.png) | ![project-withdraw_access_request_button-large](/uploads/93fda7767ee5f02186c4c954ea346254/project-withdraw_access_request_button-large.png) |

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- Tests
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4860
(cherry picked from commit c578fb06)

Merge branch 'doc-mysql-priv' into 'master'

## What does this MR do?

Update missing mysql user permissions.

## Why was this MR needed?

This should also be in the `8-9-stable` branch.


See merge request !5086

Add missing privileges to MySQL database

Closes gitlab-org/gitlab-ce#19321

See merge request !5079

Updated breakpoint for sidebar pinning

Updates the breakpoint for sidebar pinning to 1024px.

Think we will have the same issue as before when picking into stable with `$window` not being defined.

See merge request !5019
(cherry picked from commit c5d164d1)

Expiry date on pinned nav cookie

Adds an expiry date far into the future for the pinned nav cookie so that it survives logout & browser closing.

See merge request !5009
(cherry picked from commit 73196fbd)

Handle external issues in IssueReferenceFilter

Rendering issue references such as `#1` was broken for projects using an external issues tracker.

See gitlab-org/gitlab-ce#19036

See merge request !4988
(cherry picked from commit 6e82c0e0)

Fix restore warning message

## What does this MR do?

Fix the restore Rake task so it properly outputs the database warning. This is a pretty important warning and it was not even being output. After this fix, the output looks like the screenshot below.

![Screen_Shot_2016-06-28_at_3.53.46_PM](/uploads/d250189d39fcacd0c8ec0aacf9cd930d/Screen_Shot_2016-06-28_at_3.53.46_PM.png)

See merge request !4980
(cherry picked from commit 0144dce7)

Do not show build retry link when build is active

Closes #19244

See merge request !4967
(cherry picked from commit dc2d0051)

Fixed comit avatar alignment

## What does this MR do?

Fixes the alignment of the avatar on https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG

Also fixes potential issues in other places.

## Screenshots (if relevant)

![Screen_Shot_2016-06-27_at_10.58.26](/uploads/fa4f50cfc30a870422d1afa63a4331d1/Screen_Shot_2016-06-27_at_10.58.26.png)![Screen_Shot_2016-06-27_at_10.58.35](/uploads/bd7dc3cf77464c1775fabb45b8079f02/Screen_Shot_2016-06-27_at_10.58.35.png)

See merge request !4933
(cherry picked from commit 8cada02d)

Fixed URL on label button when filtering

## What does this MR do?

Gives the filtered labels the correct URL. Previously they tried to link to `labels#show` whereas now it links to the correct filter path.

## What are the relevant issue numbers?

Closes #19005

See merge request !4897
(cherry picked from commit d3d9df5a)

File Browser navigation fixes

Fixes a double request being made when clicking the file name when navigating through file browser and also fixes opening a file in a new tab or when doing ctrl + click.

Closes #19050

**Before**

![navigation-old](/uploads/f9a40c91e430e31beae3a896cffb1c68/navigation-old.gif)

**After**

![navigation](/uploads/dec9b43894c00cc09d80d19c83506530/navigation.gif)

See merge request !4891
(cherry picked from commit b32a6add)

Resolve "Sub nav isn't showing on file view"

## What does this MR do?
Adds subnav to `Repository` > `File` view

## What are the relevant issue numbers?
Closes #19003
Part of #18844

## Screenshots (if relevant)
![Screen_Shot_2016-06-23_at_5.33.05_PM](/uploads/aa6993b2376dbe454af87d852aa74f5e/Screen_Shot_2016-06-23_at_5.33.05_PM.png)

cc @dzaporozhets

See merge request !4890
(cherry picked from commit 2efee5f6)

Fixed search field blur not removing focus

## What does this MR do?

Adds a blur event to remove focus styling from the search input.

Any particular reason we were looking for clicks on the document? I can't see why we would be.

## What are the relevant issue numbers?

Closes #18670

## Screenshots (if relevant)

![tab](/uploads/4c74d4f76ec7b45bfcf581606d2defb5/tab.gif)

See merge request !4704
(cherry picked from commit c051630a)

Ensure logged-out users can't see private refs

https://gitlab.com/gitlab-org/gitlab-ce/issues/18033

I'm still not sure what to do about the CHANGELOG on security issues - should I add to a patch release? This issue was assigned to 8.10.

See merge request !1974
(cherry picked from commit 3a6ebb1f)

Fix privilege escalation issue with OAuth external users

Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/19312

This MR fixes a privilege escalation issue, where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.

/cc @douwe

See merge request !1975
(cherry picked from commit 5e6342b7)

Use update_columns to by_pass all the dirty code on active_record

See merge request !4985
(cherry picked from commit ad09fcb5)

Reduce overhead and optimize ProjectTeam#max_member_access performance

See merge request !4973
(cherry picked from commit d33991f8)