Update grape-entity to 0.6.0

See merge request !7491
Signed-off-by: Rémy Coutable <remy@rymai.me>

Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] ✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] ✅ lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] ✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] ✅ lib/gitlab/search_results.rb:53 [`visible_to_user`]

- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
✅ - Permissions check tested

### Issue lookup without access check (security)

- [x] ✅ app/controllers/projects/branches_controller.rb:39
  - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
    confidential issues, issues only visible to team, etc.
- [x] 🚥 app/models/cycle_analytics/summary.rb:9 [`.count`] 
- [x] ✅ app/controllers/projects/todos_controller.rb:19

### Code smells
- [x] Potential double render in app/controllers/projects/todos_controller.rb

### Previous discussions
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030

Fix information disclosure in `Projects::BlobController#update`

## What does this MR do?

It was possible to discover private project names by modifying `from_merge_request`parameter in `Projects::BlobController#update`. This fixes that.

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ce/issues/22869

See merge request !2023
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix label creation non members

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416

See merge request !2006

500 error on project show when user is not logged in and project is still empty

## What does this MR do?

Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show

## Screenshots (if relevant)
When the project is empty and the user is not logged in we default to the empty project partial instead of readme.

![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png)

## Does this MR meet the acceptance criteria?

- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

Closes #23990

See merge request !7376

Backport JIRA api docs to 8-13-stable

We need to backport the JIRA API docs that were until recently on
master to 8-13-stable also. With 8.14 we simplified the way JIRA is
configured and we need a link to point to the old docs.
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471

See merge request !7677

[ci skip]

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]

Allow commit note to be visible if repo is visible

## What does this MR do?

It enforces the `:download_code` permission in `Event#visible_to_user?` for commit notes.

Closes #23824

See merge request !7504

Limit labels returned for a specific project as an administrator

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/24527

See merge request !7496

Signed-off-by: Rémy Coutable <remy@rymai.me>

Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`

## What does this MR do?

Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`

It is needed for the `lfs_check_access!` callback when the repository size limit is enabled (EE only).

cc @stanhu @ahanselka 

## Why was this MR needed?

Errors shown here: gitlab-org/gitlab-ce#24392

Discovered thanks to gitlab-com/infrastructure#302

## What are the relevant issue numbers?

Fixes #24392 

Fixes gitlab-com/support-forum#1280

See merge request !7417

Ensure labels are loaded for all "show" methods of MR Controller

Closes #24397

See merge request !7416

Fix cache for commit status in commits list to respect branches

Fix cache for commit status in commits list to respect branches

Closes #24324

See merge request !7372

Clicking "force remove source branch" label now toggles the checkbox again

We remove the ID from the hidden tag for `merge_request[force_remove_source_branch]`
in order to fix the checkbox toggling when the associated label is clicked.

The issue was introduced by !7267 and discovered in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7267#note_18028311.

See merge request !7356

Split out markdown cache storage into a separate method

See merge request !7277

Fix no "Register" tab if ldap auth is enabled (#24038)

Closes #24038

See merge request !7274

Fix project Visibility level selector not using default values

closes #20245

See merge request !7264

Fix relative links in Markdown wiki when displayed in "Project" tab

Refers to #23806

See merge request !7218

Add test for refs dropdown selection with special chars

## What does this MR do?

## Are there points in the code the reviewer needs to double check?

## Why was this MR needed?

## Screenshots (if relevant)

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

See merge request !7175

Milestone dropdown does not stay selected

Closes #23713

See merge request !7117
Signed-off-by: Rémy Coutable <remy@rymai.me>

Account for fixed position MR when scrolling to elements

This MR accounts for the new merge request fixed affix bar when scrolling to an element on the MR page.

The fixed MR tabs bar was not being taken into account when shifting permalink scroll targets so that they are unobscured by navigation elements.

Closes #23520

See merge request !7051
Signed-off-by: Rémy Coutable <remy@rymai.me>

Omniauth auto link LDAP user falls back to find by DN when user cannot be found by uid

Unfortunately, SAML IDs can be an LDAP UID, DN, or something else entirely. UID and DN are most common, though. This adds a fallback scenario so we first try to find a matching LDAP user by UID, then by DN. This will fix a problem for the customer in https://gitlab.zendesk.com/agent/tickets/43298

See merge request !7002

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Restore unauthenticated access to public container registries

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24284

/cc @stanhu @kamil @pablo

See merge request !2025

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix for HackerOne XSS vulnerability in markdown

This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153

See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fixups to "Round-robin repository storage"

## What does this MR do?

* Simplifies a method in application_settings.rb
* Correctly marks a migration as needing downtime
* Documents the requirement for renamed columns to be 

## Are there points in the code the reviewer needs to double check?

Should any of these changes be split out? Ideally we'd get this into the same point release as !7273

## Why was this MR needed?

Post-facto review of !7273

## Screenshots (if relevant)

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- [X] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [X] API support added
- Tests
  - [X] Added for this feature/bug
  - [x] All builds are passing
- [X] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

Related to #24059

/cc @yorickpeterse @rspeicher

See merge request !7287

Show pipeline status from branch and commit than only commit

Closes #23615

See merge request !7034
Signed-off-by: Rémy Coutable <remy@rymai.me>

Resolve "Introduce round-robin project creation to spread load over multiple shards"

Allow multiple shards to be enabled in the admin settings page, balancing project creation across all enabled shards.

* `f.select ..., multiple: true` isn't the most beautiful UI in the world, but switching to `collection_check_boxes` (or a facsimile thereof) isn't trivial
* Should `pick_repository_storage` be a method of `ApplicationSetting`, or `Project`? It's going to accrete logic over time so perhaps it should be its own class already?
* This is written to avoid the need for a database migration, so it is`serialize :repository_storage` without `, Array`. This is tested, but alternatives include:
  * Add a database migration
  * Write a custom Coder that will accept a String or Array in `load` and always `dump an Array.

Closes #24059

See merge request !7273
Signed-off-by: Rémy Coutable <remy@rymai.me>

See merge request !7014
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix lightweight tags not processed correctly by GitTagPushService

Closes #22271

See merge request !6532
Signed-off-by: Rémy Coutable <remy@rymai.me>