Signed-off-by: Rémy Coutable <remy@rymai.me>

Signed-off-by: Rémy Coutable <remy@rymai.me>

Filter `incoming_email_token` and `runners_token` parameters

Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676

See merge request !2045
Signed-off-by: Rémy Coutable <remy@rymai.me>

Issue#visible_to_user moved to IssuesFinder

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.

See merge request !2039
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix missing Note access checks in by moving Note#search to updated NoteFinder

See merge request !2035
Signed-off-by: Rémy Coutable <remy@rymai.me>

API: Memoize the current_user so that the sudo can work properly

Closes #25482

See merge request !8017
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]

Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin.

Closes #24537

See merge request !7615
Signed-off-by: Rémy Coutable <remy@rymai.me>

Make the `downtime_check` task happy

See merge request !7845
Signed-off-by: Rémy Coutable <remy@rymai.me>

Replace MR access checks with use of MergeRequestsFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
✅ - Permissions check tested

### MR lookup from project

- [x] 💣  app/finders/notes_finder.rb:17
- [x] ⚠  app/views/layouts/nav/_project.html.haml:80 [`.count`]
- [x] 💣  app/controllers/concerns/creates_commit.rb:84
- [x] 🚥  app/controllers/projects/commits_controller.rb:24
- [x] 🚥  app/controllers/projects/compare_controller.rb:56
- [x] 🚦  app/controllers/projects/discussions_controller.rb:29
- [x] ✅  app/controllers/projects/todos_controller.rb:27
- [x] 🚦  app/models/commit.rb:268
- [x] ✅ lib/gitlab/search_results.rb:71

### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize ` merged_merge_request(current_user)`
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use  of unchecked `merged_merge_request?`

See merge request !2033

[ci skip]

Create tag after running pre-hooks and pass updated SHA to post-hooks

Closes #24813

See merge request !7700
Signed-off-by: Rémy Coutable <remy@rymai.me>

Ensure state param has a valid value when filtering issuables.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064

This fix makes sure we only call safe methods on issuable when filtering by state.

See merge request !2038

[ci skip]

Update grape-entity to 0.6.0

See merge request !7491
Signed-off-by: Rémy Coutable <remy@rymai.me>

Replace issue access checks with use of IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

⚠ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested

Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

- [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
- [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
- [x] ✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
- [x] ✅ lib/api/issues.rb:112 [`visible_to_user`]
  - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
- [x] ✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
- [x] ✅ lib/gitlab/search_results.rb:53 [`visible_to_user`]

- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
- [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

See merge request !2031
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix missing access checks on issue lookup using IssuableFinder

Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

## Which fixes are in this MR?

⚠ - Potentially untested  
💣 - No test coverage  
🚥 - Test coverage of some sort exists (a test failed when error raised)  
🚦 - Test coverage of return value (a test failed when nil used)  
✅ - Permissions check tested

### Issue lookup without access check (security)

- [x] ✅ app/controllers/projects/branches_controller.rb:39
  - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with
    confidential issues, issues only visible to team, etc.
- [x] 🚥 app/models/cycle_analytics/summary.rb:9 [`.count`] 
- [x] ✅ app/controllers/projects/todos_controller.rb:19

### Code smells
- [x] Potential double render in app/controllers/projects/todos_controller.rb

### Previous discussions
- https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

See merge request !2030

Fix information disclosure in `Projects::BlobController#update`

## What does this MR do?

It was possible to discover private project names by modifying `from_merge_request`parameter in `Projects::BlobController#update`. This fixes that.

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ce/issues/22869

See merge request !2023
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix label creation non members

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416

See merge request !2006

500 error on project show when user is not logged in and project is still empty

## What does this MR do?

Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show

## Screenshots (if relevant)
When the project is empty and the user is not logged in we default to the empty project partial instead of readme.

![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png)

## Does this MR meet the acceptance criteria?

- [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

## What are the relevant issue numbers?

Closes #23990

See merge request !7376

Backport JIRA api docs to 8-13-stable

We need to backport the JIRA API docs that were until recently on
master to 8-13-stable also. With 8.14 we simplified the way JIRA is
configured and we need a link to point to the old docs.
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471

See merge request !7677

[ci skip]

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]

Allow commit note to be visible if repo is visible

## What does this MR do?

It enforces the `:download_code` permission in `Event#visible_to_user?` for commit notes.

Closes #23824

See merge request !7504

Limit labels returned for a specific project as an administrator

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/24527

See merge request !7496

Signed-off-by: Rémy Coutable <remy@rymai.me>

Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`

## What does this MR do?

Move the `objects` method to `LfsHelper` so that it is also available to `LfsStorageController`

It is needed for the `lfs_check_access!` callback when the repository size limit is enabled (EE only).

cc @stanhu @ahanselka 

## Why was this MR needed?

Errors shown here: gitlab-org/gitlab-ce#24392

Discovered thanks to gitlab-com/infrastructure#302

## What are the relevant issue numbers?

Fixes #24392 

Fixes gitlab-com/support-forum#1280

See merge request !7417

Ensure labels are loaded for all "show" methods of MR Controller

Closes #24397

See merge request !7416

Fix cache for commit status in commits list to respect branches

Fix cache for commit status in commits list to respect branches

Closes #24324

See merge request !7372

Clicking "force remove source branch" label now toggles the checkbox again

We remove the ID from the hidden tag for `merge_request[force_remove_source_branch]`
in order to fix the checkbox toggling when the associated label is clicked.

The issue was introduced by !7267 and discovered in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7267#note_18028311.

See merge request !7356

Split out markdown cache storage into a separate method

See merge request !7277

Fix no "Register" tab if ldap auth is enabled (#24038)

Closes #24038

See merge request !7274

Fix project Visibility level selector not using default values

closes #20245

See merge request !7264

Fix relative links in Markdown wiki when displayed in "Project" tab

Refers to #23806

See merge request !7218