[master] EE Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"

See merge request gitlab/gitlab-ee!726

[master] Fixed XSS in merge request approvers

Closes #353

See merge request gitlab/gitlab-ee!662

[master] Stored XSS in Operation Page

See merge request gitlab/gitlab-ee!722

[master] Authorize user when listing board resources

Closes gitlabhq#2738

See merge request gitlab/gitlab-ee!721

[master] Resolve: Guest can set weight of a new issue

See merge request gitlab/gitlab-ee!720

[master] Fix IDOR at /drafts/publish/

Closes #356

See merge request gitlab/gitlab-ee!710

[master ee] Fixed ability to comment on and edit/delete comments on locked or confidential issues

See merge request gitlab/gitlab-ee!739

When creating comments, sending different noteable IDs for target_id and
note[:noteable_id] would allow you to bypass comment creation security
if the user had creation permissions for target_id. The comment would be
created in note[:noteable_id].

Also made it so that users cannot edit/delete their comments on a
noteable that becomes unreadable to them (if it gets flagged
confidential and they don't have read access for example)

[ci skip]

[ci skip]

[ci skip]

[ci skip]

[ci skip]

[ci skip]

Changes the delete custom metric alert

Closes #4940

See merge request gitlab-org/gitlab-ee!8430

Resolve "Maven package permissions option wrongly available in Starter"

Closes #8316

See merge request gitlab-org/gitlab-ee!8270

Merge branch '8581-geo-the-geo-nodes-admin-page-display-secondary-database-state-incorrectly' into 'master'

Rails 5: Fix the check whether the database is in read-only mode

Closes #8581

See merge request gitlab-org/gitlab-ee!8594

Merge branch '8583-rails5-gitlab-database-loadbalancing-caught_up-returns-state-incorrectly' into 'master'

Raisl 5: Fix Gitlab::Database::LoadBalancing#caught_up? check

Closes #8583

See merge request gitlab-org/gitlab-ee!8595

Extracts EE specific Sidekiq queue config to a new file

See merge request gitlab-org/gitlab-ee!8470

CE upstream - 2018-11-26 16:21 UTC

See merge request gitlab-org/gitlab-ee!8592

Rails 5 returns true/false instead of a string 't' or 'f'.

Rails 5 returns true/false instead of a string 't' or 'f'.

Enable some frozen string in ee/app

See merge request gitlab-org/gitlab-ee!8580

CE upstream - 2018-11-26 14:21 UTC

See merge request gitlab-org/gitlab-ee!8588

i18n: externalize strings from 'app/views/layouts'

See merge request gitlab-org/gitlab-ee!8587

CE port of "Move merge request approval settings"

See merge request gitlab-org/gitlab-ce!23157

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

# Conflicts:
#	locale/gitlab.pot

[ci skip]

[EE] i18n: externalize strings from 'app/views/shared/members'

See merge request gitlab-org/gitlab-ee!8474

Update externalized strings from `/app/views/project/runners`

See merge request gitlab-org/gitlab-ce!23347

i18n: externalize strings from 'app/views/shared/members'

See merge request gitlab-org/gitlab-ce!23125

Signed-off-by: Tao Wang <twang2218@gmail.com>

Packages feature is only available in Premium so we should not show this
feature in settings and navigation
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

CE upstream - 2018-11-26 13:21 UTC

See merge request gitlab-org/gitlab-ee!8586