Allow the Rails cookie to be used for API authentication

Makes the Rails cookie into a valid authentication token for the Grape
API, and uses it instead of token authentication in frontend code that
uses the API.

Rendering the private token into client-side javascript is a security
risk; it may be stolen through XSS or other attacks. In general,
re-using API code in the frontend is more desirable than implementing
endless actions that return JSON.

Closes #18302

See merge request !1995

Signed-off-by: Rémy Coutable <remy@rymai.me>

Signed-off-by: Rémy Coutable <remy@rymai.me>

Exclude some pending or inactivated rows in Member scopes

An unapproved request or not-yet-accepted invite should not give access rights. Neither should a blocked user be considered a member of anything.

One visible outcome of this behaviour is that owners and masters of a group or project may be blocked, yet still receive notification emails for access requests.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21650



See merge request !1994

Signed-off-by: Rémy Coutable <remy@rymai.me>

Update doorkeeper to 4.2.0

Changelog: https://git.io/v6PnV

See merge request !5881

(cherry picked from commit c5aa31c8)

Set permissions to admin for importing a project via Import/Export

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/20802

In order to import a project, it is now required to be an admin

Moved from https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5766

See merge request !1983
(cherry picked from commit 966b3038)

[ci skip]

Upgrade Rails to 4.2.7.1 for security fixes.

Upgrades Rails from 4.2.7 to 4.2.7.1 for security fixes.

For more information: http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/

This should be backported to all currently-supported releases.

See merge request !5781

Fix problems with events under notes importing GitLab projects

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19588

See merge request !5154
(cherry picked from commit 734e44ee)

Fix commit avatar alignment in compare view

Closes #19567

See merge request !5128
(cherry picked from commit df49492f)

Fix log statements in import/export

Fixes - as seen in the logs:
```
Import/Export error raised on /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/import_export/file_importer.rb:19:in `rescue in import': undefined method `message' for #<String:0x007fc45e977e10>
```

See merge request !5129
(cherry picked from commit 3c89a788)

Fix broken migration in MySQL

`keys` is a reserved name in MySQL, so if this migration actually attempted to remove any duplicate keys it would fail.

Closes #19344

See merge request !5005
(cherry picked from commit e82c72d1)

Add more debug info to import/export and memory killer

This should help debug https://gitlab.com/gitlab-org/gitlab-ce/issues/19124 further

See merge request !5108
(cherry picked from commit b73da895)

Fix diff comments not showing up in activity feed

## What does this MR do?

It fixes the detection of note events to check for `Note` and `LegacyDiffNote`.

## Are there points in the code the reviewer needs to double check?

No? /cc @DouweM (since I believe you introduced `LegacyDiffNote`

## Why was this MR needed?

To fix #19092.

## What are the relevant issue numbers?

Fixes #19092.

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5069
(cherry picked from commit b5b17d00)

Add index on both Award Emoji user and name

See merge request !5061
(cherry picked from commit c85092ac)

Downgrade to Redis 3.2.2 due to massive memory leak with Sidekiq

This affects GitLab 8.8 and 8.9. See:

* https://github.com/mperham/sidekiq/blob/master/Changes.md#413
* https://gitlab.com/gitlab-org/gitlab-ce/issues/19441

See merge request !5056
(cherry picked from commit 4b0bd4f8)

Renable import button when import process fail due to the namespace already been taken

Closes #19435

## Screenshots (if relevant)

Before:

![1](/uploads/e8de1b326e0751891f667630a7685f6a/1.png)<br/><br/>

After:

![2](/uploads/566f1fd5442c28232350689fce8eae76/2.png)

See merge request !5053
(cherry picked from commit d6efef0f)

Fix snippets comments not displayed

## What does this MR do?

Fix an issue where comments body were not displayed for project snippets anymore (see commit for details).

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

Because of #19388.

## What are the relevant issue numbers?

Fixes #19388.

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5045
(cherry picked from commit b2273559)

Fix emoji paths in relative root configurations

## What does this MR do?

If a site specifies a relative URL root, emoji files would omit the path from the URL, leading to lots of 404s.

## Are there points in the code the reviewer needs to double check?

At first, I tried to use `ActionView::Helpers::AssetUrlHelper.asset_url` since this is what it's intended to do. But this helper function is extremely slow, and it took minutes to generate the URLs for the hundreds of links needed for each emoji.

## Why was this MR needed?

Because emojis were broken in relative URL installations

## What are the relevant issue numbers?

#15642

## Does this MR meet the acceptance criteria?

- [X] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [X] Added for this feature/bug
  - [x] All builds are passing
- [X] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [X] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [X] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !5027
(cherry picked from commit 88dbc4d1)

Fixing problems with events for import/export

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19202

A couple of issues related to target being missing in exported `Events` (as being polymorphic and not have `ActiveRecord` relationships is a bit more tricky than normal models) plus as the export was in JSON, the import retrieves hashed fields as stringified hashes and not symbolized - so fixed that as well, which was the cause of https://gitlab.com/gitlab-org/gitlab-ce/issues/19202

Also fixed / refactored tests
:simpl
Import/Export Version has been bumped to 0.1.1 as theses changes to events won't work very well with old exports - forcing users to generate a new export in the new version.

See merge request !4987
(cherry picked from commit c368cb60)

Fixed 'use shortcuts' button on docs

## What does this MR do?

Exposes 'onToggleHelp() to window object through `showHelp()` so a help panel can be toggled globally using `showHelp()`.

## Are there points in the code the reviewer needs to double check?

Is this the best implementation? I actually think this is tidier than doing something like `onclick="new Shortcuts().onToggleHelp"` or `$.trigger 'keydown', char: '?'` but let me know.

## Why was this MR needed?

Docs UX

## What are the relevant issue numbers?

Closes #19157.

## Screenshots (if relevant)

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
Closes #19157

See merge request !4979
(cherry picked from commit 48843c0d)

Admin should be able to turn shared runners into specific ones:

## What does this MR do?

Make sure admins could turn shared runners into specific runners.

## Are there points in the code the reviewer needs to double check?

Is this the desired behaviour?

## Why was this MR needed?

Closes #19039
Closes #19272

![Screen_Shot_2016-06-30_at_9.30.05_PM](/uploads/97eb3b4923fd4e498b1f8ca70b1345c8/Screen_Shot_2016-06-30_at_9.30.05_PM.png)

See merge request !4961
(cherry picked from commit b569f842)

Update RedCloth to 4.3.2 for CVE-2012-6684

## What does this MR do?

To fix XSS (CVE-2012-6684), upgrade RedCloth to 4.3.2.

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

Security vulnerability in RedCloth (CVE-2012-6684) should be fixed to provide GitLab as a secure software.

## What are the relevant issue numbers?

Closes #19169

cf. !2037, !2071

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [n/a] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [n/a] API support added
- Tests
  - [n/a] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4929
(cherry picked from commit 95336861)

Improve the request / withdraw access button

It implements the design proposed in #18310.

No.

To close #18310.

Closes #18310.

| Medium | Large |
| ----------- | ------- |
| ![request_access_button](/uploads/a1de370dcbb8ac9a63d2df5c68591db7/request_access_button.png) | ![request_access_button-large](/uploads/0a1c70380268e620a6ca4d3e1661d58c/request_access_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![withdraw_access_request_button](/uploads/c9df39d04b61566ec143d5e9cc43ada2/withdraw_access_request_button.png) | ![withdraw_access_request_button-large](/uploads/10fdaa94d72956e06bdb995e65b51472/withdraw_access_request_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![request_access_button](/uploads/8e71395041a5cea996a35df2083bb723/request_access_button.png) | ![project-request_access_button-large](/uploads/adb2dec0eccec8e5171dc0e26e6b03a6/project-request_access_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![withdraw_access_request_button](/uploads/12be06f0a2bf9426a5e043f52c4d1dab/withdraw_access_request_button.png) | ![project-withdraw_access_request_button-large](/uploads/93fda7767ee5f02186c4c954ea346254/project-withdraw_access_request_button-large.png) |

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- Tests
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4860
(cherry picked from commit c578fb06)

Merge branch 'doc-mysql-priv' into 'master'

## What does this MR do?

Update missing mysql user permissions.

## Why was this MR needed?

This should also be in the `8-9-stable` branch.


See merge request !5086

Add missing privileges to MySQL database

Closes gitlab-org/gitlab-ce#19321

See merge request !5079

Updated breakpoint for sidebar pinning

Updates the breakpoint for sidebar pinning to 1024px.

Think we will have the same issue as before when picking into stable with `$window` not being defined.

See merge request !5019
(cherry picked from commit c5d164d1)

Expiry date on pinned nav cookie

Adds an expiry date far into the future for the pinned nav cookie so that it survives logout & browser closing.

See merge request !5009
(cherry picked from commit 73196fbd)

Handle external issues in IssueReferenceFilter

Rendering issue references such as `#1` was broken for projects using an external issues tracker.

See gitlab-org/gitlab-ce#19036

See merge request !4988
(cherry picked from commit 6e82c0e0)

Fix restore warning message

## What does this MR do?

Fix the restore Rake task so it properly outputs the database warning. This is a pretty important warning and it was not even being output. After this fix, the output looks like the screenshot below.

![Screen_Shot_2016-06-28_at_3.53.46_PM](/uploads/d250189d39fcacd0c8ec0aacf9cd930d/Screen_Shot_2016-06-28_at_3.53.46_PM.png)

See merge request !4980
(cherry picked from commit 0144dce7)

Do not show build retry link when build is active

Closes #19244

See merge request !4967
(cherry picked from commit dc2d0051)

Fixed comit avatar alignment

## What does this MR do?

Fixes the alignment of the avatar on https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG

Also fixes potential issues in other places.

## Screenshots (if relevant)

![Screen_Shot_2016-06-27_at_10.58.26](/uploads/fa4f50cfc30a870422d1afa63a4331d1/Screen_Shot_2016-06-27_at_10.58.26.png)![Screen_Shot_2016-06-27_at_10.58.35](/uploads/bd7dc3cf77464c1775fabb45b8079f02/Screen_Shot_2016-06-27_at_10.58.35.png)

See merge request !4933
(cherry picked from commit 8cada02d)