Merge branches 'feature/project-export' and 'master' of...

Merge branches 'feature/project-export' and 'master' of gitlab.com:gitlab-org/gitlab-ce into feature/project-export

.gitlab-ci.yml

@@ -115,6 +115,11 @@ bundler:audit:
   script:
     - "bundle exec bundle-audit check --update --ignore OSVDB-115941"
 
+db-migrate-reset:
+  stage: test
+  script:
+    - RAILS_ENV=test bundle exec rake db:migrate:reset
+
 # Ruby 2.2 jobs
 
 spec:feature:ruby22:

.scss-lint.yml

@@ -65,7 +65,7 @@ linters:
   
   # Reports when you have an empty rule set.
   EmptyRule:
-    enabled: false
+    enabled: true
   
   # Reports when you have an @extend directive.
   ExtendDirective:
@@ -244,11 +244,11 @@ linters:
   
   # URLs should be valid and not contain protocols or domain names.
   UrlFormat:
-    enabled: false
+    enabled: true
 
   # URLs should always be enclosed within quotes.
   UrlQuotes:
-    enabled: false
+    enabled: true
 
   # Properties, like color and font, are easier to read and maintain
   # when defined using variables rather than literals.

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.8.0 (unreleased)
-
-v 8.7.0 (unreleased)
+  - Project#open_branches has been cleaned up and no longer loads entire records into memory.
+  - Make build status canceled if any of the jobs was canceled and none failed
+  - Remove future dates from contribution calendar graph.
+  - Support e-mail notifications for comments on project snippets
+  - Use ActionDispatch Remote IP for Akismet checking
+  - Fix error when visiting commit builds page before build was updated
+  - Add 'l' shortcut to open Label dropdown on issuables and 'i' to create new issue on a project
+  - Updated search UI
+  - Display informative message when new milestone is created
+  - Replace Devise Async with Devise ActiveJob integration. !3902 (Connor Shea)
+  - Allow "NEWS" and "CHANGES" as alternative names for CHANGELOG. !3768 (Connor Shea)
+  - Added button to toggle whitespaces changes on diff view
+  - Backport GitLab Enterprise support from EE
+  - Files over 5MB can only be viewed in their raw form, files over 1MB without highlighting !3718
+  - Add support for supressing text diffs using .gitattributes on the default branch (Matt Oakes)
+  - Added multiple colors for labels in dropdowns when dups happen.
+
+v 8.7.2 (unreleased)
+  - The "New Branch" button is now loaded asynchronously
+  - Fix error 500 when trying to create a wiki page
+
+v 8.7.1
+  - Throttle the update of `project.last_activity_at` to 1 minute. !3848
+  - Fix .gitlab-ci.yml parsing issue when hidde job is a template without script definition. !3849
+  - Fix license detection to detect all license files, not only known licenses. !3878
+  - Use the `can?` helper instead of `current_user.can?`. !3882
+  - Prevent users from deleting Webhooks via API they do not own
+  - Fix Error 500 due to stale cache when projects are renamed or transferred
+  - Update width of search box to fix Safari bug. !3900 (Jedidiah)
+  - Use the `can?` helper instead of `current_user.can?`
+
+v 8.7.0
+  - Gitlab::GitAccess and Gitlab::GitAccessWiki are now instrumented
+  - Fix vulnerability that made it possible to gain access to private labels and milestones
   - The number of InfluxDB points stored per UDP packet can now be configured
   - Fix error when cross-project label reference used with non-existent project
   - Transactions for /internal/allowed now have an "action" tag set
@@ -53,7 +85,7 @@ v 8.7.0 (unreleased)
   - Add links to CI setup documentation from project settings and builds pages
   - Display project members page to all members
   - Handle nil descriptions in Slack issue messages (Stan Hu)
-  - Add automated repository integrity checks
+  - Add automated repository integrity checks (OFF by default)
   - API: Expose open_issues_count, closed_issues_count, open_merge_requests_count for labels (Robert Schilling)
   - API: Ability to star and unstar a project (Robert Schilling)
   - Add default scope to projects to exclude projects pending deletion
@@ -80,6 +112,7 @@ v 8.7.0 (unreleased)
   - Remove "Congratulations!" tweet button on newly-created project. (Connor Shea)
   - Fix admin/projects when using visibility levels on search (PotHix)
   - Build status notifications
+  - Update email confirmation interface
   - API: Expose user location (Robert Schilling)
   - API: Do not leak group existence via return code (Robert Schilling)
   - ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591
@@ -107,14 +140,27 @@ v 8.7.0 (unreleased)
   - Updated print style for issues
   - Use GitHub Issue/PR number as iid to keep references
   - Import GitHub labels
+  - Add option to filter by "Owned projects" on dashboard page
   - Import GitHub milestones
-  - Fix emoji catgories in the emoji picker
   - Execute system web hooks on push to the project
   - Allow enable/disable push events for system hooks
   - Fix GitHub project's link in the import page when provider has a custom URL
   - Add RAW build trace output and button on build page
   - Add incremental build trace update into CI API
 
+v 8.6.8
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via Git branch and tag names
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent XSS via label drop-down
+  - Prevent information disclosure via milestone API
+  - Prevent information disclosure via snippet API
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.6.7
   - Fix persistent XSS vulnerability in `commit_person_link` helper
   - Fix persistent XSS vulnerability in Label and Milestone dropdowns
@@ -256,6 +302,17 @@ v 8.6.0
   - Trigger a todo for mentions on commits page
   - Let project owners and admins soft delete issues and merge requests
 
+v 8.5.12
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via Git branch and tag names
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via snippet API
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.5.11
   - Fix persistent XSS vulnerability in `commit_person_link` helper
 
@@ -406,6 +463,17 @@ v 8.5.0
   - Show label row when filtering issues or merge requests by label (Nuttanart Pornprasitsakul)
   - Add Todos
 
+v 8.4.10
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via Git branch and tag names
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via snippet API
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.4.9
   - Fix persistent XSS vulnerability in `commit_person_link` helper
 
@@ -531,6 +599,15 @@ v 8.4.0
   - Add IP check against DNSBLs at account sign-up
   - Added cache:key to .gitlab-ci.yml allowing to fine tune the caching
 
+v 8.3.9
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.3.8
   - Fix persistent XSS vulnerability in `commit_person_link` helper
 
@@ -640,6 +717,17 @@ v 8.3.0
   - Expose Git's version in the admin area
   - Show "New Merge Request" buttons on canonical repos when you have a fork (Josh Frye)
 
+v 8.2.5
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
+v 8.2.4
+  - Bump Git version requirement to 2.7.4
+
 v 8.2.3
   - Fix application settings cache not expiring after changes (Stan Hu)
   - Fix Error 500s when creating global milestones with Unicode characters (Stan Hu)

CONTRIBUTING.md

@@ -38,7 +38,7 @@ source edition, and GitLab Enterprise Edition (EE) which is our commercial
 edition. Throughout this guide you will see references to CE and EE for
 abbreviation.
 
-If you have read this guide and want to know how the GitLab [core team][core-team]
+If you have read this guide and want to know how the GitLab [core team]
 operates please see [the GitLab contributing process](PROCESS.md).
 
 ## Contributor license agreement
@@ -135,8 +135,9 @@ For feature proposals for EE, open an issue on the
 
 In order to help track the feature proposals, we have created a
 [`feature proposal`][fpl] label. For the time being, users that are not members
-of the project cannot add labels. You can instead ask one of the [core team][core-team]
-members to add the label `feature proposal` to the issue.
+of the project cannot add labels. You can instead ask one of the [core team]
+members to add the label `feature proposal` to the issue or add the following
+code snippet right after your description in a new line: `~"feature proposal"`.
 
 Please keep feature proposals as small and simple as possible, complex ones
 might be edited to make them small and simple.
@@ -344,8 +345,7 @@ is it will be merged (quickly). After that you can send more MRs to enhance it.
 For examples of feedback on merge requests please look at already
 [closed merge requests][closed-merge-requests]. If you would like quick feedback
 on your merge request feel free to mention one of the Merge Marshalls in the
-[core team][core-team] or one of the
-[Merge request coaches](https://about.gitlab.com/team/).
+[core team] or one of the [Merge request coaches](https://about.gitlab.com/team/).
 Please ensure that your merge request meets the contribution acceptance criteria.
 
 When having your code reviewed and when reviewing merge requests please take the
@@ -497,7 +497,7 @@ reported by emailing `contact@gitlab.com`.
 This Code of Conduct is adapted from the [Contributor Covenant][contributor-covenant], version 1.1.0,
 available at [http://contributor-covenant.org/version/1/1/0/](http://contributor-covenant.org/version/1/1/0/).
 
-[core-team]: https://about.gitlab.com/core-team/
+[core team]: https://about.gitlab.com/core-team/
 [getting-help]: https://about.gitlab.com/getting-help/
 [codetriage]: http://www.codetriage.com/gitlabhq/gitlabhq
 [up-for-grabs]: https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name=up-for-grabs

Gemfile

@@ -19,8 +19,7 @@ gem "pg", '~> 0.18.2', group: :postgres
 
 # Authentication libraries
 gem 'devise',                 '~> 3.5.4'
-gem 'devise-async',           '~> 0.9.0'
-gem 'doorkeeper',             '~> 2.2.0'
+gem 'doorkeeper',             '~> 3.1'
 gem 'omniauth',               '~> 1.3.1'
 gem 'omniauth-auth0',         '~> 1.4.1'
 gem 'omniauth-azure-oauth2',  '~> 0.0.6'
@@ -178,7 +177,7 @@ gem 'ruby-fogbugz', '~> 0.2.1'
 gem 'd3_rails', '~> 3.5.0'
 
 #cal-heatmap
-gem 'cal-heatmap-rails', '~> 3.5.0'
+gem 'cal-heatmap-rails', '~> 3.6.0'
 
 # underscore-rails
 gem "underscore-rails", "~> 1.8.0"
@@ -217,7 +216,7 @@ gem 'font-awesome-rails', '~> 4.2'
 gem 'gitlab_emoji',       '~> 0.3.0'
 gem 'gon',                '~> 6.0.1'
 gem 'jquery-atwho-rails', '~> 1.3.2'
-gem 'jquery-rails',       '~> 4.0.0'
+gem 'jquery-rails',       '~> 4.1.0'
 gem 'jquery-scrollto-rails', '~> 1.4.3'
 gem 'jquery-ui-rails',    '~> 5.0.0'
 gem 'raphael-rails',      '~> 2.1.2'
@@ -243,7 +242,7 @@ group :development do
   gem 'brakeman', '~> 3.2.0', require: false
 
   gem "annotate", "~> 2.7.0"
-  gem "letter_opener", '~> 1.1.2'
+  gem 'letter_opener_web', '~> 1.3.0'
   gem 'quiet_assets', '~> 1.0.2'
   gem 'rerun', '~> 0.11.0'
   gem 'bullet', require: false

Gemfile.lock

@@ -103,7 +103,7 @@ GEM
       bundler (~> 1.2)
       thor (~> 0.18)
     byebug (8.2.1)
-    cal-heatmap-rails (3.5.1)
+    cal-heatmap-rails (3.6.0)
     capybara (2.6.2)
       addressable
       mime-types (>= 1.16)
@@ -134,7 +134,7 @@ GEM
       execjs
     coffee-script-source (1.10.0)
     colorize (0.7.7)
-    concurrent-ruby (1.0.0)
+    concurrent-ruby (1.0.1)
     connection_pool (2.2.0)
     coveralls (0.8.13)
       json (~> 1.8)
@@ -164,8 +164,6 @@ GEM
       responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
-    devise-async (0.9.0)
-      devise (~> 3.2)
     devise-two-factor (2.0.1)
       activesupport
       attr_encrypted (~> 1.3.2)
@@ -175,7 +173,7 @@ GEM
     diff-lcs (1.2.5)
     diffy (3.0.7)
     docile (1.1.5)
-    doorkeeper (2.2.2)
+    doorkeeper (3.1.0)
       railties (>= 3.2)
     dropzonejs-rails (0.7.2)
       rails (> 3.1)
@@ -186,7 +184,7 @@ GEM
     encryptor (1.3.0)
     equalizer (0.0.11)
     erubis (2.7.0)
-    escape_utils (1.1.0)
+    escape_utils (1.1.1)
     eventmachine (1.0.8)
     excon (0.45.4)
     execjs (2.6.0)
@@ -336,7 +334,7 @@ GEM
       json
     get_process_mem (0.2.0)
     gherkin-ruby (0.3.2)
-    github-linguist (4.7.5)
+    github-linguist (4.7.6)
       charlock_holmes (~> 0.7.3)
       escape_utils (~> 1.1.0)
       mime-types (>= 1.19)
@@ -346,14 +344,14 @@ GEM
       flowdock (~> 0.7)
       gitlab-grit (>= 2.4.1)
       multi_json
-    gitlab-grit (2.7.3)
+    gitlab-grit (2.8.1)
       charlock_holmes (~> 0.6)
       diff-lcs (~> 1.1)
-      mime-types (~> 1.15)
+      mime-types (>= 1.16, < 3)
       posix-spawn (~> 0.3)
     gitlab_emoji (0.3.1)
       gemojione (~> 2.2, >= 2.2.1)
-    gitlab_git (10.0.0)
+    gitlab_git (10.0.1)
       activesupport (~> 4.0)
       charlock_holmes (~> 0.7.3)
       github-linguist (~> 4.7.0)
@@ -431,8 +429,8 @@ GEM
       json
     ipaddress (0.8.2)
     jquery-atwho-rails (1.3.2)
-    jquery-rails (4.0.5)
-      rails-dom-testing (~> 1.0)
+    jquery-rails (4.1.1)
+      rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     jquery-scrollto-rails (1.4.3)
@@ -450,8 +448,12 @@ GEM
     kgio (2.10.0)
     launchy (2.4.3)
       addressable (~> 2.3)
-    letter_opener (1.1.2)
+    letter_opener (1.4.1)
       launchy (~> 2.2)
+    letter_opener_web (1.3.0)
+      actionmailer (>= 3.2)
+      letter_opener (~> 1.0)
+      railties (>= 3.2)
     licensee (8.0.0)
       rugged (>= 0.24b)
     listen (3.0.5)
@@ -465,7 +467,7 @@ GEM
       mime-types (>= 1.16, < 4)
     mail_room (0.6.1)
     method_source (0.8.2)
-    mime-types (1.25.1)
+    mime-types (2.99.1)
     mimemagic (0.3.0)
     mini_portile2 (2.0.0)
     minitest (5.7.0)
@@ -629,7 +631,7 @@ GEM
     recaptcha (1.0.2)
       json
     redcarpet (3.3.3)
-    redis (3.2.2)
+    redis (3.3.0)
     redis-actionpack (4.0.1)
       actionpack (~> 4)
       redis-rack (~> 1.5.0)
@@ -736,10 +738,9 @@ GEM
       rack
     shoulda-matchers (2.8.0)
       activesupport (>= 3.0.0)
-    sidekiq (4.0.1)
+    sidekiq (4.1.1)
       concurrent-ruby (~> 1.0)
       connection_pool (~> 2.2, >= 2.2.0)
-      json (~> 1.0)
       redis (~> 3.2, >= 3.2.1)
     sidekiq-cron (0.4.0)
       redis-namespace (>= 1.5.2)
@@ -905,7 +906,7 @@ DEPENDENCIES
   bullet
   bundler-audit
   byebug
-  cal-heatmap-rails (~> 3.5.0)
+  cal-heatmap-rails (~> 3.6.0)
   capybara (~> 2.6.2)
   capybara-screenshot (~> 1.0.0)
   carrierwave (~> 0.10.0)
@@ -919,10 +920,9 @@ DEPENDENCIES
   database_cleaner (~> 1.4.0)
   default_value_for (~> 3.0.0)
   devise (~> 3.5.4)
-  devise-async (~> 0.9.0)
   devise-two-factor (~> 2.0.0)
   diffy (~> 3.0.3)
-  doorkeeper (~> 2.2.0)
+  doorkeeper (~> 3.1)
   dropzonejs-rails (~> 0.7.1)
   email_reply_parser (~> 0.5.8)
   email_spec (~> 1.6.0)
@@ -953,12 +953,12 @@ DEPENDENCIES
   httparty (~> 0.13.3)
   influxdb (~> 0.2)
   jquery-atwho-rails (~> 1.3.2)
-  jquery-rails (~> 4.0.0)
+  jquery-rails (~> 4.1.0)
   jquery-scrollto-rails (~> 1.4.3)
   jquery-turbolinks (~> 2.1.0)
   jquery-ui-rails (~> 5.0.0)
   kaminari (~> 0.16.3)
-  letter_opener (~> 1.1.2)
+  letter_opener_web (~> 1.3.0)
   licensee (~> 8.0.0)
   loofah (~> 2.0.3)
   mail_room (~> 0.6.1)

PROCESS.md

@@ -59,7 +59,7 @@ core team members will mention this person.
 
 Workflow labels are purposely not very detailed since that would be hard to keep
 updated as you would need to re-evaluate them after every comment. We optionally
-use functional labels on demand when want to group related issues to get an
+use functional labels on demand when we want to group related issues to get an
 overview (for example all issues related to RVM, to tackle them in one go) and
 to add details to the issue.
 
@@ -73,6 +73,7 @@ in support or comment for further detail. Do not use `feature request`.
 - ~bug is an issue reporting undesirable or incorrect behavior.
 - ~customer is an issue reported by enterprise subscribers. This label should
 be accompanied by *bug* or *feature proposal* labels.
+
 Example workflow: when a UX designer provided a design but it needs frontend work they remove the UX label and add the frontend label.
 
 ## Functional labels

app/assets/javascripts/commits.js.coffee

 class @CommitsList
   @timer = null
 
-  @init: (ref, limit) ->
+  @init: (limit) ->
     $("body").on "click", ".day-commits-table li.commit", (event) ->
       if event.target.nodeName != "A"
         location.href = $(this).attr("url")

app/assets/javascripts/dispatcher.js.coffee

@@ -108,6 +108,8 @@ class Dispatcher
         new BuildArtifacts()
       when 'projects:group_links:index'
         new GroupsSelect()
+      when 'search:show'
+        new Search()
 
     switch path.first()
       when 'admin'

app/assets/javascripts/gl_dropdown.js.coffee

@@ -184,6 +184,9 @@ class GitLabDropdown
     @dropdown.on "shown.bs.dropdown", @opened
     @dropdown.on "hidden.bs.dropdown", @hidden
     @dropdown.on "click", ".dropdown-menu, .dropdown-menu-close", @shouldPropagate
+    @dropdown.on 'keyup', (e) =>
+      if e.which is 27 # Escape key
+        $('.dropdown-menu-close', @dropdown).trigger 'click'
 
     if @dropdown.find(".dropdown-toggle-page").length
       @dropdown.find(".dropdown-toggle-page, .dropdown-menu-back").on "click", (e) =>
@@ -221,6 +224,9 @@ class GitLabDropdown
 
     menu.toggleClass PAGE_TWO_CLASS
 
+    # Focus first visible input on active page
+    @dropdown.find('[class^="dropdown-page-"]:visible :text:visible:first').focus()
+
   parseData: (data) ->
     @renderedData = data
 
@@ -240,7 +246,8 @@ class GitLabDropdown
   shouldPropagate: (e) =>
     if @options.multiSelect
       $target = $(e.target)
-      if not $target.hasClass('dropdown-menu-close') and not $target.hasClass('dropdown-menu-close-icon')
+
+      if not $target.hasClass('dropdown-menu-close') and not $target.hasClass('dropdown-menu-close-icon') and not $target.data('is-link')
         e.stopPropagation()
         return false
       else
@@ -375,7 +382,6 @@ class GitLabDropdown
       selectedObject = @renderedData[selectedIndex]
     value = if @options.id then @options.id(selectedObject, el) else selectedObject.id
     field = @dropdown.parent().find("input[name='#{fieldName}'][value='#{value}']")
-
     if el.hasClass(ACTIVE_CLASS)
       el.removeClass(ACTIVE_CLASS)
       field.remove()

app/assets/javascripts/issuable_context.js.coffee

@@ -10,8 +10,8 @@ class @IssuableContext
       $(this).submit()
 
     $(document)
-      .off 'click', '.dropdown-content a'
-      .on 'click', '.dropdown-content a', (e) ->
+      .off 'click', '.issuable-sidebar .dropdown-content a'
+      .on 'click', '.issuable-sidebar .dropdown-content a', (e) ->
         e.preventDefault()
 
     $(document)

app/assets/javascripts/issue.js.coffee

@@ -12,6 +12,7 @@ class @Issue
 
     @initMergeRequests()
     @initRelatedBranches()
+    @initCanCreateBranch()
 
   initTaskList: ->
     $('.detail-page-description .js-task-list-container').taskList('enable')
@@ -92,3 +93,25 @@ class @Issue
       .success (data) ->
         if 'html' of data
           $container.html(data.html)
+
+  initCanCreateBranch: ->
+    $container = $('div#new-branch')
+
+    # If the user doesn't have the required permissions the container isn't
+    # rendered at all.
+    return unless $container
+
+    $.getJSON($container.data('path'))
+      .error ->
+        $container.find('.checking').hide()
+        $container.find('.unavailable').show()
+
+        new Flash('Failed to check if a new branch can be created.', 'alert')
+      .success (data) ->
+        if data.can_create_branch
+          $container.find('.checking').hide()
+          $container.find('.available').show()
+          $container.find('a').attr('disabled', false)
+        else
+          $container.find('.checking').hide()
+          $container.find('.unavailable').show()

app/assets/javascripts/labels_select.js.coffee

@@ -19,23 +19,19 @@ class @LabelsSelect
       $form = $dropdown.closest('form')
       $sidebarCollapsedValue = $block.find('.sidebar-collapsed-icon span')
       $value = $block.find('.value')
-      $loading = $block.find('.block-loading').fadeOut()
-
-      if newLabelField.length
-        $newLabelCreateButton = $('.js-new-label-btn')
-        $colorPreview = $('.js-dropdown-label-color-preview')
-        $newLabelError = $dropdown.parent().find('.js-label-error')
-        $newLabelError.hide()
+      $newLabelError = $('.js-label-error')
+      $colorPreview = $('.js-dropdown-label-color-preview')
+      $newLabelCreateButton = $('.js-new-label-btn')
 
-        # Suggested colors in the dropdown to chose from pre-chosen colors
-        $('.suggest-colors-dropdown a').on 'click', (e) ->
+      $newLabelError.hide()
+      $loading = $block.find('.block-loading').fadeOut()
 
       issueURLSplit = issueUpdateURL.split('/') if issueUpdateURL?
       if issueUpdateURL
         labelHTMLTemplate = _.template(
             '<% _.each(labels, function(label){ %>
-            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= _.escape(label.title) %>">
-            <span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>;">
+            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%= _.escape(label.title) %>">
+            <span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>; color: <%= label.text_color %>;">
             <%= _.escape(label.title) %>
             </span>
             </a>
@@ -43,7 +39,9 @@ class @LabelsSelect
         )
         labelNoneHTMLTemplate = _.template('<div class="light">None</div>')
 
-      if newLabelField.length and $dropdown.hasClass 'js-extra-options'
+      if newLabelField.length
+
+        # Suggested colors in the dropdown to chose from pre-chosen colors
         $('.suggest-colors-dropdown a').on "click", (e) ->
           e.preventDefault()
           e.stopPropagation()
@@ -82,26 +80,25 @@ class @LabelsSelect
         enableLabelCreateButton = ->
           if newLabelField.val() isnt '' and newColorField.val() isnt ''
             $newLabelError.hide()
-            $('.js-new-label-btn').disable()
-
-            # Create new label with API
-            Api.newLabel projectId, {
-              name: newLabelField.val()
-              color: newColorField.val()
-            }, (label) ->
-              $('.js-new-label-btn').enable()
-
-              if label.message?
-                $newLabelError
-                  .text label.message
-                  .show()
-              else
-                $('.dropdown-menu-back', $dropdown.parent()).trigger 'click'
-
             $newLabelCreateButton.enable()
           else
             $newLabelCreateButton.disable()
 
+        saveLabel = ->
+          # Create new label with API
+          Api.newLabel projectId, {
+            name: newLabelField.val()
+            color: newColorField.val()
+          }, (label) ->
+            $newLabelCreateButton.enable()
+
+            if label.message?
+              $newLabelError
+                .text label.message
+                .show()
+            else
+              $('.dropdown-menu-back', $dropdown.parent()).trigger 'click'
+
         newLabelField.on 'keyup change', enableLabelCreateButton
 
         newColorField.on 'keyup change', enableLabelCreateButton
@@ -112,24 +109,7 @@ class @LabelsSelect
           .on 'click', (e) ->
             e.preventDefault()
             e.stopPropagation()
-
-            if newLabelField.val() isnt '' and newColorField.val() isnt ''
-              $newLabelError.hide()
-              $('.js-new-label-btn').disable()
-
-              # Create new label with API
-              Api.newLabel projectId, {
-                name: newLabelField.val()
-                color: newColorField.val()
-              }, (label) ->
-                $('.js-new-label-btn').enable()
-
-                if label.message?
-                  $newLabelError
-                    .text label.message
-                    .show()
-                else
-                  $('.dropdown-menu-back', $dropdown.parent()).trigger 'click'
+            saveLabel()
 
       saveLabelData = ->
         selected = $dropdown
@@ -183,6 +163,21 @@ class @LabelsSelect
           $.ajax(
             url: labelUrl
           ).done (data) ->
+            data = _.chain data
+              .groupBy (label) ->
+                label.title
+              .map (label) ->
+                color = _.map label, (dup) ->
+                  dup.color
+
+                return {
+                  id: label[0].id
+                  title: label[0].title
+                  color: color
+                  duplicate: color.length > 1
+                }
+              .value()
+
             if $dropdown.hasClass 'js-extra-options'
               if showNo
                 data.unshift(
@@ -198,6 +193,7 @@ class @LabelsSelect
 
               if data.length > 2
                 data.splice 2, 0, 'divider'
+
             callback data
 
         renderRow: (label) ->
@@ -212,11 +208,31 @@ class @LabelsSelect
           if $dropdown.hasClass('js-multiselect') and removesAll
             selectedClass.push 'dropdown-clear-active'
 
-          color = if label.color? then "<span class='dropdown-label-box' style='background-color: #{label.color}'></span>" else ""
+          if label.duplicate
+            spacing = 100 / label.color.length
+
+            # Reduce the colors to 4
+            label.color = label.color.filter (color, i) ->
+              i < 4
+
+            color = _.map(label.color, (color, i) ->
+              percentFirst = Math.floor(spacing * i)
+              percentSecond = Math.floor(spacing * (i + 1))
+              "#{color} #{percentFirst}%,#{color} #{percentSecond}% "
+            ).join(',')
+            color = "linear-gradient(#{color})"
+          else
+            if label.color?
+              color = label.color[0]
+
+          if color
+            colorEl = "<span class='dropdown-label-box' style='background: #{color}'></span>"
+          else
+            colorEl = ''
 
           "<li>
             <a href='#' class='#{selectedClass.join(' ')}'>
-              #{color}
+              #{colorEl}
               #{_.escape(label.title)}
             </a>
           </li>"
@@ -243,7 +259,7 @@ class @LabelsSelect
         fieldName: $dropdown.data('field-name')
         id: (label) ->
           if $dropdown.hasClass("js-filter-submit") and not label.isAny?
-            label.title
+            _.escape label.title
           else
             label.id
 

app/assets/javascripts/merge_request_tabs.js.coffee

@@ -87,8 +87,8 @@ class @MergeRequestTabs
     if window.location.hash
       navBarHeight = $('.navbar-gitlab').outerHeight()
 
-      $el = $("#{container} #{window.location.hash}")
-      $.scrollTo("#{container} #{window.location.hash}", offset: -navBarHeight) if $el.length
+      $el = $("#{container} #{window.location.hash}:not(.match)")
+      $.scrollTo("#{container} #{window.location.hash}:not(.match)", offset: -navBarHeight) if $el.length
 
   # Activate a tab based on the current action
   activateTab: (action) ->
@@ -176,12 +176,12 @@ class @MergeRequestTabs
 
     if locationHash isnt ''
       hashClassString = ".#{locationHash.replace('#', '')}"
-      $diffLine = $(locationHash)
+      $diffLine = $("#{locationHash}:not(.match)", $('#diffs'))
 
-      if $diffLine.is ':not(tr)'
-        $diffLine = $("td#{locationHash}, td#{hashClassString}")
+      if not $diffLine.is 'tr'
+        $diffLine = $('#diffs').find("td#{locationHash}, td#{hashClassString}")
       else
-        $diffLine = $('td', $diffLine)
+        $diffLine = $diffLine.find('td')
 
       if $diffLine.length
         $diffLine.addClass 'hll'

app/assets/javascripts/notes.js.coffee

@@ -167,8 +167,8 @@ class @Notes
       return
 
     if note.award
-      awards_handler.addAwardToEmojiBar(note.note)
-      awards_handler.scrollToAwards()
+      awardsHandler.addAwardToEmojiBar(note.note)
+      awardsHandler.scrollToAwards()
 
     # render note if it not present in loaded list
     # or skip if rendered
@@ -373,11 +373,11 @@ class @Notes
 
     new GLForm form
     if scrollTo? and myLastNote?
-      # scroll to the bottom 
+      # scroll to the bottom
       # so the open of the last element doesn't make a jump
       $('html, body').scrollTop($(document).height());
       $('html, body').animate({
-        scrollTop: myLastNote.offset().top - 150  
+        scrollTop: myLastNote.offset().top - 150
       }, 500, ->
         $noteText = form.find(".js-note-text")
         $noteText.focus()

app/assets/javascripts/right_sidebar.js.coffee

 class @Sidebar
   constructor: (currentUser) ->
+    @sidebar = $('aside')
+
     @addEventListeners()
 
   addEventListeners: ->
-    $('aside').on('click', '.sidebar-collapsed-icon', @sidebarCollapseClicked)
-    $('.dropdown').on('hidden.gl.dropdown', @sidebarDropdownHidden)
+    @sidebar.on('click', '.sidebar-collapsed-icon', @, @sidebarCollapseClicked)
+    $('.dropdown').on('hidden.gl.dropdown', @, @onSidebarDropdownHidden)
     $('.dropdown').on('loading.gl.dropdown', @sidebarDropdownLoading)
     $('.dropdown').on('loaded.gl.dropdown', @sidebarDropdownLoaded)
 
@@ -30,26 +32,56 @@ class @Sidebar
     else
       i.show()
 
-
   sidebarCollapseClicked: (e) ->
+    sidebar = e.data
     e.preventDefault()
     $block = $(@).closest('.block')
+    sidebar.openDropdown($block);
 
-    $('aside')
-      .find('.gutter-toggle')
-      .trigger('click')
-    $editLink = $block.find('.edit-link')
+  openDropdown: (blockOrName) ->
+    $block = if _.isString(blockOrName) then @getBlock(blockOrName) else blockOrName
+
+    $block.find('.edit-link').trigger('click')
 
-    if $editLink.length
-      $editLink.trigger('click')
-      $block.addClass('collapse-after-update')
-      $('.page-with-sidebar').addClass('with-overlay')
+    if not @isOpen()
+      @setCollapseAfterUpdate($block)
+      @toggleSidebar('open')
 
-  sidebarDropdownHidden: (e) ->
+  setCollapseAfterUpdate: ($block) ->
+    $block.addClass('collapse-after-update')
+    $('.page-with-sidebar').addClass('with-overlay')
+
+  onSidebarDropdownHidden: (e) ->
+    sidebar = e.data
+    e.preventDefault()
     $block = $(@).closest('.block')
+    sidebar.sidebarDropdownHidden($block)
+
+  sidebarDropdownHidden: ($block) ->
     if $block.hasClass('collapse-after-update')
       $block.removeClass('collapse-after-update')
       $('.page-with-sidebar').removeClass('with-overlay')
-      $('aside')
-        .find('.gutter-toggle')
-        .trigger('click')
+      @toggleSidebar('hide')
+
+  triggerOpenSidebar: ->
\ No newline at end of file
+    @sidebar
+      .find('.js-sidebar-toggle')
+      .trigger('click')
+
+  toggleSidebar: (action = 'toggle') ->
+    if action is 'toggle'
+      @triggerOpenSidebar()
+
+    if action is 'open'
+      @triggerOpenSidebar() if not @isOpen()
+
+    if action is 'hide'
+      @triggerOpenSidebar() is @isOpen()
+
+  isOpen: ->
+    @sidebar.is('.right-sidebar-expanded')
+
+  getBlock: (name) ->
+    @sidebar.find(".block.#{name}")
+
+

app/assets/javascripts/search.js.coffee

+class @Search
+  constructor: ->
+    $groupDropdown = $('.js-search-group-dropdown')
+    $projectDropdown = $('.js-search-project-dropdown')
+    @eventListeners()
+
+    $groupDropdown.glDropdown(
+      selectable: true
+      filterable: true
+      fieldName: 'group_id'
+      data: (term, callback) ->
+        Api.groups term, null, (data) ->
+          data.unshift(
+            name: 'Any'
+          )
+          data.splice 1, 0, 'divider'
+
+          callback(data)
+      id: (obj) ->
+        obj.id
+      text: (obj) ->
+        obj.name
+      toggleLabel: (obj) ->
+        "#{$groupDropdown.data('default-label')} #{obj.name}"
+      clicked: =>
+        @submitSearch()
+    )
+
+    $projectDropdown.glDropdown(
+      selectable: true
+      filterable: true
+      fieldName: 'project_id'
+      data: (term, callback) ->
+        Api.projects term, 'id', (data) ->
+          data.unshift(
+            name_with_namespace: 'Any'
+          )
+          data.splice 1, 0, 'divider'
+
+          callback(data)
+      id: (obj) ->
+        obj.id
+      text: (obj) ->
+        obj.name_with_namespace
+      toggleLabel: (obj) ->
+        "#{$projectDropdown.data('default-label')} #{obj.name_with_namespace}"
+      clicked: =>
+        @submitSearch()
+    )
+
+  eventListeners: ->
+    $(document)
+      .off 'keyup', '.js-search-input'
+      .on 'keyup', '.js-search-input', @searchKeyUp
+
+    $(document)
+      .off 'click', '.js-search-clear'
+      .on 'click', '.js-search-clear', @clearSearchField
+
+  submitSearch: ->
+    $('.js-search-form').submit()
+
+  searchKeyUp: ->
+    $input = $(@)
+
+    if $input.val() is ''
+      $('.js-search-clear').addClass 'hidden'
+    else
+      $('.js-search-clear').removeClass 'hidden'
+
+  clearSearchField: ->
+    $('.js-search-input')
+      .val ''
+      .trigger 'keyup'
+      .focus()

app/assets/javascripts/shortcuts.js.coffee

@@ -2,34 +2,35 @@ class @Shortcuts
   constructor: ->
     @enabledHelp = []
     Mousetrap.reset()
-    Mousetrap.bind('?', @selectiveHelp)
+    Mousetrap.bind('?', @onToggleHelp)
     Mousetrap.bind('s', Shortcuts.focusSearch)
     Mousetrap.bind(['ctrl+shift+p', 'command+shift+p'], @toggleMarkdownPreview)
     Mousetrap.bind('t', -> Turbolinks.visit(findFileURL)) if findFileURL?
 
-  selectiveHelp: (e) =>
-    Shortcuts.showHelp(e, @enabledHelp)
+  onToggleHelp: (e) =>
+    e.preventDefault()
+    @toggleHelp(@enabledHelp)
 
   toggleMarkdownPreview: (e) =>
     $(document).triggerHandler('markdown-preview:toggle', [e])
 
-  @showHelp: (e, location) ->
-    if $('#modal-shortcuts').length > 0
-      $('#modal-shortcuts').modal('show')
-    else
-      url = '/help/shortcuts'
-      url = gon.relative_url_root + url if gon.relative_url_root?
-      $.ajax(
-        url: url,
-        dataType: 'script',
-        success: (e) ->
-          if location and location.length > 0
-            $(l).show() for l in location
-          else
-            $('.hidden-shortcut').show()
-            $('.js-more-help-button').remove()
-      )
-      e.preventDefault()
+  toggleHelp: (location) ->
+    $modal = $('#modal-shortcuts')
+
+    if $modal.length
+      $modal.modal('toggle')
+      return
+
+    $.ajax(
+      url: gon.shortcuts_path,
+      dataType: 'script',
+      success: (e) ->
+        if location and location.length > 0
+          $(l).show() for l in location
+        else
+          $('.hidden-shortcut').show()
+          $('.js-more-help-button').remove()
+    )
 
   @focusSearch: (e) ->
     $('#search').focus()

app/assets/javascripts/shortcuts_issuable.coffee

@@ -4,18 +4,8 @@
 class @ShortcutsIssuable extends ShortcutsNavigation
   constructor: (isMergeRequest) ->
     super()
-    Mousetrap.bind('a', ->
-      $('.block.assignee .edit-link').trigger('click')
-      return false
-    )
-    Mousetrap.bind('m', ->
-      $('.block.milestone .edit-link').trigger('click')
-      return false
-    )
-    Mousetrap.bind('r', =>
-      @replyWithSelectedText()
-      return false
-    )
+    Mousetrap.bind('a', @openSidebarDropdown.bind(@, 'assignee'))
+    Mousetrap.bind('m', @openSidebarDropdown.bind(@, 'milestone'))
     Mousetrap.bind('j', =>
       @prevIssue()
       return false
@@ -28,7 +18,7 @@ class @ShortcutsIssuable extends ShortcutsNavigation
       @editIssue()
       return false
     )
-
+    Mousetrap.bind('l', @openSidebarDropdown.bind(@, 'labels'))
 
     if isMergeRequest
       @enabledHelp.push('.hidden-shortcut.merge_requests')
@@ -71,3 +61,7 @@ class @ShortcutsIssuable extends ShortcutsNavigation
   editIssue: ->
     $editBtn = $('.issuable-edit')
     Turbolinks.visit($editBtn.attr('href'))
+
+  openSidebarDropdown: (name) ->
+    sidebar.openDropdown(name)
+    return false

app/assets/javascripts/shortcuts_navigation.coffee

@@ -14,6 +14,7 @@ class @ShortcutsNavigation extends Shortcuts
     Mousetrap.bind('g m', -> ShortcutsNavigation.findAndFollowLink('.shortcuts-merge_requests'))
     Mousetrap.bind('g w', -> ShortcutsNavigation.findAndFollowLink('.shortcuts-wiki'))
     Mousetrap.bind('g s', -> ShortcutsNavigation.findAndFollowLink('.shortcuts-snippets'))
+    Mousetrap.bind('i', -> ShortcutsNavigation.findAndFollowLink('.shortcuts-new-issue'))
     @enabledHelp.push('.hidden-shortcut.project')
 
   @findAndFollowLink: (selector) ->

app/assets/javascripts/todos.js.coffee

@@ -102,7 +102,8 @@ class @Todos
     todoLink = $(this).data('url')
     return unless todoLink
 
-    if e.metaKey
+    # Allow Meta-Click or Mouse3-click to open in a new tab
+    if e.metaKey or e.which is 2
       e.preventDefault()
       window.open(todoLink,'_blank')
     else

app/assets/javascripts/user_tabs.js.coffee

@@ -92,7 +92,7 @@ class @UserTabs
     @setCurrentAction(action)
 
   activateTab: (action) ->
-    @parentEl.find(".nav-links .#{action}-tab a").tab('show')
+    @parentEl.find(".nav-links .js-#{action}-tab a").tab('show')
 
   setTab: (source, action) ->
     return if @loaded[action] is true

app/assets/stylesheets/framework.scss

@@ -25,6 +25,7 @@
 @import "framework/lists.scss";
 @import "framework/markdown_area.scss";
 @import "framework/mobile.scss";
+@import "framework/modal.scss";
 @import "framework/nav.scss";
 @import "framework/pagination.scss";
 @import "framework/progress.scss";

app/assets/stylesheets/framework/blocks.scss

 .light-well {
-  background-color: #f8fafc;
+  background-color: $background-color;
   padding: 15px;
 }
 

app/assets/stylesheets/framework/buttons.scss

@@ -139,11 +139,19 @@
     pointer-events: auto !important;
   }
 
+  &[disabled] {
+    pointer-events: none !important;
+  }
+
   .caret {
     margin-left: 5px;
   }
 }
 
+.btn-lg {
+  padding: 12px 20px;
+}
+
 .btn-transparent {
   color: $btn-transparent-color;
   background-color: transparent;

app/assets/stylesheets/framework/calendar.scss

@@ -54,6 +54,10 @@
     fill: #254e77 !important;
   }
 
+  .future {
+    visibility: hidden;
+  }
+
   .domain-background {
     fill: none;
     shape-rendering: crispedges;

app/assets/stylesheets/framework/common.scss

@@ -11,6 +11,7 @@
 .prepend-top-10 { margin-top: 10px }
 .prepend-top-default { margin-top: $gl-padding !important; }
 .prepend-top-20 { margin-top: 20px }
+.prepend-left-5 { margin-left: 5px }
 .prepend-left-10 { margin-left: 10px }
 .prepend-left-default { margin-left: $gl-padding; }
 .prepend-left-20 { margin-left: 20px }

app/assets/stylesheets/framework/dropdowns.scss

@@ -42,7 +42,7 @@
   font-size: 15px;
   text-align: left;
   border: 1px solid $dropdown-toggle-border-color;
-  border-radius: $dropdown-border-radius;
+  border-radius: $border-radius-base;
   outline: 0;
   text-overflow: ellipsis;
   white-space: nowrap;
@@ -80,7 +80,7 @@
   padding: 10px 0;
   background-color: $dropdown-bg;
   border: 1px solid $dropdown-border-color;
-  border-radius: $dropdown-border-radius;
+  border-radius: $border-radius-base;
   box-shadow: 0 2px 4px $dropdown-shadow-color;
 
   &.is-loading {
@@ -320,7 +320,7 @@
   }
 }
 
-.dropdown-input-field {
+.dropdown-input-field, .default-dropdown-input {
   width: 100%;
   padding: 0 7px;
   color: $dropdown-input-color;

app/assets/stylesheets/framework/files.scss

@@ -38,12 +38,14 @@
 
     .filename {
       &.old {
+        display: inline-block;
         span.idiff {
           background-color: #f8cbcb;
         }
       }
 
       &.new {
+        display: inline-block;
         span.idiff {
           background-color: #a6f3a6;
         }
@@ -82,10 +84,6 @@
       }
     }
 
-    &.blob_file {
-
-    }
-
     &.blob-no-preview {
       background: #eee;
       text-shadow: 0 1px 2px #fff;
@@ -129,6 +127,11 @@
       td.line-numbers {
         float: none;
         border-left: 1px solid #ddd;
+
+        i {
+          float: none;
+          margin-right: 0;
+        }
       }
       td.lines {
         padding: 0;

app/assets/stylesheets/framework/forms.scss

@@ -78,6 +78,24 @@ label {
   border-radius: 3px;
 }
 
+.select-wrapper {
+  position: relative;
+
+  .caret {
+    position: absolute;
+    right: 10px;
+    top: $gl-padding;
+    color: $gray-darkest;
+    pointer-events: none;
+  }
+}
+
+.select-control {
+  padding-left: 10px;
+  padding-right: 10px;
+  -webkit-appearance: none;
+}
+
 .form-control-inline {
   display: inline;
 }

app/assets/stylesheets/framework/header.scss

@@ -26,9 +26,9 @@ header {
     z-index: 100;
     margin-bottom: 0;
     min-height: $header-height;
-    background-color: #fff;
+    background-color: $background-color;
     border: none;
-    border-bottom: 1px solid #eee;
+    border-bottom: 1px solid $border-color;
 
     .container-fluid {
       width: 100% !important;
@@ -47,7 +47,7 @@ header {
         text-align: center;
 
         &:hover, &:focus, &:active {
-          background-color: #fff;
+          background-color: $background-color;
         }
       }
 

app/assets/stylesheets/framework/markdown_area.scss

@@ -95,7 +95,7 @@
   &.md-preview-holder {
     code {
       white-space: pre-wrap;
-      word-break: break-all;
+      word-break: keep-all;
     }
   }
 }

app/assets/stylesheets/framework/modal.scss

+.modal-body {
+  position: relative;
+  overflow-y: auto;
+  padding: 15px;
+
+  .form-actions {
+    margin: -$gl-padding+1;
+    margin-top: 15px;
+  }
+
+  .text-danger {
+    font-weight: bold;
+  }
+}
+
+body.modal-open {
+  overflow: hidden;
+}
+
+.modal .modal-dialog {
+  width: 860px;
+}

app/assets/stylesheets/framework/nav.scss

@@ -185,3 +185,22 @@
     }
   }
 }
+
+.layout-nav {
+  background: $background-color;
+  border-bottom: 1px solid $border-color;
+
+  .controls {
+    float: right;
+    position: relative;
+    top: 10px;
+
+    .dropdown {
+      margin-left: 7px;
+    }
+  }
+
+  .nav-links {
+    border-bottom: none;
+  }
+}

app/assets/stylesheets/framework/selects.scss

@@ -7,13 +7,11 @@
   .select2-choice {
     background: #fff;
     border-color: $input-border;
-    border-color: $border-white-light;
     height: 35px;
     padding: $gl-vert-padding $gl-btn-padding;
     font-size: $gl-font-size;
     line-height: 1.42857143;
-
-    @include border-radius($border-radius-default);
+    border-radius: $border-radius-base;
 
     .select2-arrow {
       background-image: none;
@@ -121,9 +119,6 @@
   }
 }
 
-.select2-container-multi .select2-choices .select2-search-choice {
-}
-
 .select2-drop-active {
   margin-top: 6px;
   font-size: 14px;
@@ -202,6 +197,14 @@
   }
 }
 
+.select2-highlighted {
+  .group-result {
+    .group-path {
+      color: #fff;
+    }
+  }
+}
+
 .group-result {
   .group-image {
     float: left;

app/assets/stylesheets/framework/timeline.scss

@@ -11,7 +11,7 @@
     border-bottom: 1px solid $border-white-light;
 
     &:target {
-      background: $row-hover;
+      background: $line-target-blue;
     }
 
     .avatar {

app/assets/stylesheets/framework/tw_bootstrap_variables.scss

@@ -153,8 +153,8 @@ $nav-link-padding: 13px $gl-padding;
 //== Code
 //
 //##
-$pre-bg:           #f8fafc !default;
+$pre-bg:           $background-color !default;
 $pre-color:        $gl-gray !default;
-$pre-border-color: #e7e9ed;
+$pre-border-color: $border-color;
 
 $table-bg-accent: $background-color;

app/assets/stylesheets/framework/typography.scss

@@ -205,6 +205,10 @@ h1, h2, h3, h4, h5, h6 {
   font-weight: 600;
 }
 
+.light-header {
+  font-weight: 600;
+}
+
 /** CODE **/
 pre {
   font-family: $monospace_font;
@@ -259,3 +263,9 @@ h1, h2, h3, h4 {
     color: $gl-gray;
   }
 }
+
+.text-right-lg {
+  @media (min-width: $screen-lg-min) {
+    text-align: right;
+  }
+}

app/assets/stylesheets/framework/variables.scss

@@ -71,8 +71,7 @@ $gl-avatar-size: 40px;
 $error-exclamation-point: #e62958;
 $border-radius-default: 2px;
 $btn-transparent-color: #8f8f8f;
-$ssh-key-icon-color: #8f8f8f;
-$ssh-key-icon-size: 18px;
+$settings-icon-size: 18px;
 $provider-btn-group-border: #e5e5e5;
 $provider-btn-not-active-color: #4688f1;
 
@@ -168,8 +167,12 @@ $line-removed: #fbe9eb;
 $line-removed-dark: #fac5cd;
 $line-number-old: #f9d7dc;
 $line-number-new: #ddfbe6;
+$line-number-select: #fbf2da;
 $match-line: #fafafa;
 $table-border-gray: #f0f0f0;
+$line-target-blue: #eaf3fc;
+$line-select-yellow: #fcf8e7;
+$line-select-yellow-dark: #f0e2bd;
 /*
  * Fonts
  */
@@ -179,7 +182,6 @@ $regular_font: 'Source Sans Pro', "Helvetica Neue", Helvetica, Arial, sans-serif
 /*
 * Dropdowns
 */
-$dropdown-border-radius: 2px;
 $dropdown-width: 300px;
 $dropdown-bg: #fff;
 $dropdown-link-color: #555;

app/assets/stylesheets/highlight/monokai.scss

@@ -111,8 +111,6 @@
   .vg { color: #f8f8f2 } /* Name.Variable.Global */
   .vi { color: #f8f8f2 } /* Name.Variable.Instance */
   .il { color: #ae81ff } /* Literal.Number.Integer.Long */
-
-  .gh { } /* Generic Heading & Diff Header */
   .gu { color: #75715e; } /* Generic.Subheading & Diff Unified/Comment? */
   .gd { color: #f92672; } /* Generic.Deleted & Diff Deleted */
   .gi { color: #a6e22e; } /* Generic.Inserted & Diff Inserted */

app/assets/stylesheets/highlight/white.scss

@@ -21,11 +21,6 @@
 
   // Diff line
   .line_holder {
-    td.diff-line-num.hll:not(.empty-cell),
-    td.line_content.hll:not(.empty-cell) {
-      background-color: #f8eec7;
-      border-color: darken(#f8eec7, 15%);
-    }
 
     .diff-line-num {
       &.old {
@@ -37,11 +32,16 @@
         background-color: $line-number-new;
         border-color: $line-added-dark;
       }
+
+      &.hll:not(.empty-cell) {
+        background-color: $line-number-select;
+        border-color: $line-select-yellow-dark;
+      }
     }
 
     .line_content {
       &.old {
-        background: $line-removed;
+        background-color: $line-removed;
 
         span.idiff {
           background-color: $line-removed-dark;
@@ -58,7 +58,11 @@
 
       &.match {
         color: $black-transparent;
-        background: $match-line;
+        background-color: $match-line;
+      }
+
+      &.hll:not(.empty-cell) {
+        background-color: $line-select-yellow;
       }
     }
   }

app/assets/stylesheets/pages/confirmation.scss

+.well-confirmation {
+  margin-bottom: 20px;
+  border-bottom: 1px solid #eee;
+
+  > h1 {
+    font-weight: 400;
+  }
+
+  .lead {
+    margin-bottom: 20px;
+  }
+}
+
+.confirmation-content {
+  a {
+    color: $md-link-color;
+  }
+}

app/assets/stylesheets/pages/detail_page.scss

@@ -40,6 +40,7 @@
   .wiki {
     code {
       white-space: pre-wrap;
+      word-break: keep-all;
     }
   }
 }

app/assets/stylesheets/pages/diff.scss

@@ -98,7 +98,11 @@
       }
 
       td.line_content.parallel {
-        width: 50%;
+        width: 46%;
+      }
+
+      .add-diff-note {
+        margin-left: -65px;
       }
     }
 
@@ -127,8 +131,13 @@
       margin: 0;
       padding: 0 0.5em;
       border: none;
+
       &.parallel {
         display: table-cell;
+
+        span {
+          word-break: break-all;
+        }
       }
     }
 

app/assets/stylesheets/pages/graph.scss

@@ -18,9 +18,6 @@
 }
 
 .graphs {
-  .graph-author-commits-count {
-  }
-
   .graph-author-email {
     float: right;
     color: #777;

app/assets/stylesheets/pages/help.scss

@@ -55,25 +55,6 @@
   }
 }
 
-.modal-body {
-  position: relative;
-  overflow-y: auto;
-  padding: 15px;
-
-  .form-actions {
-    margin: -$gl-padding+1;
-    margin-top: 15px;
-  }
-}
-
-body.modal-open {
-  overflow: hidden;
-}
-
-.modal .modal-dialog {
-  width: 860px;
-}
-
 .documentation {
   padding: 7px;
 }

app/assets/stylesheets/pages/issuable.scss

@@ -249,6 +249,10 @@
       background: $gray-dark;
       border: 1px solid $border-gray-dark;
     }
+
+    &.btn-primary {
+      @extend .btn-primary
+    }
   }
 
   a:not(.issuable-pager) {

app/assets/stylesheets/pages/notes.scss

@@ -109,6 +109,10 @@ ul.notes {
           border-color: darken(#f5f5f5, 8%);
           margin: 10px 0;
         }
+
+        code {
+          word-break: keep-all;
+        }
       }
 
       a {
@@ -183,6 +187,9 @@ ul.notes {
     }
   }
 
+  .author_link {
+    color: $gl-gray;
+  }
 }
 
 .note-headline-light,
@@ -208,7 +215,7 @@ ul.notes {
 }
 
 .discussion-actions {
-  @media (max-width: $screen-sm-max) {
+  @media (max-width: $screen-md-max) {
     float: none;
     margin-left: 0;
 

app/assets/stylesheets/pages/profile.scss

@@ -18,7 +18,8 @@
 }
 
 .account-btn-link,
-.profile-settings-sidebar a {
+.profile-settings-sidebar a,
+.settings-sidebar a {
   color: $md-link-color;
 }
 
@@ -123,12 +124,6 @@
   }
 }
 
-.key-icon {
-  color: $ssh-key-icon-color;
-  font-size: $ssh-key-icon-size;
-  line-height: 42px;
-}
-
 .key-created-at {
   line-height: 42px;
 }
@@ -180,14 +175,6 @@
   }
 }
 
-.profile-settings-message {
-  line-height: 32px;
-  color: $warning-message-color;
-  background-color: $warning-message-bg;
-  border: 1px solid $warning-message-border;
-  border-radius: $border-radius-base;
-}
-
 .oauth-applications {
   form {
     display: inline-block;

app/assets/stylesheets/pages/projects.scss

@@ -202,8 +202,31 @@
   min-width: 200px;
 }
 
-.deploy-project-label {
-  margin: 1px;
+.deploy-key-content {
+  @media (min-width: $screen-sm-min) {
+    float: left;
+
+    &:last-child {
+      float: right;
+    }
+  }
+}
+
+.deploy-key-projects {
+  @media (min-width: $screen-sm-min) {
+    line-height: 42px;
+  }
+}
+
+a.deploy-project-label {
+  padding: 5px;
+  margin-right: 5px;
+  color: $gl-gray;
+  background-color: $row-hover;
+
+  &:hover {
+    color: $gl-link-color;
+  }
 }
 
 .vs-public {
@@ -256,12 +279,6 @@
   }
 }
 
-table.table.protected-branches-list tr.no-border {
-  th, td {
-    border: 0;
-  }
-}
-
 .project-import .btn {
   float: left;
   margin-right: 10px;
@@ -474,3 +491,14 @@ pre.light-well {
     color: #fff;
   }
 }
+
+.protected-branches-list {
+  a {
+    color: $gl-gray;
+    font-weight: 600;
+
+    &:hover {
+      color: $gl-link-color;
+    }
+  }
+}

app/assets/stylesheets/pages/search.scss

@@ -10,17 +10,6 @@
   }
 }
 
-.search-holder {
-  max-width: 600px;
-  margin: 0 auto;
-  margin-bottom: 20px;
-
-  input {
-    border-color: #bbb;
-    font-weight: bold;
-  }
-}
-
 .search {
   margin-right: 10px;
   margin-left: 10px;
@@ -159,7 +148,85 @@
 
   &.has-location-badge {
     .search-input-wrap {
-      width: 78%;
+      width: 68%;
     }
   }
 }
+
+.search-holder {
+  @media (min-width: $screen-sm-min) {
+    display: -webkit-flex;
+    display: -ms-flexbox;
+    display: flex;
+  }
+
+  .search-field-holder {
+    -webkit-flex: 1 0 auto;
+    -ms-flex: 1 0 auto;
+    flex: 1 0 auto;
+    position: relative;
+    margin-right: 0;
+
+    @media (min-width: $screen-sm-min) {
+      margin-right: 5px;
+    }
+  }
+
+  .search-icon {
+    position: absolute;
+    left: 10px;
+    top: 10px;
+    color: $gray-darkest;
+    pointer-events: none;
+  }
+
+  .search-text-input {
+    padding-left: $gl-padding + 15px;
+    padding-right: $gl-padding + 15px;
+  }
+
+  .btn-search {
+    width: 100%;
+    margin-top: 5px;
+
+    @media (min-width: $screen-sm-min) {
+      width: auto;
+      margin-top: 0;
+      margin-left: 5px;
+    }
+  }
+
+  .dropdown {
+    @media (min-width: $screen-sm-min) {
+      margin-left: 5px;
+      margin-right: 5px;
+    }
+  }
+
+  .dropdown-menu-toggle {
+    width: 100%;
+    margin-top: 5px;
+
+    @media (min-width: $screen-sm-min) {
+      width: 160px;
+      margin-top: 0;
+    }
+  }
+}
+
+.search-clear {
+  position: absolute;
+  right: 10px;
+  top: 10px;
+  padding: 0;
+  color: $gray-darkest;
+  line-height: 0;
+  background: none;
+  border: 0;
+
+  &:hover,
+  &:focus {
+    color: $gl-link-color;
+    outline: none;
+  }
+}

app/assets/stylesheets/pages/settings.scss

+.settings-list-icon {
+  color: $gl-placeholder-color;
+  font-size: $settings-icon-size;
+  line-height: 42px;
+}
+
+.settings-message {
+  padding: 5px;
+  line-height: 1.3;
+  color: $warning-message-color;
+  background-color: $warning-message-bg;
+  border: 1px solid $warning-message-border;
+  border-radius: $border-radius-base;
+}

app/controllers/admin/application_controller.rb

@@ -6,12 +6,6 @@ class Admin::ApplicationController < ApplicationController
   layout 'admin'
 
   def authenticate_admin!
-    return render_404 unless current_user.is_admin?
-  end
-
-  def authorize_impersonator!
-    if session[:impersonator_id]
-      User.find_by!(username: session[:impersonator_id]).admin?
-    end
+    render_404 unless current_user.is_admin?
   end
 end

app/controllers/admin/hooks_controller.rb

@@ -39,6 +39,12 @@ class Admin::HooksController < Admin::ApplicationController
   end
 
   def hook_params
-    params.require(:hook).permit(:url, :enable_ssl_verification, :push_events, :tag_push_events)
+    params.require(:hook).permit(
+      :enable_ssl_verification,
+      :push_events,
+      :tag_push_events,
+      :token,
+      :url
+    )
   end
 end

app/controllers/admin/impersonation_controller.rb

-class Admin::ImpersonationController < Admin::ApplicationController
-  skip_before_action :authenticate_admin!, only: :destroy
-
-  before_action :user
-  before_action :authorize_impersonator!
-
-  def create
-    if @user.blocked?
-      flash[:alert] = "You cannot impersonate a blocked user"
-
-      redirect_to admin_user_path(@user)
-    else
-      session[:impersonator_id] = current_user.username
-      session[:impersonator_return_to] = admin_user_path(@user)
-
-      warden.set_user(user, scope: 'user')
-
-      flash[:alert] = "You are impersonating #{user.username}."
-
-      redirect_to root_path
-    end
-  end
-
-  def destroy
-    redirect = session[:impersonator_return_to]
-
-    warden.set_user(user, scope: 'user')
-
-    session[:impersonator_return_to] = nil
-    session[:impersonator_id] = nil
-
-    redirect_to redirect || root_path
-  end
-
-  def user
-    @user ||= User.find_by!(username: params[:id] || session[:impersonator_id])
-  end
-end

app/controllers/admin/impersonations_controller.rb

+class Admin::ImpersonationsController < Admin::ApplicationController
+  skip_before_action :authenticate_admin!
+  before_action :authenticate_impersonator!
+
+  def destroy
+    original_user = current_user
+
+    warden.set_user(impersonator, scope: :user)
+
+    session[:impersonator_id] = nil
+
+    redirect_to admin_user_path(original_user)
+  end
+
+  private
+
+  def impersonator
+    @impersonator ||= User.find(session[:impersonator_id]) if session[:impersonator_id]
+  end
+
+  def authenticate_impersonator!
+    render_404 unless impersonator && impersonator.is_admin? && !impersonator.blocked?
+  end
+end

app/controllers/admin/users_controller.rb

@@ -31,6 +31,22 @@ class Admin::UsersController < Admin::ApplicationController
     user
   end
 
+  def impersonate
+    if user.blocked?
+      flash[:alert] = "You cannot impersonate a blocked user"
+
+      redirect_to admin_user_path(user)
+    else
+      session[:impersonator_id] = current_user.id
+
+      warden.set_user(user, scope: :user)
+
+      flash[:alert] = "You are now impersonating #{user.username}"
+
+      redirect_to root_path
+    end
+  end
+
   def block
     if user.block
       redirect_back_or_admin_user(notice: "Successfully blocked")

app/controllers/concerns/filter_projects.rb

@@ -10,6 +10,8 @@ module FilterProjects
   def filter_projects(projects)
     projects = projects.search(params[:filter_projects]) if params[:filter_projects].present?
     projects = projects.non_archived if params[:archived].blank?
+    projects = projects.personal(current_user) if params[:personal].present? && current_user
+
     projects
   end
 end

app/controllers/confirmations_controller.rb

 class ConfirmationsController < Devise::ConfirmationsController
 
+  def almost_there
+    flash[:notice] = nil
+    render layout: "devise_empty"
+  end
+
   protected
 
+  def after_resending_confirmation_instructions_path_for(resource)
+    users_almost_there_path
+  end
+
   def after_confirmation_path_for(resource_name, resource)
     if signed_in?(resource_name)
       after_sign_in_path_for(resource)

app/controllers/projects/application_controller.rb

@@ -83,8 +83,7 @@ class Projects::ApplicationController < ApplicationController
   end
 
   def apply_diff_view_cookie!
-    view = params[:view] || cookies[:diff_view]
-    cookies.permanent[:diff_view] = params[:view] = view if view
+    cookies.permanent[:diff_view] = params.delete(:view) if params[:view].present?
   end
 
   def builds_enabled

app/controllers/projects/deploy_keys_controller.rb

@@ -7,31 +7,24 @@ class Projects::DeployKeysController < Projects::ApplicationController
   layout "project_settings"
 
   def index
-    @enabled_keys = @project.deploy_keys
-
-    @available_keys         = accessible_keys - @enabled_keys
-    @available_project_keys = current_user.project_deploy_keys - @enabled_keys
-    @available_public_keys  = DeployKey.are_public - @enabled_keys
-
-    # Public keys that are already used by another accessible project are already
-    # in @available_project_keys.
-    @available_public_keys -= @available_project_keys
+    @key = DeployKey.new
+    set_index_vars
   end
 
   def new
-    @key = @project.deploy_keys.new
-
-    respond_with(@key)
+    redirect_to namespace_project_deploy_keys_path(@project.namespace,
+                                                   @project)
   end
 
   def create
     @key = DeployKey.new(deploy_key_params)
+    set_index_vars
 
     if @key.valid? && @project.deploy_keys << @key
       redirect_to namespace_project_deploy_keys_path(@project.namespace,
                                                      @project)
     else
-      render "new"
+      render "index"
     end
   end
 
@@ -51,6 +44,18 @@ class Projects::DeployKeysController < Projects::ApplicationController
 
   protected
 
+  def set_index_vars
+    @enabled_keys ||= @project.deploy_keys
+
+    @available_keys         ||= accessible_keys - @enabled_keys
+    @available_project_keys ||= current_user.project_deploy_keys - @enabled_keys
+    @available_public_keys  ||= DeployKey.are_public - @enabled_keys
+
+    # Public keys that are already used by another accessible project are already
+    # in @available_project_keys.
+    @available_public_keys -= @available_project_keys
+  end
+
   def accessible_keys
     @accessible_keys ||= current_user.accessible_deploy_keys
   end

app/controllers/projects/hooks_controller.rb

@@ -52,8 +52,16 @@ class Projects::HooksController < Projects::ApplicationController
   end
 
   def hook_params
-    params.require(:hook).permit(:url, :push_events, :issues_events,
-      :merge_requests_events, :tag_push_events, :note_events,
-      :build_events, :enable_ssl_verification)
+    params.require(:hook).permit(
+      :build_events,
+      :enable_ssl_verification,
+      :issues_events,
+      :merge_requests_events,
+      :note_events,
+      :push_events,
+      :tag_push_events,
+      :token,
+      :url
+    )
   end
 end

app/controllers/projects/issues_controller.rb

@@ -3,8 +3,8 @@ class Projects::IssuesController < Projects::ApplicationController
   include IssuableActions
 
   before_action :module_enabled
-  before_action :issue,
-    only: [:edit, :update, :show, :referenced_merge_requests, :related_branches]
+  before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
+                               :related_branches, :can_create_branch]
 
   # Allow read any issue
   before_action :authorize_read_issue!, only: [:show]
@@ -96,12 +96,13 @@ class Projects::IssuesController < Projects::ApplicationController
 
     if params[:move_to_project_id].to_i > 0
       new_project = Project.find(params[:move_to_project_id])
+      return render_404 unless issue.can_move?(current_user, new_project)
+
       move_service = Issues::MoveService.new(project, current_user)
       @issue = move_service.execute(@issue, new_project)
     end
 
     respond_to do |format|
-      format.js
       format.html do
         if @issue.valid?
           redirect_to issue_path(@issue)
@@ -110,7 +111,7 @@ class Projects::IssuesController < Projects::ApplicationController
         end
       end
       format.json do
-        render json: @issue.to_json(include: [:milestone, :labels, assignee: { methods: :avatar_url }])
+        render json: @issue.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } })
       end
     end
   end
@@ -140,6 +141,18 @@ class Projects::IssuesController < Projects::ApplicationController
     end
   end
 
+  def can_create_branch
+    can_create = current_user &&
+      can?(current_user, :push_code, @project) &&
+      @issue.can_be_worked_on?(current_user)
+
+    respond_to do |format|
+      format.json do
+        render json: { can_create_branch: can_create }
+      end
+    end
+  end
+
   def bulk_update
     result = Issues::BulkUpdateService.new(project, current_user, bulk_update_params).execute
     redirect_back_or_default(default: { action: 'index' }, options: { notice: "#{result[:count]} issues updated" })

app/controllers/projects/merge_requests_controller.rb

@@ -149,13 +149,12 @@ class Projects::MergeRequestsController < Projects::ApplicationController
 
     if @merge_request.valid?
       respond_to do |format|
-        format.js
         format.html do
           redirect_to([@merge_request.target_project.namespace.becomes(Namespace),
                        @merge_request.target_project, @merge_request])
         end
         format.json do
-          render json: @merge_request.to_json(include: [:milestone, :labels, assignee: { methods: :avatar_url }])
+          render json: @merge_request.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } })
         end
       end
     else

app/controllers/projects/wikis_controller.rb

@@ -40,10 +40,10 @@ class Projects::WikisController < Projects::ApplicationController
   end
 
   def update
-    @page = @project_wiki.find_page(params[:id])
-
     return render('empty') unless can?(current_user, :create_wiki, @project)
 
+    @page = @project_wiki.find_page(params[:id])
+
     if @page = WikiPages::UpdateService.new(@project, current_user, wiki_params).execute(@page)
       redirect_to(
         namespace_project_wiki_path(@project.namespace, @project, @page),

app/controllers/registrations_controller.rb

@@ -31,11 +31,11 @@ class RegistrationsController < Devise::RegistrationsController
   end
 
   def after_sign_up_path_for(_resource)
-    new_user_session_path
+    users_almost_there_path
   end
 
   def after_inactive_sign_up_path_for(_resource)
-    new_user_session_path
+    users_almost_there_path
   end
 
   private

app/controllers/search_controller.rb

@@ -8,8 +8,6 @@ class SearchController < ApplicationController
   def show
     return if params[:search].nil? || params[:search].blank?
 
-    @search_term = params[:search]
-
     if params[:project_id].present?
       @project = Project.find_by(id: params[:project_id])
       @project = nil unless can?(current_user, :download_code, @project)
@@ -20,6 +18,8 @@ class SearchController < ApplicationController
       @group = nil unless can?(current_user, :read_group, @group)
     end
 
+    @search_term = params[:search]
+
     @scope = params[:scope]
     @show_snippets = params[:snippets].eql? 'true'
 
@@ -44,7 +44,7 @@ class SearchController < ApplicationController
         Search::GlobalService.new(current_user, params).execute
       end
 
-    @objects = @search_results.objects(@scope, params[:page])
+    @search_objects = @search_results.objects(@scope, params[:page])
   end
 
   def autocomplete

app/finders/issuable_finder.rb

@@ -278,9 +278,7 @@ class IssuableFinder
       end
     end
 
-    # When filtering by multiple labels we may end up duplicating issues (if one
-    # has multiple labels). This ensures we only return unique issues.
-    items.distinct
+    items
   end
 
   def by_due_date(items)

app/finders/snippets_finder.rb

@@ -51,7 +51,7 @@ class SnippetsFinder
     snippets = project.snippets.fresh
 
     if current_user
-      if project.team.member?(current_user.id)
+      if project.team.member?(current_user.id) || current_user.admin?
         snippets
       else
         snippets.public_and_internal

app/helpers/blob_helper.rb

@@ -3,8 +3,8 @@ module BlobHelper
     Gitlab::Highlight.new(blob_name, blob_content, nowrap: nowrap)
   end
 
-  def highlight(blob_name, blob_content, nowrap: false)
-    Gitlab::Highlight.highlight(blob_name, blob_content, nowrap: nowrap)
+  def highlight(blob_name, blob_content, nowrap: false, plain: false)
+    Gitlab::Highlight.highlight(blob_name, blob_content, nowrap: nowrap, plain: plain)
   end
 
   def no_highlight_files

app/helpers/ci_badge_helper.rb

-module CiBadgeHelper
-  def markdown_badge_code(project, ref)
-    url = status_ci_project_url(project, ref: ref, format: 'png')
-    link = namespace_project_commits_path(project.namespace, project, ref)
-    "[![build status](#{url})](#{link})"
-  end
-
-  def html_badge_code(project, ref)
-    url = status_ci_project_url(project, ref: ref, format: 'png')
-    link = namespace_project_commits_path(project.namespace, project, ref)
-    "<a href='#{link}'><img src='#{url}' /></a>"
-  end
-end

app/helpers/diff_helper.rb

@@ -9,7 +9,13 @@ module DiffHelper
   end
 
   def diff_view
-    params[:view] == 'parallel' ? 'parallel' : 'inline'
+    diff_views = %w(inline parallel)
+
+    if diff_views.include?(cookies[:diff_view])
+      cookies[:diff_view]
+    else
+      diff_views.first
+    end
   end
 
   def diff_hard_limit_enabled?
@@ -17,7 +23,7 @@ module DiffHelper
   end
 
   def diff_options
-    options = { ignore_whitespace_change: params[:w] == '1' }
+    options = { ignore_whitespace_change: hide_whitespace? }
     if diff_hard_limit_enabled?
       options.merge!(Commit.max_diff_options)
     end
@@ -122,4 +128,31 @@ module DiffHelper
       title
     end
   end
+
+  def commit_diff_whitespace_link(project, commit, options)
+    url = namespace_project_commit_path(project.namespace, project, commit.id, params_with_whitespace)
+    toggle_whitespace_link(url, options)
+  end
+
+  def diff_merge_request_whitespace_link(project, merge_request, options)
+    url = diffs_namespace_project_merge_request_path(project.namespace, project, merge_request, params_with_whitespace)
+    toggle_whitespace_link(url, options)
+  end
+
+  private
+
+  def hide_whitespace?
+    params[:w] == '1'
+  end
+
+  def params_with_whitespace
+    hide_whitespace? ? request.query_parameters.except(:w) : request.query_parameters.merge(w: 1)
+  end
+
+  def toggle_whitespace_link(url, options)
+    options[:class] ||= ''
+    options[:class] << ' btn btn-default'
+
+    link_to "#{hide_whitespace? ? 'Show' : 'Hide'} whitespace changes", url, class: options[:class]
+  end
 end

app/helpers/issues_helper.rb

@@ -16,31 +16,49 @@ module IssuesHelper
   def url_for_project_issues(project = @project, options = {})
     return '' if project.nil?
 
-    if options[:only_path]
-      project.issues_tracker.project_path
-    else
-      project.issues_tracker.project_url
-    end
+    url =
+      if options[:only_path]
+        project.issues_tracker.project_path
+      else
+        project.issues_tracker.project_url
+      end
+
+    # Ensure we return a valid URL to prevent possible XSS.
+    URI.parse(url).to_s
+  rescue URI::InvalidURIError
+    ''
   end
 
   def url_for_new_issue(project = @project, options = {})
     return '' if project.nil?
 
-    if options[:only_path]
-      project.issues_tracker.new_issue_path
-    else
-      project.issues_tracker.new_issue_url
-    end
+    url =
+      if options[:only_path]
+        project.issues_tracker.new_issue_path
+      else
+        project.issues_tracker.new_issue_url
+      end
+
+    # Ensure we return a valid URL to prevent possible XSS.
+    URI.parse(url).to_s
+  rescue URI::InvalidURIError
+    ''
   end
 
   def url_for_issue(issue_iid, project = @project, options = {})
     return '' if project.nil?
 
-    if options[:only_path]
-      project.issues_tracker.issue_path(issue_iid)
-    else
-      project.issues_tracker.issue_url(issue_iid)
-    end
+    url =
+      if options[:only_path]
+        project.issues_tracker.issue_path(issue_iid)
+      else
+        project.issues_tracker.issue_url(issue_iid)
+      end
+
+    # Ensure we return a valid URL to prevent possible XSS.
+    URI.parse(url).to_s
+  rescue URI::InvalidURIError
+    ''
   end
 
   def bulk_update_milestone_options

app/helpers/labels_helper.rb

@@ -37,7 +37,7 @@ module LabelsHelper
     link = send("namespace_project_#{type.to_s.pluralize}_path",
                 project.namespace,
                 project,
-                label_name: label.name)
+                label_name: [label.name])
 
     if block_given?
       link_to link, &block

app/helpers/projects_helper.rb

@@ -123,6 +123,18 @@ module ProjectsHelper
     end
   end
 
+  def license_short_name(project)
+    no_license_key = project.repository.license_key.nil? ||
+      # Back-compat if cache contains 'no-license', can be removed in a few weeks
+      project.repository.license_key == 'no-license'
+
+    return 'LICENSE' if no_license_key
+
+    license = Licensee::License.new(project.repository.license_key)
+
+    license.nickname || license.name
+  end
+
   private
 
   def get_project_nav_tabs(project, current_user)
@@ -320,14 +332,6 @@ module ProjectsHelper
     @ref || @repository.try(:root_ref)
   end
 
-  def license_short_name(project)
-    license = Licensee::License.new(project.repository.license_key)
-
-    license.nickname || license.name
-  end
-
-  private
-
   def filename_path(project, filename)
     if project && blob = project.repository.send(filename)
       namespace_project_blob_path(

app/helpers/search_helper.rb

@@ -19,6 +19,16 @@ module SearchHelper
     end
   end
 
+  def search_entries_info(collection, scope, term)
+    return unless collection.count > 0
+
+    from = collection.offset_value + 1
+    to = collection.offset_value + collection.length
+    count = collection.total_count
+
+    "Showing #{from} - #{to} of #{count} #{scope.humanize(capitalize: false)} for \"#{term}\""
+  end
+
   private
 
   # Autocomplete results for various settings pages

app/mailers/emails/notes.rb

@@ -28,6 +28,14 @@ module Emails
       mail_answer_thread(@merge_request, note_thread_options(recipient_id))
     end
 
+    def note_snippet_email(recipient_id, note_id)
+      setup_note_mail(note_id, recipient_id)
+
+      @snippet = @note.noteable
+      @target_url = namespace_project_snippet_url(*note_target_url_options)
+      mail_answer_thread(@snippet, note_thread_options(recipient_id))
+    end
+
     private
 
     def note_target_url_options

app/models/blob.rb

@@ -19,6 +19,14 @@ class Blob < SimpleDelegator
     new(blob)
   end
 
+  def no_highlighting?
+    size && size > 1.megabyte
+  end
+
+  def only_display_raw?
+    size && size > 5.megabytes
+  end
+
   def svg?
     text? && language && language.name == 'SVG'
   end

app/models/concerns/milestoneish.rb

@@ -8,7 +8,7 @@ module Milestoneish
   end
 
   def complete?(user = nil)
-    total_items_count(user) == closed_items_count(user)
+    total_items_count(user) > 0 && total_items_count(user) == closed_items_count(user)
   end
 
   def percent_complete(user = nil)

app/models/concerns/statuseable.rb

@@ -18,7 +18,7 @@ module Statuseable
         WHEN (#{builds})=0 THEN NULL
         WHEN (#{builds})=(#{success})+(#{ignored}) THEN 'success'
         WHEN (#{builds})=(#{pending}) THEN 'pending'
-        WHEN (#{builds})=(#{canceled}) THEN 'canceled'
+        WHEN (#{builds})=(#{canceled})+(#{success})+(#{ignored}) THEN 'canceled'
         WHEN (#{builds})=(#{skipped}) THEN 'skipped'
         WHEN (#{running})+(#{pending})>0 THEN 'running'
         ELSE 'failed'

app/models/event.rb

@@ -345,7 +345,7 @@ class Event < ActiveRecord::Base
   end
 
   def reset_project_activity
-    if project
+    if project && Gitlab::ExclusiveLease.new("project:update_last_activity_at:#{project.id}", timeout: 60).try_obtain
       project.update_column(:last_activity_at, self.created_at)
     end
   end

app/models/hooks/project_hook.rb

@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 
 class ProjectHook < WebHook

app/models/hooks/service_hook.rb

@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 
 class ServiceHook < WebHook

app/models/hooks/system_hook.rb

@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 
 class SystemHook < WebHook

app/models/hooks/web_hook.rb

@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 
 class WebHook < ActiveRecord::Base
@@ -43,23 +44,17 @@ class WebHook < ActiveRecord::Base
     if parsed_url.userinfo.blank?
       response = WebHook.post(url,
                               body: data.to_json,
-                              headers: {
-                                  "Content-Type" => "application/json",
-                                  "X-Gitlab-Event" => hook_name.singularize.titleize
-                              },
+                              headers: build_headers(hook_name),
                               verify: enable_ssl_verification)
     else
-      post_url = url.gsub("#{parsed_url.userinfo}@", "")
+      post_url = url.gsub("#{parsed_url.userinfo}@", '')
       auth = {
         username: CGI.unescape(parsed_url.user),
         password: CGI.unescape(parsed_url.password),
       }
       response = WebHook.post(post_url,
                               body: data.to_json,
-                              headers: {
-                                  "Content-Type" => "application/json",
-                                  "X-Gitlab-Event" => hook_name.singularize.titleize
-                              },
+                              headers: build_headers(hook_name),
                               verify: enable_ssl_verification,
                               basic_auth: auth)
     end
@@ -73,4 +68,15 @@ class WebHook < ActiveRecord::Base
   def async_execute(data, hook_name)
     Sidekiq::Client.enqueue(ProjectWebHookWorker, id, data, hook_name)
   end
+
+  private
+
+  def build_headers(hook_name)
+    headers = {
+      'Content-Type' => 'application/json',
+      'X-Gitlab-Event' => hook_name.singularize.titleize
+    }
+    headers['X-Gitlab-Token'] = token if token.present?
+    headers
+  end
 end

app/models/project.rb

@@ -735,19 +735,17 @@ class Project < ActiveRecord::Base
   end
 
   def open_branches
-    all_branches = repository.branches
+    # We're using a Set here as checking values in a large Set is faster than
+    # checking values in a large Array.
+    protected_set = Set.new(protected_branch_names)
 
-    if protected_branches.present?
-      all_branches.reject! do |branch|
-        protected_branches_names.include?(branch.name)
-      end
+    repository.branches.reject do |branch|
+      protected_set.include?(branch.name)
     end
-
-    all_branches
   end
 
-  def protected_branches_names
-    @protected_branches_names ||= protected_branches.map(&:name)
+  def protected_branch_names
+    @protected_branch_names ||= protected_branches.pluck(:name)
   end
 
   def root_ref?(branch)
@@ -764,7 +762,7 @@ class Project < ActiveRecord::Base
 
   # Check if current branch name is marked as protected in the system
   def protected_branch?(branch_name)
-    protected_branches_names.include?(branch_name)
+    protected_branches.where(name: branch_name).any?
   end
 
   def developers_can_push_to_protected_branch?(branch_name)
@@ -820,13 +818,11 @@ class Project < ActiveRecord::Base
     wiki = Repository.new("#{old_path}.wiki", self)
 
     if repo.exists?
-      repo.expire_cache
-      repo.expire_emptiness_caches
+      repo.before_delete
     end
 
     if wiki.exists?
-      wiki.expire_cache
-      wiki.expire_emptiness_caches
+      wiki.before_delete
     end
   end
 
@@ -903,6 +899,7 @@ class Project < ActiveRecord::Base
     repository.rugged.references.create('HEAD',
                                         "refs/heads/#{branch}",
                                         force: true)
+    repository.copy_gitattributes(branch)
     reload_default_branch
   end
 

app/models/project_services/buildkite_service.rb

@@ -26,7 +26,7 @@ class BuildkiteService < CiService
 
   prop_accessor :project_url, :token, :enable_ssl_verification
 
-  validates :project_url, presence: true, if: :activated?
+  validates :project_url, presence: true, url: true, if: :activated?
   validates :token, presence: true, if: :activated?
 
   after_save :compose_service_hook, if: :activated?
@@ -91,7 +91,7 @@ class BuildkiteService < CiService
       { type: 'text',
         name: 'project_url',
         placeholder: "#{ENDPOINT}/example/project" },
-      
+
       { type: 'checkbox',
         name: 'enable_ssl_verification',
         title: "Enable SSL verification" }

app/models/project_services/issue_tracker_service.rb

@@ -21,7 +21,7 @@
 
 class IssueTrackerService < Service
 
-  validates :project_url, :issues_url, :new_issue_url, presence: true, if: :activated?
+  validates :project_url, :issues_url, :new_issue_url, presence: true, url: true, if: :activated?
 
   default_value_for :category, 'issue_tracker'
 

app/models/project_services/jira_service.rb

@@ -28,6 +28,8 @@ class JiraService < IssueTrackerService
   prop_accessor :username, :password, :api_url, :jira_issue_transition_id,
                 :title, :description, :project_url, :issues_url, :new_issue_url
 
+  validates :api_url, presence: true, url: true, if: :activated?
+
   before_validation :set_api_url, :set_jira_issue_transition_id
 
   before_update :reset_password

app/models/project_services/slack_service.rb

@@ -22,7 +22,7 @@
 class SlackService < Service
   prop_accessor :webhook, :username, :channel
   boolean_accessor :notify_only_broken_builds
-  validates :webhook, presence: true, if: :activated?
+  validates :webhook, presence: true, url: true, if: :activated?
 
   def initialize_properties
     if properties.nil?

app/models/project_snippet.rb

@@ -22,4 +22,6 @@ class ProjectSnippet < Snippet
 
   # Scopes
   scope :fresh, -> { order("created_at DESC") }
+
+  participant :author, :notes
 end

app/models/repository.rb

@@ -457,7 +457,7 @@ class Repository
   def changelog
     cache.fetch(:changelog) do
       tree(:head).blobs.find do |file|
-        file.name =~ /\A(changelog|history)/i
+        file.name =~ /\A(changelog|history|changes|news)/i
       end
     end
   end
@@ -466,8 +466,8 @@ class Repository
     return nil if !exists? || empty?
 
     cache.fetch(:license_blob) do
-      if licensee_project.license
-        blob_at_branch(root_ref, licensee_project.matched_file.filename)
+      tree(:head).blobs.find do |file|
+        file.name =~ /\A(licen[sc]e|copying)(\..+|\z)/i
       end
     end
   end
@@ -476,7 +476,7 @@ class Repository
     return nil if !exists? || empty?
 
     cache.fetch(:license_key) do
-      licensee_project.license.try(:key) || 'no-license'
+      Licensee.license(path).try(:key)
     end
   end
 
@@ -938,6 +938,16 @@ class Repository
     raw_repository.ls_files(actual_ref)
   end
 
+  def copy_gitattributes(ref)
+    actual_ref = ref || root_ref
+    begin
+      raw_repository.copy_gitattributes(actual_ref)
+      true
+    rescue Gitlab::Git::Repository::InvalidRef
+      false
+    end
+  end
+
   def main_language
     return if empty? || rugged.head_unborn?
 
@@ -959,8 +969,4 @@ class Repository
   def cache
     @cache ||= RepositoryCache.new(path_with_namespace)
   end
-
-  def licensee_project
-    @licensee_project ||= Licensee.project(path)
-  end
 end

app/models/snippet.rb

@@ -112,6 +112,10 @@ class Snippet < ActiveRecord::Base
     visibility_level
   end
 
+  def no_highlighting?
+    content.lines.count > 1000
+  end
+
   class << self
     # Searches for snippets with a matching title or file name.
     #

app/models/user.rb

@@ -91,7 +91,7 @@ class User < ActiveRecord::Base
   devise :two_factor_backupable, otp_number_of_backup_codes: 10
   serialize :otp_backup_codes, JSON
 
-  devise :lockable, :async, :recoverable, :rememberable, :trackable,
+  devise :lockable, :recoverable, :rememberable, :trackable,
     :validatable, :omniauthable, :confirmable, :registerable
 
   attr_accessor :force_random_password

app/services/git_push_service.rb

@@ -42,7 +42,12 @@ class GitPushService < BaseService
       # Collect data for this git push
       @push_commits = @project.repository.commits_between(params[:oldrev], params[:newrev])
       process_commit_messages
+
+      # Update the bare repositories info/attributes file using the contents of the default branches
+      # .gitattributes file
+      update_gitattributes if is_default_branch?
     end
+
     # Update merge requests that may be affected by this push. A new branch
     # could cause the last commit of a merge request to change.
     update_merge_requests
@@ -54,6 +59,10 @@ class GitPushService < BaseService
     perform_housekeeping
   end
 
+  def update_gitattributes
+    @project.repository.copy_gitattributes(params[:ref])
+  end
+
   def update_main_language
     # Performance can be bad so for now only check main_language once
     # See https://gitlab.com/gitlab-org/gitlab-ce/issues/14937

app/services/issuable_base_service.rb

@@ -37,8 +37,9 @@ class IssuableBaseService < BaseService
   end
 
   def filter_params(issuable_ability_name = :issue)
-    params[:assignee_id]  = "" if params[:assignee_id] == IssuableFinder::NONE
-    params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
+    filter_assignee
+    filter_milestone
+    filter_labels
 
     ability = :"admin_#{issuable_ability_name}"
 
@@ -49,6 +50,29 @@ class IssuableBaseService < BaseService
     end
   end
 
+  def filter_assignee
+    if params[:assignee_id] == IssuableFinder::NONE
+      params[:assignee_id] = ''
+    end
+  end
+
+  def filter_milestone
+    milestone_id = params[:milestone_id]
+    return unless milestone_id
+
+    if milestone_id == IssuableFinder::NONE ||
+        project.milestones.find_by(id: milestone_id).nil?
+      params[:milestone_id] = ''
+    end
+  end
+
+  def filter_labels
+    return if params[:label_ids].to_a.empty?
+
+    params[:label_ids] =
+      project.labels.where(id: params[:label_ids]).pluck(:id)
+  end
+
   def update(issuable)
     change_state(issuable)
     filter_params

app/services/merge_requests/build_service.rb

@@ -7,6 +7,9 @@ module MergeRequests
       merge_request.can_be_created = false
       merge_request.compare_commits = []
       merge_request.source_project = project unless merge_request.source_project
+
+      merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
+
       merge_request.target_project ||= (project.forked_from_project || project)
       merge_request.target_branch ||= merge_request.target_project.default_branch
 

app/services/notes/create_service.rb

@@ -5,6 +5,8 @@ module Notes
       note.author = current_user
       note.system = false
 
+      return unless valid_project?(note)
+
       if note.save
         # Finish the harder work in the background
         NewNoteWorker.perform_in(2.seconds, note.id, params)
@@ -13,5 +15,14 @@ module Notes
 
       note
     end
+
+    private
+
+    def valid_project?(note)
+      return false unless project
+      return true if note.for_commit?
+
+      note.noteable.try(:project) == project
+    end
   end
 end

app/services/projects/transfer_service.rb

@@ -34,6 +34,8 @@ module Projects
           raise TransferError.new("Project with same path in target namespace already exists")
         end
 
+        project.expire_caches_before_rename(old_path)
+
         # Apply new namespace id and visibility level
         project.namespace = new_namespace
         project.visibility_level = new_namespace.visibility_level unless project.visibility_level_allowed_by_group?