Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ee into rebase-use-shared

.gitlab-ci.yml

@@ -87,4 +87,12 @@ flay:
   tags:
     - ruby
     - mysql
+
+bundler:audit:
+  script: 
+    - "bundle exec bundle-audit update"
+    - "bundle exec bundle-audit check"
+  tags:
+    - ruby
+    - mysql
   allow_failure: true

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.3.0 (unreleased)
+  - Fix: Assignee selector is empty when 'Unassigned' is selected (Jose Corcuera)
+
+v 8.2.1
+  - Forcefully update builds that didn't want to update with state machine
+  - Fix: saving GitLabCiService as Admin Template
 
 v 8.2.0
+v 8.0.1
+v 8.1.0 (unreleased)
+v 8.2.0 (unreleased)
+v 8.3.0 (unreleased)
+
+v 8.2.0
+  - Improved performance of finding projects and groups in various places
+  - Improved performance of rendering user profile pages and Atom feeds
+  - Fix grouping of contributors by email in graph.
+  - Improved performance of finding projects and groups in various places
+  - Improved performance of rendering user profile pages and Atom feeds
+  - Expose build artifacts path as config option
+  - Fix grouping of contributors by email in graph.
+  - Improved performance of finding issues with/without labels
   - Remove CSS property preventing hard tabs from rendering in Chromium 45 (Stan Hu)
   - Fix Drone CI service template not saving properly (Stan Hu)
   - Fix avatars not showing in Atom feeds and project issues when Gravatar disabled (Stan Hu)
@@ -10,6 +29,10 @@ v 8.2.0
   - Upgrade gitlab_git to 7.2.20 and rugged to 0.23.3 (Stan Hu)
   - Improved performance of finding users by one of their Email addresses
   - Add allow_failure field to commit status API (Stan Hu)
+  - Commits without .gitlab-ci.yml are marked as skipped
+  - Save detailed error when YAML syntax is invalid
+  - Since GitLab CI is enabled by default, remove enabling it by pushing .gitlab-ci.yml
+  - Added build artifacts
   - Improved performance of replacing references in comments
   - Show last project commit to default branch on project home page
   - Highlight comment based on anchor in URL
@@ -27,6 +50,7 @@ v 8.2.0
   - Allow to define cache in `.gitlab-ci.yml`
   - Fix: 500 error returned if destroy request without HTTP referer (Kazuki Shimizu)
   - Remove deprecated CI events from project settings page
+  - Improve personal snippet access workflow (Douglas Alexandre)
   - [API] Add ability to fetch the commit ID of the last commit that actually touched a file
   - Fix omniauth documentation setting for omnibus configuration (Jon Cairns)
   - Add "New file" link to dropdown on project page
@@ -34,6 +58,7 @@ v 8.2.0
   - Add "added", "modified" and "removed" properties to commit object in webhook
   - Rename "Back to" links to "Go to" because its not always a case it point to place user come from
   - Allow groups to appear in the search results if the group owner allows it
+  - Add email notification to former assignee upon unassignment (Adam Lieskovský)
   - New design for project graphs page
   - Remove deprecated dumped yaml file generated from previous job definitions
   - Fix incoming email config defaults
@@ -47,6 +72,9 @@ v 8.2.0
   - Fix trailing whitespace issue in merge request/issue title
   - Fix bug when milestone/label filter was empty for dashboard issues page
   - Add ability to create milestone in group projects from single form
+  - Add option to create merge request when editing/creating a file (Dirceu Tiegs)
+  - Prevent the last owner of a group from being able to delete themselves by 'adding' themselves as a master (James Lopez)
+  - Add Award Emoji to issue and merge request pages
 
 v 8.1.4
   - Fix bug where manually merged branches in a MR would end up with an empty diff (Stan Hu)
@@ -116,7 +144,6 @@ v 8.1.0
   - Show CI status on Your projects page and Starred projects page
   - Remove "Continuous Integration" page from dashboard
   - Add notes and SSL verification entries to hook APIs (Ben Boeckel)
-  - Added build artifacts
   - Fix grammar in admin area "labels" .nothing-here-block when no labels exist.
   - Move CI runners page to project settings area
   - Move CI variables page to project settings area

CHANGELOG-EE

@@ -8,6 +8,7 @@ v 8.2.0
   - Fix "Rebase onto master"
   - Ensure a comment is properly recorded in JIRA when a merge request is accepted
   - Allow groups to appear in the `Share with group` share if the group owner allows it
+  - Add option to mirror an upstream repository.
 
 v 8.1.4
   - Fix bug in JIRA integration which prevented merge requests from being accepted when using issue closing pattern
@@ -22,6 +23,7 @@ v 8.1.1
   - Removed, see 8.1.2
 
 v 8.1.0
+  - Add documentation for "Share project with group" API call
   - Added an issues template (Hannes Rosenögger)
   - Add documentation for "Share project with group" API call 
   - Abiliy to disable 'Share with Group' feature (via UI and API)
@@ -69,7 +71,7 @@ v 7.14.0
   - Fix importing projects from GitHub Enterprise Edition.
   - Automatic approver suggestions (based on an authority of the code)
   - Add support for Jenkins unstable status
-  - Automatic approver suggestions (based on an authority of the code)  
+  - Automatic approver suggestions (based on an authority of the code)
   - Support Kerberos ticket-based authentication for Git HTTP access
 
 v 7.13.3

CONTRIBUTING.md

@@ -10,7 +10,7 @@ By submitting code as an individual you agree to the [individual contributor lic
 
 ## Security vulnerability disclosure
 
-Please report suspected security vulnerabilities in private to support@gitlab.com, also see the [disclosure section on the GitLab.com website](http://about.gitlab.com/disclosure/). Please do NOT create publicly viewable issues for suspected security vulnerabilities.
+Please report suspected security vulnerabilities in private to support@gitlab.com, also see the [disclosure section on the GitLab.com website](https://about.gitlab.com/disclosure/). Please do NOT create publicly viewable issues for suspected security vulnerabilities.
 
 ## Closing policy for issues and merge requests
 
@@ -23,8 +23,8 @@ Issues and merge requests should be in English and contain appropriate language
 ## Helping others
 
 Please help other GitLab users when you can.
-The channnels people will reach out on can be found on the [getting help page](https://about.gitlab.com/getting-help/).
-Sign up for the mailinglist, answer GitLab questions on StackOverflow or respond in the irc channel.
+The channels people will reach out on can be found on the [getting help page](https://about.gitlab.com/getting-help/).
+Sign up for the mailinglist, answer GitLab questions on StackOverflow or respond in the IRC channel.
 You can also sign up on [CodeTriage](http://www.codetriage.com/gitlabhq/gitlabhq) to help with one issue every day.
 
 ## Issue tracker
@@ -35,7 +35,7 @@ The [GitLab CE issue tracker on GitLab.com](https://gitlab.com/gitlab-org/gitlab
 
 Do not use the issue tracker for feature requests. We have a specific [feature request forum](http://feedback.gitlab.com) for this purpose. Please keep feature requests as small and simple as possible, complex ones might be edited to make them small and simple.
 
-Please send a merge request with a tested solution or a merge request with a failing test instead of opening an issue if you can. If you're unsure where to post, post to the [mailing list](https://groups.google.com/forum/#!forum/gitlabhq) or [Stack Overflow](http://stackoverflow.com/questions/tagged/gitlab) first. There are a lot of helpful GitLab users there who may be able to help you quickly. If your particular issue turns out to be a bug, it will find its way from there.
+Please send a merge request with a tested solution or a merge request with a failing test instead of opening an issue if you can. If you're unsure where to post, post to the [mailing list](https://groups.google.com/forum/#!forum/gitlabhq) or [Stack Overflow](https://stackoverflow.com/questions/tagged/gitlab) first. There are a lot of helpful GitLab users there who may be able to help you quickly. If your particular issue turns out to be a bug, it will find its way from there.
 
 ### Issue tracker guidelines
 
@@ -59,7 +59,7 @@ We welcome merge requests with fixes and improvements to GitLab code, tests, and
 
 Merge requests can be filed either at [gitlab.com](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests) or [github.com](https://github.com/gitlabhq/gitlabhq/pulls).
 
-If you are new to GitLab development (or web development in general), search for the label `easyfix` ([gitlab.com](https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name=easyfix), [github](https://github.com/gitlabhq/gitlabhq/labels/easyfix)). Those are issues easy to fix, marked by the GitLab core-team. If you are unsure how to proceed but want to help, mention one of the core-team members to give you a hint.
+If you are new to GitLab development (or web development in general), search for the label `easyfix` ([GitLab.com](https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name=easyfix), [GitHub](https://github.com/gitlabhq/gitlabhq/labels/easyfix)). Those are issues easy to fix, marked by the GitLab core-team. If you are unsure how to proceed but want to help, mention one of the core-team members to give you a hint.
 
 To start with GitLab download the [GitLab Development Kit](https://gitlab.com/gitlab-org/gitlab-development-kit) and see [Development section](doc/development/README.md) in the help file.
 
@@ -72,7 +72,7 @@ If you can, please submit a merge request with the fix or improvements including
 1. Write [tests](https://gitlab.com/gitlab-org/gitlab-development-kit#running-the-tests) and code
 1. Add your changes to the [CHANGELOG](CHANGELOG)
 1. If you are changing the README, some documentation or other things which have no effect on the tests, add `[ci skip]` somewhere in the commit message
-1. If you have multiple commits please combine them into one commit by [squashing them](http://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
+1. If you have multiple commits please combine them into one commit by [squashing them](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
 1. Push the commit to your fork
 1. Submit a merge request (MR) to the master branch
 1. The MR title should describe the change you want to make
@@ -99,7 +99,7 @@ If you contribute to GitLab please know that changes involve more than just code
 We have the following [definition of done](http://guide.agilealliance.org/guide/definition-of-done.html).
 Please ensure you support the feature you contribute through all of these steps.
 
-1. Description explaning the relevancy (see following item)
+1. Description explaining the relevancy (see following item)
 1. Working and clean code that is commented where needed
 1. Unit and integration tests that pass on the CI server
 1. Documented in the /doc directory
@@ -163,7 +163,7 @@ If you add a dependency in GitLab (such as an operating system package) please c
 1.  [Markdown](http://www.cirosantilli.com/markdown-styleguide)
 1.  [Database Migrations](doc/development/migration_style_guide.md)
 1.  [Documentation styleguide](doc_styleguide.md)
-1.  Interface text should be written subjectively instead of objectively. It should be the gitlab core team addressing a person. It should be written in present time and never use past tense (has been/was). For example instead of "prohibited this user from being saved due to the following errors:" the text should be "sorry, we could not create your account because:". Also these [excellent writing guidelines](https://github.com/NARKOZ/guides#writing).
+1.  Interface text should be written subjectively instead of objectively. It should be the GitLab core team addressing a person. It should be written in present time and never use past tense (has been/was). For example instead of "prohibited this user from being saved due to the following errors:" the text should be "sorry, we could not create your account because:". Also these [excellent writing guidelines](https://github.com/NARKOZ/guides#writing).
 
 This is also the style used by linting tools such as [RuboCop](https://github.com/bbatsov/rubocop), [PullReview](https://www.pullreview.com/) and [Hound CI](https://houndci.com).
 
@@ -181,4 +181,4 @@ This code of conduct applies both within project spaces and in public spaces whe
 
 Instances of abusive, harassing, or otherwise unacceptable behavior can be reported by emailing contact@gitlab.com
 
-This Code of Conduct is adapted from the [Contributor Covenant](http:contributor-covenant.org), version 1.1.0, available at [http://contributor-covenant.org/version/1/1/0/](http://contributor-covenant.org/version/1/1/0/)
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.1.0, available at [http://contributor-covenant.org/version/1/1/0/](http://contributor-covenant.org/version/1/1/0/)

GITLAB_SHELL_VERSION

-2.6.6
+2.6.7

GITLAB_WORKHORSE

-0.4.1

GITLAB_WORKHORSE_VERSION

-0.3.1
+0.4.2

Gemfile

 source "https://rubygems.org"
 
-gem 'rails', '4.1.12'
+gem 'rails', '4.1.14'
 
 # Specify a sprockets version due to security issue
 # See https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
@@ -206,7 +206,7 @@ gem 'request_store',      '~> 1.2.0'
 gem 'select2-rails',      '~> 3.5.9'
 gem 'virtus',             '~> 1.0.1'
 
-gem "gitlab-license", "~> 0.0.2"
+gem "gitlab-license", "~> 0.0.4"
 
 group :development do
   gem "foreman"
@@ -265,6 +265,7 @@ group :development, :test do
   gem 'simplecov', '~> 0.10.0', require: false
   gem 'flog', require: false
   gem 'flay', require: false
+  gem 'bundler-audit', require: false
 
   gem 'benchmark-ips', require: false
 end

Gemfile.lock

@@ -4,25 +4,25 @@ GEM
     CFPropertyList (2.3.1)
     RedCloth (4.2.9)
     ace-rails-ap (2.0.1)
-    actionmailer (4.1.12)
-      actionpack (= 4.1.12)
-      actionview (= 4.1.12)
+    actionmailer (4.1.14)
+      actionpack (= 4.1.14)
+      actionview (= 4.1.14)
       mail (~> 2.5, >= 2.5.4)
-    actionpack (4.1.12)
-      actionview (= 4.1.12)
-      activesupport (= 4.1.12)
+    actionpack (4.1.14)
+      actionview (= 4.1.14)
+      activesupport (= 4.1.14)
       rack (~> 1.5.2)
       rack-test (~> 0.6.2)
-    actionview (4.1.12)
-      activesupport (= 4.1.12)
+    actionview (4.1.14)
+      activesupport (= 4.1.14)
       builder (~> 3.1)
       erubis (~> 2.7.0)
-    activemodel (4.1.12)
-      activesupport (= 4.1.12)
+    activemodel (4.1.14)
+      activesupport (= 4.1.14)
       builder (~> 3.1)
-    activerecord (4.1.12)
-      activemodel (= 4.1.12)
-      activesupport (= 4.1.12)
+    activerecord (4.1.14)
+      activemodel (= 4.1.14)
+      activesupport (= 4.1.14)
       arel (~> 5.0.0)
     activerecord-deprecated_finders (1.0.4)
     activerecord-session_store (0.1.1)
@@ -33,7 +33,7 @@ GEM
       activemodel (~> 4.0)
       activesupport (~> 4.0)
       rails-observers (~> 0.1.1)
-    activesupport (4.1.12)
+    activesupport (4.1.14)
       i18n (~> 0.6, >= 0.6.9)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
@@ -90,6 +90,9 @@ GEM
     bullet (4.14.9)
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.9.0)
+    bundler-audit (0.4.0)
+      bundler (~> 1.2)
+      thor (~> 0.18)
     byebug (6.0.2)
     cal-heatmap-rails (0.0.1)
     capybara (2.4.4)
@@ -287,7 +290,7 @@ GEM
       diff-lcs (~> 1.1)
       mime-types (~> 1.15)
       posix-spawn (~> 0.3)
-    gitlab-license (0.0.3)
+    gitlab-license (0.0.4)
     gitlab_emoji (0.1.1)
       gemojione (~> 2.0)
     gitlab_git (7.2.20)
@@ -512,21 +515,21 @@ GEM
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.1.12)
-      actionmailer (= 4.1.12)
-      actionpack (= 4.1.12)
-      actionview (= 4.1.12)
-      activemodel (= 4.1.12)
-      activerecord (= 4.1.12)
-      activesupport (= 4.1.12)
+    rails (4.1.14)
+      actionmailer (= 4.1.14)
+      actionpack (= 4.1.14)
+      actionview (= 4.1.14)
+      activemodel (= 4.1.14)
+      activerecord (= 4.1.14)
+      activesupport (= 4.1.14)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.12)
+      railties (= 4.1.14)
       sprockets-rails (~> 2.0)
     rails-observers (0.1.2)
       activemodel (~> 4.0)
-    railties (4.1.12)
-      actionpack (= 4.1.12)
-      activesupport (= 4.1.12)
+    railties (4.1.14)
+      actionpack (= 4.1.14)
+      activesupport (= 4.1.14)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rainbow (2.0.0)
@@ -690,7 +693,7 @@ GEM
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.3.2)
+    sprockets-rails (2.3.3)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
@@ -805,6 +808,7 @@ DEPENDENCIES
   brakeman (= 3.0.1)
   browser (~> 1.0.0)
   bullet
+  bundler-audit
   byebug
   cal-heatmap-rails (~> 0.0.1)
   capybara (~> 2.4.0)
@@ -840,7 +844,7 @@ DEPENDENCIES
   github-linguist (~> 4.7.0)
   github-markup (~> 1.3.1)
   gitlab-flowdock-git-hook (~> 1.0.1)
-  gitlab-license (~> 0.0.2)
+  gitlab-license (~> 0.0.4)
   gitlab_emoji (~> 0.1)
   gitlab_git (~> 7.2.20)
   gitlab_meta (= 7.0)
@@ -892,7 +896,7 @@ DEPENDENCIES
   rack-attack (~> 4.3.0)
   rack-cors (~> 0.4.0)
   rack-oauth2 (~> 1.0.5)
-  rails (= 4.1.12)
+  rails (= 4.1.14)
   raphael-rails (~> 2.1.2)
   rblineprof
   rdoc (~> 3.6)

PROCESS.md

@@ -34,13 +34,18 @@ The most important thing is making sure valid issues receive feedback from the d
 
 ## Workflow labels
 
-Workflow labels are purposely not very detailed since that would be hard to keep updated as you would need to re-evaluate them after every comment. We optionally use functional labels on demand when want to group related issues to get an overview (for example all issues related to RVM, to tackle them in one go) and to add details to the issue. 
+Workflow labels are purposely not very detailed since that would be hard to keep updated as you would need to re-evaluate them after every comment. We optionally use functional labels on demand when want to group related issues to get an overview (for example all issues related to RVM, to tackle them in one go) and to add details to the issue.
 
 -   *Awaiting feedback*: Feedback pending from the reporter
 -   *Awaiting confirmation of fix*: The issue should already be solved in **master** (generally you can avoid this workflow item and just close the issue right away)
 -   *Attached MR*: There is a MR attached and the discussion should happen there
     - We need to let issues stay in sync with the MR's. We can do this with a "Closing #XXXX" or "Fixes #XXXX" comment in the MR. We can't close the issue when there is a merge request because sometimes a MR is not good and we just close the MR, then the issue must stay.
--   *Awaiting developer action/feedback*: Issue needs to be fixed or clarified by a developer
+- *Developer*: needs help from a developer
+- *UX* needs needs help from a UX designer
+- *Frontend* needs help from a Front-end engineer
+- *Graphics* needs help from a Graphics designer
+
+Example workflow: when a UX designer provided a design but it needs frontend work they remove the UX label and add the frontend label.
 
 ## Functional labels
 

README.md

@@ -53,8 +53,6 @@ There are two editions of GitLab:
 - GitLab Community Edition (CE) is available freely under the MIT Expat license.
 - GitLab Enterprise Edition (EE) includes [extra features](https://about.gitlab.com/features/#compare) that are more useful for organizations with more than 100 users. To use EE and get official support please [become a subscriber](https://about.gitlab.com/pricing/).
 
-Included with the GitLab Omnibus Packages is [GitLab CI](https://about.gitlab.com/gitlab-ci/) that can easily build, test and deploy code.
-
 ## Website
 
 On [about.gitlab.com](https://about.gitlab.com/) you can find more information about:

app/assets/javascripts/application.js.coffee

@@ -195,7 +195,8 @@ $ ->
     e.preventDefault()
     btn = $(e.target)
     text = btn.data("confirm-danger-message")
+    warningMessage = btn.data("warning-message")
     form = btn.closest("form")
-    new ConfirmDangerModal(form, text)
+    new ConfirmDangerModal(form, text, warningMessage: warningMessage)
 
   new Aside()

app/assets/javascripts/awards_handler.coffee

+class @AwardsHandler
+  constructor: (@post_emoji_url, @noteable_type, @noteable_id) ->
+
+  addAward: (emoji) ->
+    @postEmoji emoji, =>
+      @addAwardToEmojiBar(emoji)
+    
+  addAwardToEmojiBar: (emoji, custom_path = '') ->
+    if @exist(emoji)
+      if @isActive(emoji)
+        @decrementCounter(emoji)
+      else
+        counter = @findEmojiIcon(emoji).siblings(".counter")
+        counter.text(parseInt(counter.text()) + 1)
+        counter.parent().addClass("active")
+        @addMeToAuthorList(emoji)
+    else
+      @createEmoji(emoji, custom_path)
+
+  exist: (emoji) ->
+    @findEmojiIcon(emoji).length > 0
+
+  isActive: (emoji) ->
+    @findEmojiIcon(emoji).parent().hasClass("active")
+
+  decrementCounter: (emoji) ->
+    counter = @findEmojiIcon(emoji).siblings(".counter")
+
+    if parseInt(counter.text()) > 1
+      counter.text(parseInt(counter.text()) - 1)
+      counter.parent().removeClass("active")
+      @removeMeFromAuthorList(emoji)
+    else
+      award = counter.parent()
+      award.tooltip("destroy")
+      award.remove()
+
+  removeMeFromAuthorList: (emoji) ->
+    award_block = @findEmojiIcon(emoji).parent()
+    authors = award_block.attr("data-original-title").split(", ")
+    authors = _.without(authors, "me").join(", ")
+    award_block.attr("title", authors)
+    @resetTooltip(award_block)
+
+  addMeToAuthorList: (emoji) ->
+    award_block = @findEmojiIcon(emoji).parent()
+    authors = award_block.attr("data-original-title").split(", ")
+    authors.push("me")
+    award_block.attr("title", authors.join(", "))
+    @resetTooltip(award_block)
+
+  resetTooltip: (award) ->
+    award.tooltip("destroy")
+
+    # "destroy" call is asynchronous, this is why we need to set timeout.
+    setTimeout (->
+      award.tooltip()
+    ), 200
+    
+
+  createEmoji: (emoji, custom_path) ->
+    nodes = []
+    nodes.push("<div class='award active' title='me'>")
+    nodes.push("<div class='icon' data-emoji='" + emoji + "'>")
+    nodes.push(@getImage(emoji, custom_path))
+    nodes.push("</div>")
+    nodes.push("<div class='counter'>1")
+    nodes.push("</div></div>")
+
+    $(".awards-controls").before(nodes.join("\n"))
+
+    $(".award").tooltip()
+
+  getImage: (emoji, custom_path) ->
+    if custom_path
+      $("<img>").attr({src: custom_path, width: 20, height: 20}).wrap("<div>").parent().html()
+    else
+      $("li[data-emoji='" + emoji + "']").html()
+
+
+  postEmoji: (emoji, callback) ->
+    $.post @post_emoji_url, { note: {
+      note: ":" + emoji + ":"
+      noteable_type: @noteable_type
+      noteable_id: @noteable_id
+    }},(data) ->
+      if data.ok
+        callback.call()
+
+  findEmojiIcon: (emoji) ->
+    $(".icon[data-emoji='" + emoji + "']")
\ No newline at end of file

app/assets/javascripts/blob/blob_file_dropzone.js.coffee

@@ -23,18 +23,6 @@ class @BlobFileDropzone
       init: ->
         this.on 'addedfile', (file) ->
           $('.dropzone-alerts').html('').hide()
-          commit_message = form.find('#commit_message')[0]
-
-          if /^Upload/.test(commit_message.placeholder)
-            commit_message.placeholder = 'Upload ' + file.name
-
-          return
-
-        this.on 'removedfile', (file) ->
-          commit_message = form.find('#commit_message')[0]
-
-          if /^Upload/.test(commit_message.placeholder)
-            commit_message.placeholder = 'Upload new file'
 
           return
 
@@ -47,8 +35,9 @@ class @BlobFileDropzone
           return
 
         this.on 'sending', (file, xhr, formData) ->
-          formData.append('new_branch', form.find('#new_branch').val())
-          formData.append('commit_message', form.find('#commit_message').val())
+          formData.append('new_branch', form.find('.js-new-branch').val())
+          formData.append('create_merge_request', form.find('.js-create-merge-request').val())
+          formData.append('commit_message', form.find('.js-commit-message').val())
           return
 
       # Override behavior of adding error underneath preview

app/assets/javascripts/confirm_danger_modal.js.coffee

 class @ConfirmDangerModal
-  constructor: (form, text) ->
+  constructor: (form, text, {warningMessage} = {}) ->
     @form = form
-    $('.js-confirm-text').text(text || '')
+    $('.js-confirm-text').html(text || '')
+    $('.js-warning-text').html(warningMessage) if warningMessage
     $('.js-confirm-danger-input').val('')
     $('#modal-confirm-danger').modal('show')
     project_path = $('.js-confirm-danger-match').text()

app/assets/javascripts/copy_to_clipboard.js.coffee

@@ -9,13 +9,24 @@ $ ->
   clipboard.on 'success', (e) ->
     $(e.trigger).
       tooltip(trigger: 'manual', placement: 'auto bottom', title: 'Copied!').
-      tooltip('show')
+      tooltip('show').
+      one('mouseleave', -> $(this).tooltip('hide'))
 
     # Clear the selection and blur the trigger so it loses its border
     e.clearSelection()
     $(e.trigger).blur()
 
-    # Manually hide the tooltip after 1 second
-    setTimeout(->
-      $(e.trigger).tooltip('hide')
-    , 1000)
+  # Safari doesn't support `execCommand`, so instead we inform the user to
+  # copy manually.
+  #
+  # See http://clipboardjs.com/#browser-support
+  clipboard.on 'error', (e) ->
+    if /Mac/i.test(navigator.userAgent)
+      title = "Press ⌘-C to copy"
+    else
+      title = "Press Ctrl-C to copy"
+
+    $(e.trigger).
+      tooltip(trigger: 'manual', placement: 'auto bottom', html: true, title: title).
+      tooltip('show').
+      one('mouseleave', -> $(this).tooltip('hide'))

app/assets/javascripts/dispatcher.js.coffee

@@ -28,6 +28,8 @@ class Dispatcher
       when 'projects:milestones:new', 'projects:milestones:edit'
         new ZenMode()
         new DropzoneInput($('.milestone-form'))
+      when 'groups:milestones:new'
+        new ZenMode()
       when 'projects:compare:show'
         new Diff()
       when 'projects:issues:new','projects:issues:edit'
@@ -102,6 +104,8 @@ class Dispatcher
         new Activities()
       when 'projects:group_links:index'
         new GroupsSelect()
+      when 'projects:mirrors:show', 'projects:mirrors:update'
+        new UsersSelect()
       when 'admin:emails:show'
         new AdminEmailSelect()
 

app/assets/javascripts/new_commit_form.js.coffee

+class @NewCommitForm
+  constructor: (form) ->
+    @newBranch = form.find('.js-new-branch')
+    @originalBranch = form.find('.js-original-branch')
+    @createMergeRequest = form.find('.js-create-merge-request')
+    @createMergeRequestFormGroup = form.find('.js-create-merge-request-form-group')
+
+    @renderDestination()
+    @newBranch.keyup @renderDestination
+
+  renderDestination: =>
+    different = @newBranch.val() != @originalBranch.val()
+
+    if different
+      @createMergeRequestFormGroup.show()
+      @createMergeRequest.prop('checked', true) unless @wasDifferent
+    else
+      @createMergeRequestFormGroup.hide()
+      @createMergeRequest.prop('checked', false)
+
+    @wasDifferent = different

app/assets/javascripts/notes.js.coffee

@@ -29,6 +29,7 @@ class @Notes
     $(document).on "ajax:success", "form.edit_note", @updateNote
 
     # Edit note link
+    $(document).on "click", ".js-note-edit", @showEditForm
     $(document).on "click", ".note-edit-cancel", @cancelEdit
 
     # Reopen and close actions for Issue/MR combined with note form submit
@@ -66,6 +67,7 @@ class @Notes
     $(document).off "ajax:success", ".js-main-target-form"
     $(document).off "ajax:success", ".js-discussion-note-form"
     $(document).off "ajax:success", "form.edit_note"
+    $(document).off "click", ".js-note-edit"
     $(document).off "click", ".note-edit-cancel"
     $(document).off "click", ".js-note-delete"
     $(document).off "click", ".js-note-attachment-delete"
@@ -111,13 +113,16 @@ class @Notes
   renderNote: (note) ->
     # render note if it not present in loaded list
     # or skip if rendered
-    if @isNewNote(note)
+    if @isNewNote(note) && !note.award
       @note_ids.push(note.id)
       $('ul.main-notes-list').
         append(note.html).
         syntaxHighlight()
       @initTaskList()
 
+    if note.award
+      awards_handler.addAwardToEmojiBar(note.note, note.emoji_path)
+
   ###
   Check if note does not exists on page
   ###
@@ -253,7 +258,6 @@ class @Notes
   ###
   addNote: (xhr, note, status) =>
     @renderNote(note)
-    @updateVotes()
 
   ###
   Called in response to the new note form being submitted
@@ -285,14 +289,13 @@ class @Notes
   Adds a hidden div with the original content of the note to fill the edit note form with
   if the user cancels
   ###
-  showEditForm: (note, formHTML) ->
-    nodeText = note.find(".note-text");
-    nodeText.hide()
-    note.find('.note-edit-form').remove()
-    nodeText.after(formHTML)
+  showEditForm: (e) ->
+    e.preventDefault()
+    note = $(this).closest(".note")
     note.find(".note-body > .note-text").hide()
     note.find(".note-header").hide()
-    form = note.find(".note-edit-form")
+    base_form = note.find(".note-edit-form")
+    form = base_form.clone().insertAfter(base_form)
     form.addClass('current-note-edit-form gfm-form')
     form.find('.div-dropzone').remove()
 
@@ -472,9 +475,6 @@ class @Notes
     form = $(e.target).closest(".js-discussion-note-form")
     @removeDiscussionNoteForm(form)
 
-  updateVotes: ->
-    true
-
   ###
   Called after an attachment file has been selected.
 

app/assets/javascripts/stat_graph_contributors_util.js.coffee

@@ -6,7 +6,7 @@ window.ContributorsStatGraphUtil =
     for entry in log
       @add_date(entry.date, total) unless total[entry.date]?
 
-      data = by_author[entry.author_name] #|| by_email[entry.author_email]      
+      data = by_author[entry.author_name] || by_email[entry.author_email]      
       data ?= @add_author(entry, by_author, by_email)
 
       @add_date(entry.date, data) unless data[entry.date]
@@ -95,5 +95,4 @@ window.ContributorsStatGraphUtil =
     if date_range is null || date_range[0] <= new Date(date) <= date_range[1]
       true
     else
-      false
-
+      false
\ No newline at end of file

app/assets/javascripts/users_select.js.coffee

@@ -8,6 +8,7 @@ class @UsersSelect
       @projectId = $(select).data('project-id')
       @groupId = $(select).data('group-id')
       @showCurrentUser = $(select).data('current-user')
+      @pushCodeToProtectedBranches = $(select).data('push-code-to-protected-branches')
       showNullUser = $(select).data('null-user')
       showAnyUser = $(select).data('any-user')
       showEmailUser = $(select).data('email-user')
@@ -59,11 +60,8 @@ class @UsersSelect
 
             query.callback(data)
 
-        initSelection: (element, callback) =>
-          id = $(element).val()
-          if id != "" && id != "0"
-            @user(id, callback)
-
+        initSelection: (args...) =>
+          @initSelection(args...)
         formatResult: (args...) =>
           @formatResult(args...)
         formatSelection: (args...) =>
@@ -72,6 +70,14 @@ class @UsersSelect
         escapeMarkup: (m) -> # we do not want to escape markup since we are displaying html in results
           m
 
+  initSelection: (element, callback) ->
+    id = $(element).val()
+    if id == "0"
+      nullUser = { name: 'Unassigned' }
+      callback(nullUser)
+    else if id != ""
+      @user(id, callback)
+
   formatResult: (user) ->
     if user.avatar_url
       avatar = user.avatar_url
@@ -112,6 +118,7 @@ class @UsersSelect
         group_id: @groupId
         skip_ldap: @skipLdap
         current_user: @showCurrentUser
+        push_code_to_protected_branches: @pushCodeToProtectedBranches
       dataType: "json"
     ).done (users) ->
       callback(users)

app/assets/stylesheets/framework/common.scss

@@ -64,7 +64,7 @@ pre {
 .dropdown-menu > li > a:hover,
 .dropdown-menu > li > a:focus {
   background: $gl-primary;
-  color: #FFF
+  color: #FFF;
 }
 
 .str-truncated {
@@ -337,6 +337,10 @@ table {
   }
 }
 
+.well {
+  margin-bottom: 0;
+}
+
 .search_box {
   @extend .well;
   text-align: center;

app/assets/stylesheets/framework/tw_bootstrap.scss

@@ -172,7 +172,7 @@
   }
 
   .panel-body {
-    form {
+    form, pre {
       margin: 0;
     }
 
@@ -190,6 +190,10 @@
     .btn {
       min-width: 124px;
     }
+
+    .btn-clipboard {
+      min-width: 0px;
+    }
   }
 
   &.panel-small {

app/assets/stylesheets/pages/admin.scss

@@ -61,3 +61,7 @@
   @extend .broadcast-message;
   margin-bottom: 20px;
 }
+
+.license-key-field {
+  font-family: monospace;
+}

app/assets/stylesheets/pages/builds.scss

@@ -21,7 +21,7 @@
 
   .autoscroll-container {
     position: fixed;
-    bottom: 10px;
+    bottom: 20px;
     right: 20px;
     z-index: 100;
   }
@@ -34,7 +34,7 @@
 
     a {
       display: block;
-      margin-bottom: 5px;
+      margin-bottom: 10px;
     }
   }
 

app/assets/stylesheets/pages/commit.scss

@@ -56,6 +56,7 @@
 
     li {
       padding: 3px 0px;
+      line-height: 20px;
     }
   }
   .new-file {

app/assets/stylesheets/pages/issuable.scss

@@ -101,3 +101,71 @@
     background-color: $background-color;
   }
 }
+
+.awards {
+  @include clearfix;
+  line-height: 34px;
+  margin: 2px 0;
+
+  .award {
+    @include border-radius(5px);
+
+    border: 1px solid;
+    padding: 0px 10px;
+    float: left;
+    margin: 0 5px;
+    border-color: $border-color;
+    cursor: pointer;
+
+    &.active {
+      border-color: $border-gray-light;
+      background-color: $gray-light;
+
+      .counter {
+        font-weight: bold;
+      }
+    }
+
+    .icon {
+      float: left;
+      margin-right: 10px;
+    }
+
+    .counter {
+      float: left;
+    }
+  }
+
+  .awards-controls {
+    margin-left: 10px;
+    float: left;
+
+    .add-award {
+      font-size: 24px;
+      color: $gl-gray;
+      position: relative;
+      top: 2px;
+
+      &:hover,
+      &:link {
+        text-decoration: none;
+      }
+    }
+
+    .awards-menu {
+      padding: $gl-padding;
+      min-width: 214px;
+
+      > li {
+        margin: 5px;
+      }
+    }
+  }
+
+  .awards-menu{
+    li {
+      float: left;
+      margin: 3px;
+    }
+  }
+}

app/assets/stylesheets/pages/projects.scss

@@ -106,13 +106,13 @@
   .project-repo-buttons {
     margin-top: 12px;
     margin-bottom: 0px;
+  }
 
-    .btn {
-      @include btn-gray;
+  .btn {
+    @include btn-gray;
 
-      .count {
-        display: inline-block;
-      }
+    .count {
+      display: inline-block;
     }
   }
 }
@@ -205,6 +205,10 @@
   .dropdown-toggle  {
     margin: -5px;
   }
+
+  .update-mirror-button {
+    margin-right: -1px;
+  }
 }
 
 #notification-form {

app/controllers/admin/licenses_controller.rb

@@ -63,6 +63,8 @@ class Admin::LicensesController < Admin::ApplicationController
   end
 
   def license_params
-    params.require(:license).permit(:data_file)
+    license_params = params.require(:license).permit(:data_file, :data)
+    license_params.delete(:data) if license_params[:data_file]
+    license_params
   end
 end

app/controllers/autocomplete_controller.rb

 class AutocompleteController < ApplicationController
   skip_before_action :authenticate_user!, only: [:users]
+  before_action :find_users, only: [:users]
 
   def users
-    begin
-      @users =
-        if params[:project_id].present?
-          project = Project.find(params[:project_id])
-
-          if can?(current_user, :read_project, project)
-            project.team.users
-          end
-        elsif params[:group_id]
-          group = Group.find(params[:group_id])
-
-          if can?(current_user, :read_group, group)
-            group.users
-          end
-        elsif current_user
-          User.all
-        end
-    rescue ActiveRecord::RecordNotFound
-      if current_user
-        return render json: {}, status: 404
-      end
-    end
-
-    if @users.nil? && current_user.nil?
-      authenticate_user!
-    end
-
-    @users ||= User.none
     @users = @users.non_ldap if params[:skip_ldap] == 'true'
     @users = @users.search(params[:search]) if params[:search].present?
     @users = @users.active
     @users = @users.reorder(:name)
-    @users = @users.page(params[:page]).per(PER_PAGE)
+
+    if params[:push_code_to_protected_branches] && project
+      @users = @users.to_a.select { |user| user.can?(:push_code_to_protected_branches, project) }.take(PER_PAGE)
+    else
+      @users = @users.page(params[:page]).per(PER_PAGE)
+    end
 
     unless params[:search].present?
       # Include current user if available to filter by "Me"
@@ -50,4 +28,25 @@ class AutocompleteController < ApplicationController
     @user = User.find(params[:id])
     render json: @user, only: [:name, :username, :id], methods: [:avatar_url]
   end
+
+  private
+
+  def find_users
+    @users =
+      if params[:project_id].present?
+        project = Project.find(params[:project_id])
+        return render_404 unless can?(current_user, :read_project, project)
+
+        project.team.users
+      elsif params[:group_id].present?
+        group = Group.find(params[:group_id])
+        return render_404 unless can?(current_user, :read_group, group)
+
+        group.users
+      elsif current_user
+        User.all
+      else
+        User.none
+      end
+  end
 end

app/controllers/ci/lints_controller.rb

@@ -15,10 +15,10 @@ module Ci
         @builds = @config_processor.builds
         @status = true
       end
-    rescue Ci::GitlabCiYamlProcessor::ValidationError => e
+    rescue Ci::GitlabCiYamlProcessor::ValidationError, Psych::SyntaxError => e
       @error = e.message
       @status = false
-    rescue Exception
+    rescue
       @error = "Undefined error"
       @status = false
     end

app/controllers/concerns/creates_merge_request_for_commit.rb

+module CreatesMergeRequestForCommit
+  extend ActiveSupport::Concern
+
+  def new_merge_request_path
+    if @project.forked?
+      target_project = @project.forked_from_project || @project
+      target_branch = target_project.repository.root_ref
+    else
+      target_project = @project
+      target_branch = @ref
+    end
+
+    new_namespace_project_merge_request_path(
+      @project.namespace,
+      @project,
+      merge_request: {
+        source_project_id: @project.id,
+        target_project_id: target_project.id,
+        source_branch: @new_branch,
+        target_branch: target_branch
+      }
+    )
+  end
+
+  def create_merge_request?
+    params[:create_merge_request] && @new_branch != @ref
+  end
+end

app/controllers/concerns/global_milestones.rb

+module GlobalMilestones
+  extend ActiveSupport::Concern
+
+  def milestones
+    @milestones = MilestonesFinder.new.execute(@projects, params)
+    @milestones = GlobalMilestone.build_collection(@milestones)
+    @milestones = Kaminari.paginate_array(@milestones).page(params[:page]).per(ApplicationController::PER_PAGE)
+  end
+
+  def milestone
+    milestones = Milestone.of_projects(@projects).where(title: params[:title])
+
+    if milestones.present?
+      @milestone = GlobalMilestone.new(params[:title], milestones)
+    else
+      render_404
+    end
+  end
+end

app/controllers/concerns/issues_action.rb

+module IssuesAction
+  extend ActiveSupport::Concern
+
+  def issues
+    @issues = get_issues_collection
+    @issues = @issues.page(params[:page]).per(ApplicationController::PER_PAGE)
+    @issues = @issues.preload(:author, :project)
+
+    respond_to do |format|
+      format.html
+      format.atom { render layout: false }
+    end
+  end
+end

app/controllers/concerns/merge_requests_action.rb

+module MergeRequestsAction
+  extend ActiveSupport::Concern
+
+  def merge_requests
+    @merge_requests = get_merge_requests_collection
+    @merge_requests = @merge_requests.page(params[:page]).per(ApplicationController::PER_PAGE)
+    @merge_requests = @merge_requests.preload(:author, :target_project)
+  end
+end

app/controllers/dashboard/milestones_controller.rb

 class Dashboard::MilestonesController < Dashboard::ApplicationController
-  before_action :load_projects
+  include GlobalMilestones
+
+  before_action :projects
+  before_action :milestones, only: [:index]
+  before_action :milestone, only: [:show]
 
   def index
-    project_milestones = case params[:state]
-                         when 'all'; state
-                         when 'closed'; state('closed')
-                         else state('active')
-                         end
-    @dashboard_milestones = Milestones::GroupService.new(project_milestones).execute
-    @dashboard_milestones = Kaminari.paginate_array(@dashboard_milestones).page(params[:page]).per(PER_PAGE)
   end
 
   def show
-    project_milestones = Milestone.where(project_id: @projects).order("due_date ASC")
-    @dashboard_milestone = Milestones::GroupService.new(project_milestones).milestone(title)
   end
 
   private
 
-  def load_projects
-    @projects = current_user.authorized_projects.sorted_by_activity.non_archived
-  end
-
-  def title
-    params[:title]
-  end
-
-  def state(state = nil)
-    conditions = { project_id: @projects }
-    conditions.reverse_merge!(state: state) if state
-    Milestone.where(conditions).order("title ASC")
+  def projects
+    @projects ||= current_user.authorized_projects.sorted_by_activity.non_archived
   end
 end

app/controllers/dashboard_controller.rb

 class DashboardController < Dashboard::ApplicationController
+  include IssuesAction
+  include MergeRequestsAction
+
   before_action :event_filter, only: :activity
+  before_action :projects, only: [:issues, :merge_requests]
 
   respond_to :html
 
-  def merge_requests
-    @merge_requests = get_merge_requests_collection
-    @merge_requests = @merge_requests.page(params[:page]).per(PER_PAGE)
-    @merge_requests = @merge_requests.preload(:author, :target_project)
-  end
-
-  def issues
-    @issues = get_issues_collection
-    @issues = @issues.page(params[:page]).per(PER_PAGE)
-    @issues = @issues.preload(:author, :project)
-
-    respond_to do |format|
-      format.html
-      format.atom { render layout: false }
-    end
-  end
-
   def activity
     @last_push = current_user.recent_push
 
@@ -47,4 +34,8 @@ class DashboardController < Dashboard::ApplicationController
     @events = @event_filter.apply_filter(@events).with_associations
     @events = @events.limit(20).offset(params[:offset] || 0)
   end
+
+  def projects
+    @projects ||= current_user.authorized_projects.sorted_by_activity.non_archived
+  end
 end

app/controllers/groups/application_controller.rb

 class Groups::ApplicationController < ApplicationController
   layout 'group'
+  before_action :group
 
   private
 

app/controllers/groups/avatars_controller.rb

-class Groups::AvatarsController < ApplicationController
+class Groups::AvatarsController < Groups::ApplicationController
   def destroy
-    @group = Group.find_by(path: params[:group_id])
     @group.remove_avatar!
-
     @group.save
 
     redirect_to edit_group_path(@group)

app/controllers/groups/group_members_controller.rb

 class Groups::GroupMembersController < Groups::ApplicationController
   skip_before_action :authenticate_user!, only: [:index]
-  before_action :group
 
   # Authorize
   before_action :authorize_read_group!
-  before_action :authorize_admin_group!, except: [:index, :leave]
-  before_action :authorize_admin_group_member!, only: [:create, :resend_invite]
+  before_action :authorize_admin_group_member!, except: [:index, :leave]
 
   def index
     @project = @group.projects.find(params[:project_id]) if params[:project_id]
@@ -18,7 +16,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
     end
 
     @members = @members.order('access_level DESC').page(params[:page]).per(50)
-    @group_member = GroupMember.new
+
+    @group_member = @group.group_members.new
   end
 
   def create
@@ -36,30 +35,28 @@ class Groups::GroupMembersController < Groups::ApplicationController
   end
 
   def update
-    @member = @group.group_members.find(params[:id])
+    @group_member = @group.group_members.find(params[:id])
 
-    return render_403 unless can?(current_user, :update_group_member, @member)
+    return render_403 unless can?(current_user, :update_group_member, @group_member)
 
-    old_access_level = @member.human_access
+    old_access_level = @group_member.human_access
 
-    if @member.update_attributes(member_params)
-      log_audit_event(@member, action: :update, old_access_level: old_access_level)
+    if @group_member.update_attributes(member_params)
+      log_audit_event(@group_member, action: :update, old_access_level: old_access_level)
     end
   end
 
   def destroy
     @group_member = @group.group_members.find(params[:id])
 
-    if can?(current_user, :destroy_group_member, @group_member)  # May fail if last owner.
-      @group_member.destroy
-      log_audit_event(@group_member, action: :destroy)
+    return render_403 unless can?(current_user, :destroy_group_member, @group_member)
 
-      respond_to do |format|
-        format.html { redirect_to group_group_members_path(@group), notice: 'User was successfully removed from group.' }
-        format.js { render nothing: true }
-      end
-    else
-      return render_403
+    @group_member.destroy
+    log_audit_event(@group_member, action: :destroy)
+
+    respond_to do |format|
+      format.html { redirect_to group_group_members_path(@group), notice: 'User was successfully removed from group.' }
+      format.js { render nothing: true }
     end
   end
 
@@ -78,7 +75,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
   end
 
   def leave
-    @group_member = @group.group_members.where(user_id: current_user.id).first
+    @group_member = @group.group_members.find_by(user_id: current_user)
 
     if can?(current_user, :destroy_group_member, @group_member)
       @group_member.destroy

app/controllers/groups/milestones_controller.rb

 class Groups::MilestonesController < Groups::ApplicationController
-  before_action :authorize_group_milestone!, only: :update
+  include GlobalMilestones
+
+  before_action :projects
+  before_action :milestones, only: [:index]
+  before_action :milestone, only: [:show, :update]
+  before_action :authorize_group_milestone!, only: [:create, :update]
 
   def index
-    project_milestones = case params[:state]
-                         when 'all'; state
-                         when 'closed'; state('closed')
-                         else state('active')
-                         end
-    @group_milestones = Milestones::GroupService.new(project_milestones).execute
-    @group_milestones = Kaminari.paginate_array(@group_milestones).page(params[:page]).per(PER_PAGE)
   end
 
-  def show
-    project_milestones = Milestone.where(project_id: group.projects).order("due_date ASC")
-    @group_milestone = Milestones::GroupService.new(project_milestones).milestone(title)
+  def new
+    @milestone = Milestone.new
   end
 
-  def update
-    project_milestones = Milestone.where(project_id: group.projects).order("due_date ASC")
-    @group_milestones = Milestones::GroupService.new(project_milestones).milestone(title)
+  def create
+    project_ids = params[:milestone][:project_ids]
+    title = milestone_params[:title]
 
-    @group_milestones.milestones.each do |milestone|
-      Milestones::UpdateService.new(milestone.project, current_user, params[:milestone]).execute(milestone)
+    @group.projects.where(id: project_ids).each do |project|
+      Milestones::CreateService.new(project, current_user, milestone_params).execute
     end
 
-    respond_to do |format|
-      format.js
-      format.html do
-        redirect_to group_milestones_path(group)
-      end
+    redirect_to milestone_path(title)
+  end
+
+  def show
+  end
+
+  def update
+    @milestone.milestones.each do |milestone|
+      Milestones::UpdateService.new(milestone.project, current_user, milestone_params).execute(milestone)
     end
+
+    redirect_back_or_default(default: milestone_path(@milestone.title))
   end
 
   private
 
-  def group
-    @group ||= Group.find_by(path: params[:group_id])
+  def authorize_group_milestone!
+    return render_404 unless can?(current_user, :admin_milestones, group)
   end
 
-  def title
-    params[:title]
+  def milestone_params
+    params.require(:milestone).permit(:title, :description, :due_date, :state_event)
   end
 
-  def state(state = nil)
-    conditions = { project_id: group.projects }
-    conditions.reverse_merge!(state: state) if state
-    Milestone.where(conditions).order("title ASC")
+  def milestone_path(title)
+    group_milestone_path(@group, title.parameterize, title: title)
   end
 
-  def authorize_group_milestone!
-    return render_404 unless can?(current_user, :admin_group, group)
+  def projects
+    @projects ||= @group.projects
   end
 end

app/controllers/groups_controller.rb

 class GroupsController < Groups::ApplicationController
+  include IssuesAction
+  include MergeRequestsAction
+
   skip_before_action :authenticate_user!, only: [:show, :issues, :merge_requests]
   respond_to :html
   before_action :group, except: [:new, :create]
@@ -55,23 +58,6 @@ class GroupsController < Groups::ApplicationController
     end
   end
 
-  def merge_requests
-    @merge_requests = get_merge_requests_collection
-    @merge_requests = @merge_requests.page(params[:page]).per(PER_PAGE)
-    @merge_requests = @merge_requests.preload(:author, :target_project)
-  end
-
-  def issues
-    @issues = get_issues_collection
-    @issues = @issues.page(params[:page]).per(PER_PAGE)
-    @issues = @issues.preload(:author, :project)
-
-    respond_to do |format|
-      format.html
-      format.atom { render layout: false }
-    end
-  end
-
   def edit
   end
 

app/controllers/projects/blob_controller.rb

 # Controller for viewing a file's blame
 class Projects::BlobController < Projects::ApplicationController
   include ExtractsPath
+  include CreatesMergeRequestForCommit
   include ActionView::Helpers::SanitizeHelper
 
   # Raised when given an invalid file path
@@ -22,21 +23,9 @@ class Projects::BlobController < Projects::ApplicationController
   end
 
   def create
-    result = Files::CreateService.new(@project, current_user, @commit_params).execute
-
-    if result[:status] == :success
-      flash[:notice] = "The changes have been successfully committed"
-      respond_to do |format|
-        format.html { redirect_to namespace_project_blob_path(@project.namespace, @project, File.join(@target_branch, @file_path)) }
-        format.json { render json: { message: "success", filePath: namespace_project_blob_path(@project.namespace, @project, File.join(@target_branch, @file_path)) } }
-      end
-    else
-      flash[:alert] = result[:message]
-      respond_to do |format|
-        format.html { render :new }
-        format.json { render json: { message: "failed", filePath: namespace_project_blob_path(@project.namespace, @project, @id) } }
-      end
-    end
+    create_commit(Files::CreateService, success_path: after_create_path,
+                                        failure_view: :new,
+                                        failure_path: namespace_project_new_blob_path(@project.namespace, @project, @ref))
   end
 
   def show
@@ -47,21 +36,9 @@ class Projects::BlobController < Projects::ApplicationController
   end
 
   def update
-    result = Files::UpdateService.new(@project, current_user, @commit_params).execute
-
-    if result[:status] == :success
-      flash[:notice] = "Your changes have been successfully committed"
-      respond_to do |format|
-        format.html { redirect_to after_edit_path }
-        format.json { render json: { message: "success", filePath: after_edit_path } }
-      end
-    else
-      flash[:alert] = result[:message]
-      respond_to do |format|
-        format.html { render :edit }
-        format.json { render json: { message: "failed", filePath: namespace_project_new_blob_path(@project.namespace, @project, @id) } }
-      end
-    end
+    create_commit(Files::UpdateService, success_path: after_edit_path,
+                                        failure_view: :edit,
+                                        failure_path: namespace_project_blob_path(@project.namespace, @project, @id))
   end
 
   def preview
@@ -77,7 +54,7 @@ class Projects::BlobController < Projects::ApplicationController
 
     if result[:status] == :success
       flash[:notice] = "Your changes have been successfully committed"
-      redirect_to namespace_project_tree_path(@project.namespace, @project, @target_branch)
+      redirect_to after_destroy_path
     else
       flash[:alert] = result[:message]
       render :show
@@ -131,15 +108,51 @@ class Projects::BlobController < Projects::ApplicationController
     render_404
   end
 
+  def create_commit(service, success_path:, failure_view:, failure_path:)
+    result = service.new(@project, current_user, @commit_params).execute
+
+    if result[:status] == :success
+      flash[:notice] = "Your changes have been successfully committed"
+      respond_to do |format|
+        format.html { redirect_to success_path }
+        format.json { render json: { message: "success", filePath: success_path } }
+      end
+    else
+      flash[:alert] = result[:message]
+      respond_to do |format|
+        format.html { render failure_view }
+        format.json { render json: { message: "failed", filePath: failure_path } }
+      end
+    end
+  end
+
+  def after_create_path
+    @after_create_path ||=
+      if create_merge_request?
+        new_merge_request_path
+      else
+        namespace_project_blob_path(@project.namespace, @project, File.join(@new_branch, @file_path))
+      end
+  end
+
   def after_edit_path
     @after_edit_path ||=
-      if from_merge_request
+      if create_merge_request?
+        new_merge_request_path
+      elsif from_merge_request && @new_branch == @ref
         diffs_namespace_project_merge_request_path(from_merge_request.target_project.namespace, from_merge_request.target_project, from_merge_request) +
           "#file-path-#{hexdigest(@path)}"
-      elsif @target_branch.present?
-        namespace_project_blob_path(@project.namespace, @project, File.join(@target_branch, @path))
       else
-        namespace_project_blob_path(@project.namespace, @project, @id)
+        namespace_project_blob_path(@project.namespace, @project, File.join(@new_branch, @path))
+      end
+  end
+
+  def after_destroy_path
+    @after_destroy_path ||=
+      if create_merge_request?
+        new_merge_request_path
+      else
+        namespace_project_tree_path(@project.namespace, @project, @new_branch)
       end
   end
 
@@ -154,7 +167,7 @@ class Projects::BlobController < Projects::ApplicationController
 
   def editor_variables
     @current_branch = @ref
-    @target_branch = params[:new_branch].present? ? sanitized_new_branch_name : @ref
+    @new_branch = params[:new_branch].present? ? sanitized_new_branch_name : @ref
 
     @file_path =
       if action_name.to_s == 'create'
@@ -174,7 +187,7 @@ class Projects::BlobController < Projects::ApplicationController
     @commit_params = {
       file_path: @file_path,
       current_branch: @current_branch,
-      target_branch: @target_branch,
+      target_branch: @new_branch,
       commit_message: params[:commit_message],
       file_content: params[:content],
       file_content_encoding: params[:encoding]

app/controllers/projects/compare_controller.rb

@@ -20,8 +20,8 @@ class Projects::CompareController < Projects::ApplicationController
     if compare_result
       @commits = Commit.decorate(compare_result.commits, @project)
       @diffs = compare_result.diffs
-      @commit = @commits.last
-      @first_commit = @commits.first
+      @commit = @project.commit(head_ref)
+      @first_commit = @project.commit(base_ref)
       @line_notes = []
     end
   end

app/controllers/projects/imports_controller.rb

@@ -8,9 +8,7 @@ class Projects::ImportsController < Projects::ApplicationController
   end
 
   def create
-    @project.import_url = params[:project][:import_url]
-
-    if @project.save
+    if @project.update_attributes(import_params)
       @project.reload
 
       if @project.import_failed?
@@ -28,8 +26,8 @@ class Projects::ImportsController < Projects::ApplicationController
       if @project.import_finished?
         redirect_to(project_path(@project)) and return
       else
-        redirect_to new_namespace_project_import_path(@project.namespace,
-                                                      @project) && return
+        redirect_to(new_namespace_project_import_path(@project.namespace,
+                                                      @project)) and return
       end
     end
   end
@@ -48,4 +46,8 @@ class Projects::ImportsController < Projects::ApplicationController
         return
     end
   end
+
+  def import_params
+    params.require(:project).permit(:import_url, :mirror, :mirror_user_id)
+  end
 end

app/controllers/projects/issues_controller.rb

@@ -66,7 +66,7 @@ class Projects::IssuesController < Projects::ApplicationController
   def show
     @participants = @issue.participants(current_user)
     @note = @project.notes.new(noteable: @issue)
-    @notes = @issue.notes.with_associations.fresh
+    @notes = @issue.notes.nonawards.with_associations.fresh
     @noteable = @issue
 
     respond_with(@issue)

app/controllers/projects/merge_requests_controller.rb

@@ -294,7 +294,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
 
     # Build a note object for comment form
     @note = @project.notes.new(noteable: @merge_request)
-    @notes = @merge_request.mr_and_commit_notes.inc_author.fresh
+    @notes = @merge_request.mr_and_commit_notes.nonawards.inc_author.fresh
     @discussions = Note.discussions_from_notes(@notes)
     @noteable = @merge_request
 

app/controllers/projects/mirrors_controller.rb

+class Projects::MirrorsController < Projects::ApplicationController
+  # Authorize
+  before_action :require_non_empty_project
+  before_action :authorize_admin_project!, except: [:update_now]
+  before_action :authorize_push_code!, only: [:update_now]
+
+  layout "project_settings"
+
+  def show
+
+  end
+
+  def update
+    if @project.update_attributes(mirror_params)
+      if @project.mirror?
+        @project.update_mirror
+
+        flash[:notice] = "Mirroring settings were successfully updated. The project is being updated."
+      elsif @project.mirror_changed?
+        flash[:notice] = "Mirroring was successfully disabled."
+      else
+        flash[:notice] = "Mirroring settings were successfully updated."
+      end
+
+      redirect_to namespace_project_mirror_path(@project.namespace, @project)
+    else
+      render :show
+    end
+  end
+
+  def update_now
+    @project.update_mirror
+
+    flash[:notice] = "The repository is being updated..."
+    redirect_back_or_default(default: namespace_project_path(@project.namespace, @project))
+  end
+
+  private
+
+  def mirror_params
+    params.require(:project).permit(:mirror, :import_url, :mirror_user_id)
+  end
+end

app/controllers/projects/notes_controller.rb

@@ -3,7 +3,7 @@ class Projects::NotesController < Projects::ApplicationController
   before_action :authorize_read_note!
   before_action :authorize_create_note!, only: [:create]
   before_action :authorize_admin_note!, only: [:update, :destroy]
-  before_action :find_current_user_notes, except: [:destroy, :edit, :delete_attachment]
+  before_action :find_current_user_notes, except: [:destroy, :delete_attachment, :award_toggle]
 
   def index
     current_fetched_at = Time.now.to_i
@@ -29,11 +29,6 @@ class Projects::NotesController < Projects::ApplicationController
     end
   end
 
-  def edit
-    @note = note
-    render layout: false
-  end
-
   def update
     @note = Notes::UpdateService.new(project, current_user, note_params).execute(note)
 
@@ -63,6 +58,30 @@ class Projects::NotesController < Projects::ApplicationController
     end
   end
 
+  def award_toggle
+    noteable = if note_params[:noteable_type] == "issue"
+                 project.issues.find(note_params[:noteable_id])
+               else
+                 project.merge_requests.find(note_params[:noteable_id])
+               end
+
+    data = {
+      author: current_user,
+      is_award: true,
+      note: note_params[:note].gsub(":", '')
+    }
+
+    note = noteable.notes.find_by(data)
+
+    if note
+      note.destroy
+    else
+      Notes::CreateService.new(project, current_user, note_params).execute
+    end
+
+    render json: { ok: true }
+  end
+
   private
 
   def note
@@ -116,6 +135,9 @@ class Projects::NotesController < Projects::ApplicationController
       id: note.id,
       discussion_id: note.discussion_id,
       html: note_to_html(note),
+      award: note.is_award,
+      emoji_path: note.is_award ? view_context.image_url(::AwardEmoji.path_to_emoji_image(note.note)) : "",
+      note: note.note,
       discussion_html: note_to_discussion_html(note),
       discussion_with_diff_html: note_to_discussion_with_diff_html(note)
     }

app/controllers/projects/project_members_controller.rb

 class Projects::ProjectMembersController < Projects::ApplicationController
   # Authorize
-  before_action :authorize_admin_project!, except: :leave
+  before_action :authorize_admin_project_member!, except: :leave
 
   def index
     @project_members = @project.project_members
@@ -30,10 +30,6 @@ class Projects::ProjectMembersController < Projects::ApplicationController
     @project_group_links = @project.project_group_links
   end
 
-  def new
-    @project_member = @project.project_members.new
-  end
-
   def create
     @project.team.add_users(params[:user_ids].split(','), params[:access_level], current_user)
     members = @project.project_members.where(user_id: params[:user_ids].split(','))
@@ -47,6 +43,9 @@ class Projects::ProjectMembersController < Projects::ApplicationController
 
   def update
     @project_member = @project.project_members.find(params[:id])
+
+    return render_403 unless can?(current_user, :update_project_member, @project_member)
+
     old_access_level = @project_member.human_access
 
     if @project_member.update_attributes(member_params)
@@ -56,7 +55,11 @@ class Projects::ProjectMembersController < Projects::ApplicationController
 
   def destroy
     @project_member = @project.project_members.find(params[:id])
+
+    return render_403 unless can?(current_user, :destroy_project_member, @project_member)
+
     @project_member.destroy
+
     log_audit_event(@project_member, action: :destroy)
 
     respond_to do |format|
@@ -82,18 +85,24 @@ class Projects::ProjectMembersController < Projects::ApplicationController
   end
 
   def leave
-    if @project.namespace == current_user.namespace
-      message = 'You can not leave your own project. Transfer or delete the project.'
-      return redirect_back_or_default(default: { action: 'index' }, options: { alert: message })
-    end
-
     @project_member = @project.project_members.find_by(user_id: current_user)
-    @project_member.destroy
-    log_audit_event(@project_member, action: :destroy)
 
-    respond_to do |format|
-      format.html { redirect_to dashboard_projects_path }
-      format.js { render nothing: true }
+    if can?(current_user, :destroy_project_member, @project_member)
+      @project_member.destroy
+
+      log_audit_event(@project_member, action: :destroy)
+
+      respond_to do |format|
+        format.html { redirect_to dashboard_projects_path, notice: "You left the project." }
+        format.js { render nothing: true }
+      end
+    else
+      if current_user == @project.owner
+        message = 'You can not leave your own project. Transfer or delete the project.'
+        redirect_back_or_default(default: { action: 'index' }, options: { alert: message })
+      else
+        render_403
+      end
     end
   end
 

app/controllers/projects/tree_controller.rb

 # Controller for viewing a repository's file structure
 class Projects::TreeController < Projects::ApplicationController
   include ExtractsPath
+  include CreatesMergeRequestForCommit
   include ActionView::Helpers::SanitizeHelper
 
   before_action :require_non_empty_project, except: [:new, :create]
@@ -43,7 +44,7 @@ class Projects::TreeController < Projects::ApplicationController
     if result && result[:status] == :success
       flash[:notice] = "The directory has been successfully created"
       respond_to do |format|
-        format.html { redirect_to namespace_project_blob_path(@project.namespace, @project, File.join(@new_branch, @dir_name)) }
+        format.html { redirect_to after_create_dir_path }
       end
     else
       flash[:alert] = message
@@ -53,6 +54,8 @@ class Projects::TreeController < Projects::ApplicationController
     end
   end
 
+  private
+
   def assign_dir_vars
     @new_branch = params[:new_branch].present? ? sanitize(strip_tags(params[:new_branch])) : @ref
     @dir_name = File.join(@path, params[:dir_name])
@@ -63,4 +66,12 @@ class Projects::TreeController < Projects::ApplicationController
       commit_message: params[:commit_message],
     }
   end
+
+  def after_create_dir_path
+    if create_merge_request?
+      new_merge_request_path
+    else
+      namespace_project_blob_path(@project.namespace, @project, File.join(@new_branch, @dir_name))
+    end
+  end
 end

app/controllers/projects_controller.rb

@@ -88,7 +88,8 @@ class ProjectsController < ApplicationController
   end
 
   def show
-    if @project.import_in_progress?
+    # If we're importing while we do have a repository, we're simply updating the mirror.
+    if @project.import_in_progress? && !@project.updating_mirror?
       redirect_to namespace_project_import_path(@project.namespace, @project)
       return
     end
@@ -235,6 +236,8 @@ class ProjectsController < ApplicationController
       :merge_requests_ff_only_enabled,
       :merge_requests_rebase_enabled,
       :merge_requests_template,
+      :mirror,
+      :mirror_user_id,
       :reset_approvals_on_push
     )
   end

app/controllers/snippets_controller.rb

 class SnippetsController < ApplicationController
   before_action :snippet, only: [:show, :edit, :destroy, :update, :raw]
 
+  # Allow read snippet
+  before_action :authorize_read_snippet!, only: [:show]
+
   # Allow modify snippet
   before_action :authorize_update_snippet!, only: [:edit, :update]
 
@@ -79,10 +82,14 @@ class SnippetsController < ApplicationController
                      [Snippet::PUBLIC, Snippet::INTERNAL]).
                      find(params[:id])
                  else
-                   PersonalSnippet.are_public.find(params[:id])
+                   PersonalSnippet.find(params[:id])
                  end
   end
 
+  def authorize_read_snippet!
+    authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+  end
+
   def authorize_update_snippet!
     return render_404 unless can?(current_user, :update_personal_snippet, @snippet)
   end

app/controllers/users_controller.rb

@@ -3,14 +3,11 @@ class UsersController < ApplicationController
   before_action :set_user
 
   def show
-    @contributed_projects = contributed_projects.joined(@user).
-      reject(&:forked?)
+    @contributed_projects = contributed_projects.joined(@user).reject(&:forked?)
 
-    @projects = @user.personal_projects.
-      where(id: authorized_projects_ids).includes(:namespace)
+    @projects = PersonalProjectsFinder.new(@user).execute(current_user)
 
-    # Collect only groups common for both users
-    @groups = @user.groups & GroupsFinder.new.execute(current_user)
+    @groups = JoinedGroupsFinder.new(@user).execute(current_user)
 
     respond_to do |format|
       format.html
@@ -53,16 +50,8 @@ class UsersController < ApplicationController
     @user = User.find_by_username!(params[:username])
   end
 
-  def authorized_projects_ids
-    # Projects user can view
-    @authorized_projects_ids ||=
-      ProjectsFinder.new.execute(current_user).pluck(:id)
-  end
-
   def contributed_projects
-    @contributed_projects = Project.
-      where(id: authorized_projects_ids & @user.contributed_projects_ids).
-      includes(:namespace)
+    ContributedProjectsFinder.new(@user).execute(current_user)
   end
 
   def contributions_calendar
@@ -73,9 +62,13 @@ class UsersController < ApplicationController
   def load_events
     # Get user activity feed for projects common for both users
     @events = @user.recent_events.
-      where(project_id: authorized_projects_ids).
-      with_associations
+      merge(projects_for_current_user).
+      references(:project).
+      with_associations.
+      limit_recent(20, params[:offset])
+  end
 
-    @events = @events.limit(20).offset(params[:offset] || 0)
+  def projects_for_current_user
+    ProjectsFinder.new.execute(current_user)
   end
 end

app/finders/contributed_projects_finder.rb

+class ContributedProjectsFinder
+  def initialize(user)
+    @user = user
+  end
+
+  # Finds the projects "@user" contributed to, limited to either public projects
+  # or projects visible to the given user.
+  #
+  # current_user - When given the list of the projects is limited to those only
+  #                visible by this user.
+  #
+  # Returns an ActiveRecord::Relation.
+  def execute(current_user = nil)
+    if current_user
+      relation = projects_visible_to_user(current_user)
+    else
+      relation = public_projects
+    end
+
+    relation.includes(:namespace).order_id_desc
+  end
+
+  private
+
+  def projects_visible_to_user(current_user)
+    authorized = @user.contributed_projects.visible_to_user(current_user)
+
+    union = Gitlab::SQL::Union.
+      new([authorized.select(:id), public_projects.select(:id)])
+
+    Project.where("projects.id IN (#{union.to_sql})")
+  end
+
+  def public_projects
+    @user.contributed_projects.public_only
+  end
+end

app/finders/groups_finder.rb

 class GroupsFinder
-  def execute(current_user, options = {})
-    all_groups(current_user)
+  # Finds the groups available to the given user.
+  #
+  # current_user - The user to find the groups for.
+  #
+  # Returns an ActiveRecord::Relation.
+  def execute(current_user = nil)
+    if current_user
+      relation = groups_visible_to_user(current_user)
+    else
+      relation = public_groups
+    end
+
+    relation.order_id_desc
   end
 
   private
 
-  def all_groups(current_user)
-    group_ids = if current_user
-                  if current_user.authorized_groups.any?
-                    # User has access to groups
-                    #
-                    # Return only:
-                    #   groups with public projects
-                    #   groups with internal projects
-                    #   groups with joined projects
-                    #
-                    Project.public_and_internal_only.pluck(:namespace_id) +
-                      current_user.authorized_groups.pluck(:id)
-                  else
-                    # User has no group membership
-                    #
-                    # Return only:
-                    #   groups with public projects
-                    #   groups with internal projects
-                    #
-                    Project.public_and_internal_only.pluck(:namespace_id)
-                  end
-                else
-                  # Not authenticated
-                  #
-                  # Return only:
-                  #   groups with public projects
-                  Project.public_only.pluck(:namespace_id)
-                end
-
-    Group.where("public IS TRUE OR id IN(?)", group_ids)
+  # This method returns the groups "current_user" can see.
+  def groups_visible_to_user(current_user)
+    base = groups_for_projects(public_and_internal_projects)
+
+    union = Gitlab::SQL::Union.
+      new([base.select(:id), current_user.authorized_groups.select(:id)])
+
+    Group.where("namespaces.id IN (#{union.to_sql})")
+  end
+
+  def public_groups
+    groups_for_projects(public_projects)
+  end
+
+  def groups_for_projects(projects)
+    Group.public_and_given_groups(projects.select(:namespace_id))
+  end
+
+  def public_projects
+    Project.unscoped.public_only
+  end
+
+  def public_and_internal_projects
+    Project.unscoped.public_and_internal_only
   end
 end

app/finders/issuable_finder.rb

@@ -62,10 +62,10 @@ class IssuableFinder
 
     if project?
       @project = Project.find(params[:project_id])
-      
+
       unless Ability.abilities.allowed?(current_user, :read_project, @project)
         @project = nil
-      end 
+      end
     else
       @project = nil
     end
@@ -77,11 +77,11 @@ class IssuableFinder
     return @projects if defined?(@projects)
 
     if project?
-      project
+      @projects = project
     elsif current_user && params[:authorized_only].presence && !current_user_related?
-      current_user.authorized_projects
+      @projects = current_user.authorized_projects
     else
-      ProjectsFinder.new.execute(current_user)
+      @projects = ProjectsFinder.new.execute(current_user)
     end
   end
 
@@ -190,8 +190,10 @@ class IssuableFinder
 
   def by_project(items)
     items =
-      if projects
-        items.of_projects(projects).references(:project)
+      if project?
+        items.of_projects(projects).references_project
+      elsif projects
+        items.merge(projects.reorder(nil)).join_project
       else
         items.none
       end
@@ -206,7 +208,9 @@ class IssuableFinder
   end
 
   def sort(items)
-    items.sort(params[:sort])
+    # Ensure we always have an explicit sort order (instead of inheriting
+    # multiple orders when combining ActiveRecord::Relation objects).
+    params[:sort] ? items.sort(params[:sort]) : items.reorder(id: :desc)
   end
 
   def by_assignee(items)

app/finders/joined_groups_finder.rb

+# Class for finding the groups a user is a member of.
+class JoinedGroupsFinder
+  def initialize(user = nil)
+    @user = user
+  end
+
+  # Finds the groups of the source user, optionally limited to those visible to
+  # the current user.
+  #
+  # current_user - If given the groups of "@user" will only include the groups
+  #                "current_user" can also see.
+  #
+  # Returns an ActiveRecord::Relation.
+  def execute(current_user = nil)
+    if current_user
+      relation = groups_visible_to_user(current_user)
+    else
+      relation = public_groups
+    end
+
+    relation.order_id_desc
+  end
+
+  private
+
+  # Returns the groups the user in "current_user" can see.
+  #
+  # This list includes all public/internal projects as well as the projects of
+  # "@user" that "current_user" also has access to.
+  def groups_visible_to_user(current_user)
+    base  = @user.authorized_groups.visible_to_user(current_user)
+    extra = public_and_internal_groups
+    union = Gitlab::SQL::Union.new([base.select(:id), extra.select(:id)])
+
+    Group.where("namespaces.id IN (#{union.to_sql})")
+  end
+
+  def public_groups
+    groups_for_projects(@user.authorized_projects.public_only)
+  end
+
+  def public_and_internal_groups
+    groups_for_projects(@user.authorized_projects.public_and_internal_only)
+  end
+
+  def groups_for_projects(projects)
+    @user.groups.public_and_given_groups(projects.select(:namespace_id))
+  end
+end

app/finders/milestones_finder.rb

+class MilestonesFinder
+  def execute(projects, params)
+    milestones = Milestone.of_projects(projects)
+    milestones = milestones.order("due_date ASC")
+
+    case params[:state]
+    when 'closed' then milestones.closed
+    when 'all' then milestones
+    else milestones.active
+    end
+  end
+end

app/finders/notes_finder.rb

@@ -12,9 +12,9 @@ class NotesFinder
       when "commit"
         project.notes.for_commit_id(target_id).not_inline
       when "issue"
-        project.issues.find(target_id).notes.inc_author
+        project.issues.find(target_id).notes.nonawards.inc_author
       when "merge_request"
-        project.merge_requests.find(target_id).mr_and_commit_notes.inc_author
+        project.merge_requests.find(target_id).mr_and_commit_notes.nonawards.inc_author
       when "snippet", "project_snippet"
         project.snippets.find(target_id).notes
       else

app/finders/personal_projects_finder.rb

+class PersonalProjectsFinder
+  def initialize(user)
+    @user = user
+  end
+
+  # Finds the projects belonging to the user in "@user", limited to either
+  # public projects or projects visible to the given user.
+  #
+  # current_user - When given the list of projects is limited to those only
+  #                visible by this user.
+  #
+  # Returns an ActiveRecord::Relation.
+  def execute(current_user = nil)
+    if current_user
+      relation = projects_visible_to_user(current_user)
+    else
+      relation = public_projects
+    end
+
+    relation.includes(:namespace).order_id_desc
+  end
+
+  private
+
+  def projects_visible_to_user(current_user)
+    authorized = @user.personal_projects.visible_to_user(current_user)
+
+    union = Gitlab::SQL::Union.
+      new([authorized.select(:id), public_and_internal_projects.select(:id)])
+
+    Project.where("projects.id IN (#{union.to_sql})")
+  end
+
+  def public_projects
+    @user.personal_projects.public_only
+  end
+
+  def public_and_internal_projects
+    @user.personal_projects.public_and_internal_only
+  end
+end

app/finders/projects_finder.rb

 class ProjectsFinder
-  def execute(current_user, options = {})
+  # Returns all projects, optionally including group projects a user has access
+  # to.
+  #
+  # ## Examples
+  #
+  # Retrieving all public projects:
+  #
+  #     ProjectsFinder.new.execute
+  #
+  # Retrieving all public/internal projects and those the given user has access
+  # to:
+  #
+  #     ProjectsFinder.new.execute(some_user)
+  #
+  # Retrieving all public/internal projects as well as the group's projects the
+  # user has access to:
+  #
+  #     ProjectsFinder.new.execute(some_user, group: some_group)
+  #
+  # Returns an ActiveRecord::Relation.
+  def execute(current_user = nil, options = {})
     group = options[:group]
 
     if group
-      group_projects(current_user, group)
+      segments = group_projects(current_user, group)
     else
-      all_projects(current_user)
+      segments = all_projects(current_user)
+    end
+
+    if segments.length > 1
+      union = Gitlab::SQL::Union.new(segments.map { |s| s.select(:id) })
+
+      Project.where("projects.id IN (#{union.to_sql})")
+    else
+      segments.first
     end
   end
 
@@ -13,89 +41,37 @@ class ProjectsFinder
 
   def group_projects(current_user, group)
     if current_user
-      if group.users.include?(current_user)
-        # User is group member
-        #
-        # Return ALL group projects
-        group.projects
-      else
-        projects_members = ProjectMember.in_projects(group.projects).
-          with_user(current_user)
-
-        if projects_members.any?
-          # User is a project member
-          #
-          # Return only:
-          #   public projects
-          #   internal projects
-          #   joined projects
-          #
-          group.projects.where(
-            "projects.id IN (?) OR projects.visibility_level IN (?)",
-            projects_members.pluck(:source_id),
-            Project.public_and_internal_levels
-          )
-        else
-          # User has no access to group or group projects
-          # or has access through shared project
-          #
-          # Return only:
-          #   public projects
-          #   internal projects
-          #   shared projects
-          projects_ids = []
-          ProjectGroupLink.where(project_id: group.projects).each do |shared_project|
-            if shared_project.group.users.include?(current_user) || shared_project.project.users.include?(current_user)
-              projects_ids << shared_project.project.id
-            end
-          end
-
-          group.projects.where(
-            "projects.id IN (?) OR projects.visibility_level IN (?)",
-            projects_ids,
-            Project.public_and_internal_levels
-          )
-        end
-      end
+      [
+        group_projects_for_user(current_user, group),
+        group.projects.public_and_internal_only,
+        group.shared_projects.visible_to_user(current_user)
+      ]
     else
-      # Not authenticated
-      #
-      # Return only:
-      #   public projects
-      group.projects.public_only
+      [group.projects.public_only]
     end
   end
 
   def all_projects(current_user)
     if current_user
-      if current_user.authorized_projects.any?
-        # User has access to private projects
-        #
-        # Return only:
-        #   public projects
-        #   internal projects
-        #   joined projects
-        #
-        Project.where(
-          "projects.id IN (?) OR projects.visibility_level IN (?)",
-          current_user.authorized_projects.pluck(:id),
-          Project.public_and_internal_levels
-        )
-      else
-        # User has no access to private projects
-        #
-        # Return only:
-        #   public projects
-        #   internal projects
-        #
-        Project.public_and_internal_only
-      end
+      [current_user.authorized_projects, public_and_internal_projects]
+    else
+      [Project.public_only]
+    end
+  end
+
+  def group_projects_for_user(current_user, group)
+    if group.users.include?(current_user)
+      group.projects
     else
-      # Not authenticated
-      #
-      # Return only:
-      #   public projects
-      Project.public_only
+      group.projects.visible_to_user(current_user)
     end
   end
+
+  def public_projects
+    Project.unscoped.public_only
+  end
+
+  def public_and_internal_projects
+    Project.unscoped.public_and_internal_only
+  end
 end

app/helpers/diff_helper.rb

 module DiffHelper
+  def diff_view
+    params[:view] == 'parallel' ? 'parallel' : 'inline'
+  end
+
   def allowed_diff_size
     if diff_hard_limit_enabled?
       Commit::DIFF_HARD_LIMIT_FILES
@@ -132,25 +136,11 @@ module DiffHelper
   end
 
   def inline_diff_btn
-    params_copy = params.dup
-    params_copy[:view] = 'inline'
-    # Always use HTML to handle case where JSON diff rendered this button
-    params_copy.delete(:format)
-
-    link_to url_for(params_copy), id: "inline-diff-btn", class: (params[:view] != 'parallel' ? 'btn active' : 'btn') do
-      'Inline'
-    end
+    diff_btn('Inline', 'inline', diff_view == 'inline')
   end
 
   def parallel_diff_btn
-    params_copy = params.dup
-    params_copy[:view] = 'parallel'
-    # Always use HTML to handle case where JSON diff rendered this button
-    params_copy.delete(:format)
-
-    link_to url_for(params_copy), id: "parallel-diff-btn", class: (params[:view] == 'parallel' ? 'btn active' : 'btn') do
-      'Side-by-side'
-    end
+    diff_btn('Side-by-side', 'parallel', diff_view == 'parallel')
   end
 
   def submodule_link(blob, ref, repository = @repository)
@@ -171,7 +161,7 @@ module DiffHelper
   def commit_for_diff(diff)
     if diff.deleted_file
       first_commit = @first_commit || @commit
-      first_commit.parent
+      first_commit.parent || @first_commit
     else
       @commit
     end
@@ -187,4 +177,18 @@ module DiffHelper
   def editable_diff?(diff)
     !diff.deleted_file && @merge_request && @merge_request.source_project
   end
+
+  private
+
+  def diff_btn(title, name, selected)
+    params_copy = params.dup
+    params_copy[:view] = name
+
+    # Always use HTML to handle case where JSON diff rendered this button
+    params_copy.delete(:format)
+
+    link_to url_for(params_copy), id: "#{name}-diff-btn", class: (selected ? 'btn active' : 'btn') do
+      title
+    end
+  end
 end

app/helpers/gitlab_markdown_helper.rb

@@ -46,39 +46,13 @@ module GitlabMarkdownHelper
   end
 
   def markdown(text, context = {})
-    return "" unless text.present?
-
-    context.reverse_merge!(
-      path:         @path,
-      pipeline:     :default,
-      project:      @project,
-      project_wiki: @project_wiki,
-      ref:          @ref
-    )
-
-    user = current_user if defined?(current_user)
-
-    html = Gitlab::Markdown.render(text, context)
-    Gitlab::Markdown.post_process(html, pipeline: context[:pipeline], project: @project, user: user)
+    process_markdown(text, context)
   end
 
   # TODO (rspeicher): Remove all usages of this helper and just call `markdown`
   # with a custom pipeline depending on the content being rendered
   def gfm(text, options = {})
-    return "" unless text.present?
-
-    options.reverse_merge!(
-      path:         @path,
-      pipeline:     :default,
-      project:      @project,
-      project_wiki: @project_wiki,
-      ref:          @ref
-    )
-
-    user = current_user if defined?(current_user)
-
-    html = Gitlab::Markdown.gfm(text, options)
-    Gitlab::Markdown.post_process(html, pipeline: options[:pipeline], project: @project, user: user)
+    process_markdown(text, options, :gfm)
   end
 
   def asciidoc(text)
@@ -204,4 +178,26 @@ module GitlabMarkdownHelper
       ''
     end
   end
+
+  def process_markdown(text, options, method = :markdown)
+    return "" unless text.present?
+
+    options.reverse_merge!(
+      path:         @path,
+      pipeline:     :default,
+      project:      @project,
+      project_wiki: @project_wiki,
+      ref:          @ref
+    )
+
+    user = current_user if defined?(current_user)
+
+    html = if method == :gfm
+             Gitlab::Markdown.gfm(text, options)
+           else
+             Gitlab::Markdown.render(text, options)
+           end
+
+    Gitlab::Markdown.post_process(html, pipeline: options[:pipeline], project: @project, user: user)
+  end
 end

app/helpers/group_members_helper.rb

+module GroupMembersHelper
+  def clear_ldap_permission_cache_message
+    markdown(<<-EOT.strip_heredoc
+      Be careful, all members of this group (except you)  will have their
+      **access level temporarily downgraded** to `Guest`. The next time that a group member
+      signs in to GitLab (or after one hour, whichever occurs first) their access level will
+      be updated to the one specified on the Group settings page.
+      EOT
+    )
+  end
+end

app/helpers/groups_helper.rb

@@ -12,7 +12,7 @@ module GroupsHelper
   end
 
   def should_user_see_group_roles?(user, group)
-    if user
+    if user && group
       user.is_admin? || group.members.exists?(user_id: user.id)
     else
       false

app/helpers/issues_helper.rb

@@ -87,6 +87,33 @@ module IssuesHelper
     merge_requests.map(&:to_reference).to_sentence(last_word_connector: ', or ')
   end
 
+  def url_to_emoji(name)
+    emoji_path = ::AwardEmoji.path_to_emoji_image(name)
+    url_to_image(emoji_path)
+  rescue StandardError
+    ""
+  end
+
+  def emoji_author_list(notes, current_user)
+    list = notes.map do |note|
+             note.author == current_user ? "me" : note.author.username
+           end
+
+    list.join(", ")
+  end
+
+  def emoji_list
+    ::AwardEmoji::EMOJI_LIST
+  end
+
+  def note_active_class(notes, current_user)
+    if current_user && notes.pluck(:author_id).include?(current_user.id)
+      "active"
+    else
+      ""
+    end
+  end
+
   # Required for Gitlab::Markdown::IssueReferenceFilter
   module_function :url_for_issue
 end

app/helpers/labels_helper.rb

@@ -100,7 +100,7 @@ module LabelsHelper
         Label.where(project_id: @projects)
       end
 
-    grouped_labels = Labels::GroupService.new(labels).execute
+    grouped_labels = GlobalLabel.build_collection(labels)
     grouped_labels.unshift(Label::None)
     grouped_labels.unshift(Label::Any)
 

app/helpers/merge_requests_helper.rb

@@ -8,14 +8,6 @@ module MergeRequestsHelper
     )
   end
 
-  def new_mr_path_for_fork_from_push_event(event)
-    new_namespace_project_merge_request_path(
-      event.project.namespace,
-      event.project,
-      new_mr_from_push_event(event, event.project.forked_from_project)
-    )
-  end
-
   def new_mr_from_push_event(event, target_project)
     {
       merge_request: {

app/helpers/milestones_helper.rb

@@ -28,7 +28,7 @@ module MilestonesHelper
         Milestone.where(project_id: @projects)
       end.active
 
-    grouped_milestones = Milestones::GroupService.new(milestones).execute
+    grouped_milestones = GlobalMilestone.build_collection(milestones)
     grouped_milestones.unshift(Milestone::None)
     grouped_milestones.unshift(Milestone::Any)
 

app/helpers/namespaces_helper.rb

@@ -17,15 +17,6 @@ module NamespacesHelper
     grouped_options_for_select(options, selected)
   end
 
-  def namespace_select_tag(id, opts = {})
-    css_class = "ajax-namespace-select "
-    css_class << "multiselect " if opts[:multiple]
-    css_class << (opts[:class] || '')
-    value = opts[:selected] || ''
-
-    hidden_field_tag(id, value, class: css_class)
-  end
-
   def namespace_icon(namespace, size = 40)
     if namespace.kind_of?(Group)
       group_icon(namespace)

app/helpers/projects_helper.rb

@@ -253,14 +253,6 @@ module ProjectsHelper
     filename_path(project, :version)
   end
 
-  def hidden_pass_url(original_url)
-    result = URI(original_url)
-    result.password = '*****' unless result.password.nil?
-    result
-  rescue
-    original_url
-  end
-
   def project_wiki_path_with_version(proj, page, version, is_newest)
     url_params = is_newest ? {} : { version_id: version }
     namespace_project_wiki_path(proj.namespace, proj, page, url_params)

app/helpers/selects_helper.rb

@@ -13,6 +13,7 @@ module SelectsHelper
     first_user = opts[:first_user] && current_user ? current_user.username : false
     current_user = opts[:current_user] || false
     project = opts[:project] || @project
+    push_code_to_protected_branches = opts[:push_code_to_protected_branches]
 
     html = {
       class: css_class,
@@ -21,7 +22,8 @@ module SelectsHelper
       'data-any-user' => any_user,
       'data-email-user' => email_user,
       'data-first-user' => first_user,
-      'data-current-user' => current_user
+      'data-current-user' => current_user,
+      'data-push-code-to-protected-branches' => push_code_to_protected_branches
     }
 
     unless opts[:scope] == :all
@@ -44,8 +46,20 @@ module SelectsHelper
   end
 
   def groups_select_tag(id, opts = {})
-    css_class = "ajax-groups-select "
-    css_class << "multiselect " if opts[:multiple]
+    opts[:class] ||= ''
+    opts[:class] << ' ajax-groups-select'
+    select2_tag(id, opts)
+  end
+
+  def namespace_select_tag(id, opts = {})
+    opts[:class] ||= ''
+    opts[:class] << ' ajax-namespace-select'
+    select2_tag(id, opts)
+  end
+
+  def select2_tag(id, opts = {})
+    css_class = ''
+    css_class << 'multiselect ' if opts[:multiple]
     css_class << (opts[:class] || '')
     value = opts[:selected] || ''
 

app/mailers/emails/issues.rb

 module Emails
   module Issues
     def new_issue_email(recipient_id, issue_id)
-      @issue = Issue.find(issue_id)
-      @project = @issue.project
-      @target_url = namespace_project_issue_url(@project.namespace, @project, @issue)
-      mail_new_thread(@issue,
-                      from: sender(@issue.author_id),
-                      to: recipient(recipient_id),
-                      subject: subject("#{@issue.title} (##{@issue.iid})"))
-
-      SentNotification.record(@issue, recipient_id, reply_key)
+      issue_mail_with_notification(issue_id, recipient_id) do
+        mail_new_thread(@issue, issue_thread_options(@issue.author_id, recipient_id))
+      end
     end
 
     def reassigned_issue_email(recipient_id, issue_id, previous_assignee_id, updated_by_user_id)
-      @issue = Issue.find(issue_id)
-      @previous_assignee = User.find_by(id: previous_assignee_id) if previous_assignee_id
-      @project = @issue.project
-      @target_url = namespace_project_issue_url(@project.namespace, @project, @issue)
-      mail_answer_thread(@issue,
-                         from: sender(updated_by_user_id),
-                         to: recipient(recipient_id),
-                         subject: subject("#{@issue.title} (##{@issue.iid})"))
-
-      SentNotification.record(@issue, recipient_id, reply_key)
+      issue_mail_with_notification(issue_id, recipient_id) do
+        @previous_assignee = User.find_by(id: previous_assignee_id) if previous_assignee_id
+        mail_answer_thread(@issue, issue_thread_options(updated_by_user_id, recipient_id))
+      end
     end
 
     def closed_issue_email(recipient_id, issue_id, updated_by_user_id)
-      @issue = Issue.find issue_id
-      @project = @issue.project
-      @updated_by = User.find updated_by_user_id
-      @target_url = namespace_project_issue_url(@project.namespace, @project, @issue)
-      mail_answer_thread(@issue,
-                         from: sender(updated_by_user_id),
-                         to: recipient(recipient_id),
-                         subject: subject("#{@issue.title} (##{@issue.iid})"))
-
-      SentNotification.record(@issue, recipient_id, reply_key)
+      issue_mail_with_notification(issue_id, recipient_id) do
+        @updated_by = User.find updated_by_user_id
+        mail_answer_thread(@issue, issue_thread_options(updated_by_user_id, recipient_id))
+      end
     end
 
     def issue_status_changed_email(recipient_id, issue_id, status, updated_by_user_id)
-      @issue = Issue.find issue_id
-      @issue_status = status
+      issue_mail_with_notification(issue_id, recipient_id) do
+        @issue_status = status
+        @updated_by = User.find updated_by_user_id
+        mail_answer_thread(@issue, issue_thread_options(updated_by_user_id, recipient_id))
+      end
+    end
+
+    private
+
+    def issue_thread_options(sender_id, recipient_id)
+      {
+        from: sender(sender_id),
+        to: recipient(recipient_id),
+        subject: subject("#{@issue.title} (##{@issue.iid})")
+      }
+    end
+
+    def issue_mail_with_notification(issue_id, recipient_id)
+      @issue = Issue.find(issue_id)
       @project = @issue.project
-      @updated_by = User.find updated_by_user_id
       @target_url = namespace_project_issue_url(@project.namespace, @project, @issue)
-      mail_answer_thread(@issue,
-                         from: sender(updated_by_user_id),
-                         to: recipient(recipient_id),
-                         subject: subject("#{@issue.title} (##{@issue.iid})"))
+
+      yield
 
       SentNotification.record(@issue, recipient_id, reply_key)
     end

app/mailers/emails/notes.rb

 module Emails
   module Notes
     def note_commit_email(recipient_id, note_id)
-      @note = Note.find(note_id)
-      @commit = @note.noteable
-      @project = @note.project
-      @target_url = namespace_project_commit_url(@project.namespace, @project,
-                                                 @commit, anchor:
-                                                 "note_#{@note.id}")
-      mail_answer_thread(@commit,
-                         from: sender(@note.author_id),
-                         to: recipient(recipient_id),
-                         subject: subject("#{@commit.title} (#{@commit.short_id})"))
-
-      SentNotification.record_note(@note, recipient_id, reply_key)
+      note_mail_with_notification(note_id, recipient_id) do
+        @commit = @note.noteable
+        @target_url = namespace_project_commit_url(*note_target_url_options)
+
+        mail_answer_thread(@commit,
+                           from: sender(@note.author_id),
+                           to: recipient(recipient_id),
+                           subject: subject("#{@commit.title} (#{@commit.short_id})"))
+      end
     end
 
     def note_issue_email(recipient_id, note_id)
-      @note = Note.find(note_id)
-      @issue = @note.noteable
-      @project = @note.project
-      @target_url = namespace_project_issue_url(@project.namespace, @project,
-                                                @issue, anchor:
-                                                "note_#{@note.id}")
-      mail_answer_thread(@issue,
-                         from: sender(@note.author_id),
-                         to: recipient(recipient_id),
-                         subject: subject("#{@issue.title} (##{@issue.iid})"))
-
-      SentNotification.record_note(@note, recipient_id, reply_key)
+      note_mail_with_notification(note_id, recipient_id) do
+        @issue = @note.noteable
+        @target_url = namespace_project_issue_url(*note_target_url_options)
+        mail_answer_thread(@issue, note_thread_options(recipient_id))
+      end
     end
 
     def note_merge_request_email(recipient_id, note_id)
+      note_mail_with_notification(note_id, recipient_id) do
+        @merge_request = @note.noteable
+        @target_url = namespace_project_merge_request_url(*note_target_url_options)
+        mail_answer_thread(@merge_request, note_thread_options(recipient_id))
+      end
+    end
+
+    private
+
+    def note_target_url_options
+      [@project.namespace, @project, @note.noteable, anchor: "note_#{@note.id}"]
+    end
+
+    def note_thread_options(recipient_id)
+      {
+        from: sender(@note.author_id),
+        to: recipient(recipient_id),
+        subject: subject("#{@note.noteable.title} (##{@note.noteable.iid})")
+      }
+    end
+
+    def note_mail_with_notification(note_id, recipient_id)
       @note = Note.find(note_id)
-      @merge_request = @note.noteable
       @project = @note.project
-      @target_url = namespace_project_merge_request_url(@project.namespace,
-                                                        @project,
-                                                        @merge_request, anchor:
-                                                        "note_#{@note.id}")
-      mail_answer_thread(@merge_request,
-                         from: sender(@note.author_id),
-                         to: recipient(recipient_id),
-                         subject: subject("#{@merge_request.title} (##{@merge_request.iid})"))
-
-      SentNotification.record_note(@note, recipient_id, reply_key)
+
+      yield
+
+      SentNotification.record(@note, recipient_id, reply_key)
     end
   end
 end

app/models/ability.rb

 class Ability
   class << self
     def allowed(user, subject)
-      return not_auth_abilities(user, subject) if user.nil?
-      return [] unless user.kind_of?(User)
+      return anonymous_abilities(user, subject) if user.nil?
+      return [] unless user.is_a?(User)
       return [] if user.blocked?
 
-      abilities = 
+      abilities =
         case subject.class.name
-        when "Project"          then project_abilities(user, subject)
-        when "Issue"            then issue_abilities(user, subject)
-        when "Note"             then note_abilities(user, subject)
-        when "ProjectSnippet"   then project_snippet_abilities(user, subject)
-        when "PersonalSnippet"  then personal_snippet_abilities(user, subject)
-        when "MergeRequest"     then merge_request_abilities(user, subject)
-        when "Group"            then group_abilities(user, subject)
-        when "Namespace"        then namespace_abilities(user, subject)
-        when "GroupMember"      then group_member_abilities(user, subject)
+        when "Project" then project_abilities(user, subject)
+        when "Issue" then issue_abilities(user, subject)
+        when "Note" then note_abilities(user, subject)
+        when "ProjectSnippet" then project_snippet_abilities(user, subject)
+        when "PersonalSnippet" then personal_snippet_abilities(user, subject)
+        when "MergeRequest" then merge_request_abilities(user, subject)
+        when "Group" then group_abilities(user, subject)
+        when "Namespace" then namespace_abilities(user, subject)
+        when "GroupMember" then group_member_abilities(user, subject)
+        when "ProjectMember" then project_member_abilities(user, subject)
         else []
         end
 
@@ -35,15 +36,25 @@ class Ability
       ]
     end
 
-    # List of possible abilities
-    # for non-authenticated user
-    def not_auth_abilities(user, subject)
-      project = if subject.kind_of?(Project)
+    # List of possible abilities for anonymous user
+    def anonymous_abilities(user, subject)
+      case true
+      when subject.is_a?(PersonalSnippet)
+        anonymous_personal_snippet_abilities(subject)
+      when subject.is_a?(Project) || subject.respond_to?(:project)
+        anonymous_project_abilities(subject)
+      when subject.is_a?(Group) || subject.respond_to?(:group)
+        anonymous_group_abilities(subject)
+      else
+        []
+      end
+    end
+
+    def anonymous_project_abilities(subject)
+      project = if subject.is_a?(Project)
                   subject
-                elsif subject.respond_to?(:project)
-                  subject.project
                 else
-                  nil
+                  subject.project
                 end
 
       if project && project.public?
@@ -63,19 +74,29 @@ class Ability
 
         rules - project_disabled_features_rules(project)
       else
-        group = if subject.kind_of?(Group)
-                  subject
-                elsif subject.respond_to?(:group)
-                  subject.group
-                else
-                  nil
-                end
+        []
+      end
+    end
 
-        if group && group.public_profile?
-          [:read_group]
-        else
-          []
-        end
+    def anonymous_group_abilities(subject)
+      group = if subject.is_a?(Group)
+                subject
+              else
+                subject.group
+              end
+
+      if group && group.public_profile?
+        [:read_group]
+      else
+        []
+      end
+    end
+
+    def anonymous_personal_snippet_abilities(snippet)
+      if snippet.public?
+        [:read_personal_snippet]
+      else
+        []
       end
     end
 
@@ -247,21 +268,22 @@ class Ability
 
       # Only group masters and group owners can create new projects in group
       if group.has_master?(user) || group.has_owner?(user) || user.admin?
-        rules.push(*[
+        rules += [
           :create_projects,
-        ])
+          :admin_milestones
+        ]
       end
 
       # Only group owner and administrators can admin group
       if group.has_owner?(user) || user.admin?
-        rules.push(*[
+        rules += [
           :admin_group,
           :admin_namespace,
           :admin_group_member
-        ])
+        ]
 
-        unless group.ldap_synced?
-          rules << :admin_group_member
+        if group.ldap_synced?
+          rules.delete(:admin_group_member)
         end
       end
 
@@ -273,16 +295,15 @@ class Ability
 
       # Only namespace owner and administrators can admin it
       if namespace.owner == user || user.admin?
-        rules.push(*[
+        rules += [
           :create_projects,
           :admin_namespace
-        ])
+        ]
       end
 
       rules.flatten
     end
 
-
     [:issue, :merge_request].each do |name|
       define_method "#{name}_abilities" do |user, subject|
         rules = []
@@ -299,7 +320,7 @@ class Ability
       end
     end
 
-    [:note, :project_snippet, :personal_snippet].each do |name|
+    [:note, :project_snippet].each do |name|
       define_method "#{name}_abilities" do |user, subject|
         rules = []
 
@@ -319,19 +340,61 @@ class Ability
       end
     end
 
+    def personal_snippet_abilities(user, snippet)
+      rules = []
+
+      if snippet.author == user
+        rules += [
+          :read_personal_snippet,
+          :update_personal_snippet,
+          :admin_personal_snippet
+        ]
+      end
+
+      if snippet.public? || snippet.internal?
+        rules << :read_personal_snippet 
+      end
+
+      rules
+    end
+
     def group_member_abilities(user, subject)
       rules = []
       target_user = subject.user
       group = subject.group
-      can_manage = group_abilities(user, group).include?(:admin_group_member)
 
-      if can_manage && (user != target_user)
-        rules << :update_group_member
-        rules << :destroy_group_member
+      unless group.last_owner?(target_user)
+        can_manage = group_abilities(user, group).include?(:admin_group_member)
+
+        if can_manage && user != target_user
+          rules << :update_group_member
+          rules << :destroy_group_member
+        end
+
+        if user == target_user
+          rules << :destroy_group_member
+        end
       end
 
-      if !group.last_owner?(user) && (can_manage || (user == target_user))
-        rules << :destroy_group_member
+      rules
+    end
+
+    def project_member_abilities(user, subject)
+      rules = []
+      target_user = subject.user
+      project = subject.project
+
+      unless target_user == project.owner
+        can_manage = project_abilities(user, project).include?(:admin_project_member)
+
+        if can_manage && user != target_user
+          rules << :update_project_member
+          rules << :destroy_project_member
+        end
+
+        if user == target_user
+          rules << :destroy_project_member
+        end
       end
 
       rules

app/models/application_setting.rb

@@ -100,7 +100,7 @@ class ApplicationSetting < ActiveRecord::Base
       restricted_signup_domains: Settings.gitlab['restricted_signup_domains'],
       import_sources: ['github','bitbucket','gitlab','gitorious','google_code','fogbugz','git'],
       shared_runners_enabled: Settings.gitlab_ci['shared_runners_enabled'],
-      max_artifacts_size: Settings.gitlab_ci['max_artifacts_size'],
+      max_artifacts_size: Settings.artifacts['max_size'],
     )
   end
 

app/models/ci/build.rb

@@ -97,6 +97,8 @@ module Ci
 
     state_machine :status, initial: :pending do
       after_transition any => [:success, :failed, :canceled] do |build, transition|
+        return unless build.gl_project
+
         project = build.project
 
         if project.web_hooks?

app/models/ci/commit.rb

@@ -188,13 +188,13 @@ module Ci
     end
 
     def config_processor
+      return nil unless ci_yaml_file
       @config_processor ||= Ci::GitlabCiYamlProcessor.new(ci_yaml_file, gl_project.path_with_namespace)
-    rescue Ci::GitlabCiYamlProcessor::ValidationError => e
+    rescue Ci::GitlabCiYamlProcessor::ValidationError, Psych::SyntaxError => e
       save_yaml_error(e.message)
       nil
-    rescue Exception => e
-      logger.error e.message + "\n" + e.backtrace.join("\n")
-      save_yaml_error("Undefined yaml error")
+    rescue
+      save_yaml_error("Undefined error")
       nil
     end
 

app/models/concerns/issuable.rb

@@ -35,6 +35,9 @@ module Issuable
     scope :order_milestone_due_desc, -> { joins(:milestone).reorder('milestones.due_date DESC, milestones.id DESC') }
     scope :order_milestone_due_asc, -> { joins(:milestone).reorder('milestones.due_date ASC, milestones.id ASC') }
 
+    scope :join_project, -> { joins(:project) }
+    scope :references_project, -> { references(:project) }
+
     delegate :name,
              :email,
              to: :author,
@@ -89,39 +92,14 @@ module Issuable
     opened? || reopened?
   end
 
-  #
-  # Votes
-  #
-
-  # Return the number of -1 comments (downvotes)
+  # Deprecated. Still exists to preserve API compatibility.
   def downvotes
-    filter_superceded_votes(notes.select(&:downvote?), notes).size
+    0
   end
 
-  def downvotes_in_percent
-    if votes_count.zero?
-      0
-    else
-      100.0 - upvotes_in_percent
-    end
-  end
-
-  # Return the number of +1 comments (upvotes)
+  # Deprecated. Still exists to preserve API compatibility.
   def upvotes
-    filter_superceded_votes(notes.select(&:upvote?), notes).size
-  end
-
-  def upvotes_in_percent
-    if votes_count.zero?
-      0
-    else
-      100.0 / votes_count * upvotes
-    end
-  end
-
-  # Return the total number of votes
-  def votes_count
-    upvotes + downvotes
+    0
   end
 
   def subscribed?(user)
@@ -184,17 +162,8 @@ module Issuable
     notes.includes(:author, :project)
   end
 
-  private
-
-  def filter_superceded_votes(votes, notes)
-    filteredvotes = [] + votes
-
-    votes.each do |vote|
-      if vote.superceded?(notes)
-        filteredvotes.delete(vote)
-      end
-    end
-
-    filteredvotes
+  def updated_tasks
+    Taskable.get_updated_tasks(old_content: previous_changes['description'].first,
+                               new_content: description)
   end
 end

app/models/concerns/sortable.rb

@@ -8,8 +8,9 @@ module Sortable
   included do
     # By default all models should be ordered
     # by created_at field starting from newest
-    default_scope { order(id: :desc) }
+    default_scope { order_id_desc }
 
+    scope :order_id_desc, -> { reorder(id: :desc) }
     scope :order_created_desc, -> { reorder(created_at: :desc) }
     scope :order_created_asc, -> { reorder(created_at: :asc) }
     scope :order_updated_desc, -> { reorder(updated_at: :desc) }

app/models/concerns/taskable.rb

@@ -7,14 +7,39 @@ require 'task_list/filter'
 #
 # Used by MergeRequest and Issue
 module Taskable
+  COMPLETED    = 'completed'.freeze
+  INCOMPLETE   = 'incomplete'.freeze
+  ITEM_PATTERN = /
+    ^
+    (?:\s*[-+*]|(?:\d+\.))? # optional list prefix
+    \s*                     # optional whitespace prefix
+    (\[\s\]|\[[xX]\])       # checkbox
+    (\s.+)                  # followed by whitespace and some text.
+  /x
+
+  def self.get_tasks(content)
+    content.to_s.scan(ITEM_PATTERN).map do |checkbox, label|
+      # ITEM_PATTERN strips out the hyphen, but Item requires it. Rabble rabble.
+      TaskList::Item.new("- #{checkbox}", label.strip)
+    end
+  end
+
+  def self.get_updated_tasks(old_content:, new_content:)
+    old_tasks, new_tasks = get_tasks(old_content), get_tasks(new_content)
+
+    new_tasks.select.with_index do |new_task, i|
+      old_task = old_tasks[i]
+      next unless old_task
+
+      new_task.source == old_task.source && new_task.complete? != old_task.complete?
+    end
+  end
+
   # Called by `TaskList::Summary`
   def task_list_items
     return [] if description.blank?
 
-    @task_list_items ||= description.scan(TaskList::Filter::ItemPattern).collect do |item|
-      # ItemPattern strips out the hyphen, but Item requires it. Rabble rabble.
-      TaskList::Item.new("- #{item}")
-    end
+    @task_list_items ||= Taskable.get_tasks(description)
   end
 
   def tasks

app/models/event.rb

@@ -63,6 +63,16 @@ class Event < ActiveRecord::Base
             Event::PUSHED, ["MergeRequest", "Issue"],
             [Event::CREATED, Event::CLOSED, Event::MERGED])
     end
+
+    def latest_update_time
+      row = select(:updated_at, :project_id).reorder(id: :desc).take
+
+      row ? row.updated_at : nil
+    end
+
+    def limit_recent(limit = 20, offset = nil)
+      recent.limit(limit).offset(offset)
+    end
   end
 
   def proper?

app/models/git_hook.rb

@@ -2,24 +2,30 @@ class GitHook < ActiveRecord::Base
   belongs_to :project
 
   validates :project, presence: true, unless: "is_sample?"
-  
+
+  def commit_validation?
+    commit_message_regex.present? ||
+      author_email_regex.present? ||
+      member_check ||
+      file_name_regex.present? ||
+      max_file_size > 0
+  end
+
   def commit_message_allowed?(message)
-    if commit_message_regex.present?
-      if message =~ Regexp.new(commit_message_regex)
-        true
-      else
-        false
-      end
+    data_valid?(message, commit_message_regex)
+  end
+
+  def author_email_allowed?(email)
+    data_valid?(email, author_email_regex)
+  end
+
+  private
+
+  def data_valid?(data, regex)
+    if regex.present?
+      !!(data =~ Regexp.new(regex))
     else
       true
     end
   end
-
-  def commit_validation?
-    commit_message_regex.present? || 
-      author_email_regex.present? || 
-      member_check || 
-      file_name_regex.present? || 
-      max_file_size > 0
-  end
 end

app/models/group_label.rb → app/models/global_label.rb

-class GroupLabel
+class GlobalLabel
   attr_accessor :title, :labels
   alias_attribute :name, :title
 
+  def self.build_collection(labels)
+    labels = labels.group_by(&:title)
+
+    labels.map do |title, label|
+      new(title, label)
+    end
+  end
+
   def initialize(title, labels)
     @title = title
     @labels = labels

app/models/group_milestone.rb → app/models/global_milestone.rb

-class GroupMilestone
+class GlobalMilestone
   attr_accessor :title, :milestones
   alias_attribute :name, :title
 
+  def self.build_collection(milestones)
+    milestones = milestones.group_by(&:title)
+
+    milestones.map do |title, milestones|
+      new(title, milestones)
+    end
+  end
+
   def initialize(title, milestones)
     @title = title
     @milestones = milestones
@@ -10,7 +18,7 @@ class GroupMilestone
   def safe_title
     @title.parameterize
   end
-  
+
   def projects
     milestones.map { |milestone| milestone.project }
   end
@@ -60,15 +68,15 @@ class GroupMilestone
   end
 
   def issues
-    @group_issues ||= milestones.map(&:issues).flatten.group_by(&:state)
+    @issues ||= milestones.map(&:issues).flatten.group_by(&:state)
   end
 
   def merge_requests
-    @group_merge_requests ||= milestones.map(&:merge_requests).flatten.group_by(&:state)
+    @merge_requests ||= milestones.map(&:merge_requests).flatten.group_by(&:state)
   end
 
   def participants
-    @group_participants ||= milestones.map(&:participants).flatten.compact.uniq
+    @participants ||= milestones.map(&:participants).flatten.compact.uniq
   end
 
   def opened_issues
@@ -86,4 +94,8 @@ class GroupMilestone
   def closed_merge_requests
     merge_requests.values_at("closed", "merged", "locked").compact.flatten
   end
+
+  def complete?
+    total_items_count == closed_items_count
+  end
 end

app/models/group.rb

@@ -20,8 +20,9 @@ require 'file_size_validator'
 class Group < Namespace
   include Gitlab::ConfigHelper
   include Referable
-
+  
   has_many :group_members, dependent: :destroy, as: :source, class_name: 'GroupMember'
+  alias_method :members, :group_members
   has_many :users, through: :group_members
   has_many :project_group_links, dependent: :destroy
   has_many :shared_projects, through: :project_group_links, source: :project
@@ -52,6 +53,14 @@ class Group < Namespace
     def reference_pattern
       User.reference_pattern
     end
+
+    def public_and_given_groups(ids)
+      where('public IS TRUE OR namespaces.id IN (?)', ids)
+    end
+
+    def visible_to_user(user)
+      where(id: user.authorized_groups.select(:id).reorder(nil))
+    end
   end
 
   def to_reference(_from_project = nil)
@@ -114,10 +123,6 @@ class Group < Namespace
     has_owner?(user) && owners.size == 1
   end
 
-  def members
-    group_members
-  end
-
   def avatar_type
     unless self.avatar.image?
       self.errors.add :avatar, "only images allowed"

app/models/license.rb

@@ -44,7 +44,7 @@ class License < ActiveRecord::Base
   def license
     return nil unless self.data
 
-    @license ||= 
+    @license ||=
       begin
         Gitlab::License.import(self.data)
       rescue Gitlab::License::ImportError
@@ -89,7 +89,7 @@ class License < ActiveRecord::Base
   def valid_license
     return if license?
 
-    self.errors.add(:base, "The license file is invalid. Make sure it is exactly as you received it from GitLab B.V..")
+    self.errors.add(:base, "The license key is invalid. Make sure it is exactly as you received it from GitLab Inc.")
   end
 
   def active_user_count
@@ -99,7 +99,7 @@ class License < ActiveRecord::Base
 
     date_range = (self.starts_at - 1.year)..self.starts_at
     active_user_count = HistoricalData.during(date_range).maximum(:active_user_count) || 0
-    
+
     return unless active_user_count
 
     return if active_user_count < restricted_user_count

app/models/member.rb

@@ -31,13 +31,22 @@ class Member < ActiveRecord::Base
 
   validates :user, presence: true, unless: :invite?
   validates :source, presence: true
-  validates :user_id, uniqueness: { scope: [:source_type, :source_id], 
+  validates :user_id, uniqueness: { scope: [:source_type, :source_id],
                                     message: "already exists in source",
                                     allow_nil: true }
   validates :access_level, inclusion: { in: Gitlab::Access.all_values }, presence: true
-  validates :invite_email,  presence: { if: :invite? }, 
-                            email: { strict_mode: true, allow_nil: true }, 
-                            uniqueness: { scope: [:source_type, :source_id], allow_nil: true }
+  validates :invite_email,
+    presence: {
+      if: :invite?
+    },
+    email: {
+      strict_mode: true,
+      allow_nil: true
+    },
+    uniqueness: {
+      scope: [:source_type, :source_id],
+      allow_nil: true
+    }
 
   scope :invite, -> { where(user_id: nil) }
   scope :non_invite, -> { where("user_id IS NOT NULL") }
@@ -74,7 +83,7 @@ class Member < ActiveRecord::Base
 
     def add_user(members, user_id, access_level, current_user = nil, skip_notification: false)
       user = user_for_id(user_id)
-      
+
       # `user` can be either a User object or an email to be invited
       if user.is_a?(User)
         member = members.find_or_initialize_by(user_id: user.id)
@@ -83,12 +92,23 @@ class Member < ActiveRecord::Base
         member.invite_email = user
       end
 
-      member.created_by ||= current_user
-      member.access_level = access_level
+      if can_update_member?(current_user, member)
+        member.created_by ||= current_user
+        member.access_level = access_level
+
+        member.skip_notification = skip_notification
+
+        member.save
+      end
+    end
 
-      member.skip_notification = skip_notification
+    private
 
-      member.save
+    def can_update_member?(current_user, member)
+      # There is no current user for bulk actions, in which case anything is allowed
+      !current_user ||
+        current_user.can?(:update_group_member, member) ||
+        current_user.can?(:update_project_member, member)
     end
   end
 
@@ -98,7 +118,7 @@ class Member < ActiveRecord::Base
 
   def accept_invite!(new_user)
     return false unless invite?
-    
+
     self.invite_token = nil
     self.invite_accepted_at = Time.now.utc
 

app/models/merge_request.rb

@@ -135,6 +135,8 @@ class MergeRequest < ActiveRecord::Base
   scope :merged, -> { with_state(:merged) }
   scope :closed, -> { with_state(:closed) }
   scope :closed_and_merged, -> { with_states(:closed, :merged) }
+  scope :join_project, -> { joins(:target_project) }
+  scope :references_project, -> { references(:target_project) }
 
   participant :approvers_left
 
@@ -545,7 +547,7 @@ class MergeRequest < ActiveRecord::Base
   end
 
   def ci_commit
-    if last_commit
+    if last_commit and source_project
       source_project.ci_commit(last_commit.id)
     end
   end

app/models/note.rb

@@ -40,16 +40,20 @@ class Note < ActiveRecord::Base
   delegate :name, :email, to: :author, prefix: true
 
   validates :note, :project, presence: true
+  validates :note, uniqueness: { scope: [:author, :noteable_type, :noteable_id] }, if: ->(n) { n.is_award }
   validates :line_code, format: { with: /\A[a-z0-9]+_\d+_\d+\Z/ }, allow_blank: true
   # Attachments are deprecated and are handled by Markdown uploader
   validates :attachment, file_size: { maximum: :max_attachment_size }
 
   validates :noteable_id, presence: true, if: ->(n) { n.noteable_type.present? && n.noteable_type != 'Commit' }
   validates :commit_id, presence: true, if: ->(n) { n.noteable_type == 'Commit' }
+  validates :author, presence: true
 
   mount_uploader :attachment, AttachmentUploader
 
   # Scopes
+  scope :awards, ->{ where(is_award: true) }
+  scope :nonawards, ->{ where(is_award: false) }
   scope :for_commit_id, ->(commit_id) { where(noteable_type: "Commit", commit_id: commit_id) }
   scope :inline, ->{ where("line_code IS NOT NULL") }
   scope :not_inline, ->{ where(line_code: [nil, '']) }
@@ -97,6 +101,12 @@ class Note < ActiveRecord::Base
     def search(query)
       where("LOWER(note) like :query", query: "%#{query.downcase}%")
     end
+
+    def grouped_awards
+      awards.select(:note).distinct.map do |note|
+        [ note.note, where(note: note.note) ]
+      end
+    end
   end
 
   def cross_reference?
@@ -288,44 +298,6 @@ class Note < ActiveRecord::Base
     nil
   end
 
-  DOWNVOTES = %w(-1 :-1: :thumbsdown: :thumbs_down_sign:)
-
-  # Check if the note is a downvote
-  def downvote?
-    votable? && note.start_with?(*DOWNVOTES)
-  end
-
-  UPVOTES = %w(+1 :+1: :thumbsup: :thumbs_up_sign:)
-
-  # Check if the note is an upvote
-  def upvote?
-    votable? && note.start_with?(*UPVOTES)
-  end
-
-  def superceded?(notes)
-    return false unless vote?
-
-    notes.each do |note|
-      next if note == self
-
-      if note.vote? &&
-        self[:author_id] == note[:author_id] &&
-        self[:created_at] <= note[:created_at]
-        return true
-      end
-    end
-
-    false
-  end
-
-  def vote?
-    upvote? || downvote?
-  end
-
-  def votable?
-    for_issue? || (for_merge_request? && !for_diff_line?)
-  end
-
   # Mentionable override.
   def gfm_reference(from_project = nil)
     noteable.gfm_reference(from_project)
@@ -363,6 +335,16 @@ class Note < ActiveRecord::Base
     read_attribute(:system)
   end
 
+  # Deprecated. Still exists to preserve API compatibility.
+  def downvote?
+    false
+  end
+
+  # Deprecated. Still exists to preserve API compatibility.
+  def upvote?
+    false
+  end
+
   def editable?
     !system?
   end

app/models/project.rb

@@ -72,6 +72,7 @@ class Project < ActiveRecord::Base
   belongs_to :creator, foreign_key: 'creator_id', class_name: 'User'
   belongs_to :group, -> { where(type: Group) }, foreign_key: 'namespace_id'
   belongs_to :namespace
+  belongs_to :mirror_user, foreign_key: 'mirror_user_id', class_name: 'User'
 
   has_one :git_hook, dependent: :destroy
   has_one :last_event, -> {order 'events.created_at DESC'}, class_name: 'Event', foreign_key: 'project_id'
@@ -130,9 +131,9 @@ class Project < ActiveRecord::Base
   has_many :releases, dependent: :destroy
   has_many :lfs_objects_projects, dependent: :destroy
   has_many :lfs_objects, through: :lfs_objects_projects
-
   has_many :project_group_links, dependent: :destroy
   has_many :invited_groups, through: :project_group_links, source: :group
+
   has_one :import_data, dependent: :destroy, class_name: "ProjectImportData"
   has_one :gitlab_ci_project, dependent: :destroy, class_name: "Ci::Project", foreign_key: :gitlab_id
 
@@ -161,6 +162,8 @@ class Project < ActiveRecord::Base
   validates :import_url,
     format: { with: /\A#{URI.regexp(%w(ssh git http https))}\z/, message: 'should be a valid url' },
     if: :external_import?
+  validates :import_url, presence: true, if: :mirror?
+  validates :mirror_user, presence: true, if: :mirror?
   validates :star_count, numericality: { greater_than_or_equal_to: 0 }
   validate :check_limit, on: :create
   validate :avatar_type,
@@ -185,6 +188,7 @@ class Project < ActiveRecord::Base
   scope :public_only, -> { where(visibility_level: Project::PUBLIC) }
   scope :public_and_internal_only, -> { where(visibility_level: Project.public_and_internal_levels) }
   scope :non_archived, -> { where(archived: false) }
+  scope :mirror, -> { where(mirror: true) }
 
   state_machine :import_status, initial: :none do
     event :import_start do
@@ -209,6 +213,21 @@ class Project < ActiveRecord::Base
 
     after_transition any => :started, do: :schedule_add_import_job
     after_transition any => :finished, do: :clear_import_data
+
+    after_transition started: :finished do |project, transaction|
+      if project.mirror?
+        timestamp = DateTime.now
+        project.mirror_last_update_at = timestamp
+        project.mirror_last_successful_update_at = timestamp
+        project.save
+      end
+    end
+
+    after_transition started: :failed do |project, transaction|
+      if project.mirror?
+        project.update(mirror_last_update_at: DateTime.now)
+      end
+    end
   end
 
   class << self
@@ -293,6 +312,10 @@ class Project < ActiveRecord::Base
 
       joins(join_body).reorder('join_note_counts.amount DESC')
     end
+
+    def visible_to_user(user)
+      where(id: user.authorized_projects.select(:id).reorder(nil))
+    end
   end
 
   def team
@@ -316,16 +339,26 @@ class Project < ActiveRecord::Base
   end
 
   def add_import_job
-    if forked?
-      unless RepositoryForkWorker.perform_async(id, forked_from_project.path_with_namespace, self.namespace.path)
-        import_fail
+    if repository_exists?
+      if mirror?
+        RepositoryUpdateMirrorWorker.perform_async(self.id)
       end
+
+      return
+    end
+
+    if forked?
+      RepositoryForkWorker.perform_async(self.id, forked_from_project.path_with_namespace, self.namespace.path)
     else
-      RepositoryImportWorker.perform_async(id)
+      RepositoryImportWorker.perform_async(self.id)
     end
   end
 
   def clear_import_data
+    update(import_error: nil)
+
+    ProjectCacheWorker.perform_async(self.id)
+
     self.import_data.destroy if self.import_data
   end
 
@@ -353,6 +386,62 @@ class Project < ActiveRecord::Base
     import_status == 'finished'
   end
 
+  def safe_import_url
+    result = URI.parse(self.import_url)
+    result.password = '*****' unless result.password.nil?
+    result.to_s
+  rescue
+    original_url
+  end
+
+  def mirror_updated?
+    mirror? && self.mirror_last_update_at
+  end
+
+  def updating_mirror?
+    mirror? && import_in_progress? && !empty_repo?
+  end
+
+  def mirror_last_update_status
+    return unless mirror_updated?
+
+    if self.mirror_last_update_at == self.mirror_last_successful_update_at
+      :success
+    else
+      :failed
+    end
+  end
+
+  def mirror_last_update_success?
+    mirror_last_update_status == :success
+  end
+
+  def mirror_last_update_failed?
+    mirror_last_update_status == :failed
+  end
+
+  def mirror_ever_updated_successfully?
+    mirror_updated? && self.mirror_last_successful_update_at
+  end
+
+  def update_mirror
+    return unless mirror?
+
+    return if import_in_progress?
+
+    if import_failed?
+      import_retry
+    else
+      import_start
+    end
+  end
+
+  def fetch_mirror
+    return unless mirror?
+
+    repository.fetch_upstream(self.import_url)
+  end
+
   def check_limit
     unless creator.can_create_project? or namespace.kind == 'group'
       errors[:limit_reached] << ("Your project limit is #{creator.projects_limit} projects! Please contact your administrator to increase it")

app/models/project_services/drone_ci_service.rb

@@ -32,6 +32,8 @@ class DroneCiService < CiService
 
   def compose_service_hook
     hook = service_hook || build_service_hook
+    # If using a service template, project may not be available
+    hook.url = [drone_url, "/api/hook", "?owner=#{project.namespace.path}", "&name=#{project.path}", "&access_token=#{token}"].join if project
     hook.enable_ssl_verification = enable_ssl_verification
     hook.save
   end

app/models/project_services/gitlab_ci_service.rb

@@ -30,6 +30,7 @@ class GitlabCiService < CiService
   end
 
   def ensure_gitlab_ci_project
+    return unless project
     project.ensure_gitlab_ci_project
   end
 

app/models/project_services/slack_service/note_message.rb

@@ -45,30 +45,27 @@ class SlackService
     def create_commit_note(commit)
       commit_sha = commit[:id]
       commit_sha = Commit.truncate_sha(commit_sha)
-      commit_link = "[commit #{commit_sha}](#{@note_url})"
-      title = format_title(commit[:message])
-      @message = "#{@user_name} commented on #{commit_link} in #{project_link}: *#{title}*"
+      commented_on_message(
+        "[commit #{commit_sha}](#{@note_url})",
+        format_title(commit[:message]))
     end
 
     def create_issue_note(issue)
-      issue_iid = issue[:iid]
-      note_link = "[issue ##{issue_iid}](#{@note_url})"
-      title = format_title(issue[:title])
-      @message = "#{@user_name} commented on #{note_link} in #{project_link}: *#{title}*"
+      commented_on_message(
+        "[issue ##{issue[:iid]}](#{@note_url})",
+        format_title(issue[:title]))
     end
 
     def create_merge_note(merge_request)
-      merge_request_id = merge_request[:iid]
-      merge_request_link = "[merge request ##{merge_request_id}](#{@note_url})"
-      title = format_title(merge_request[:title])
-      @message = "#{@user_name} commented on #{merge_request_link} in #{project_link}: *#{title}*"
+      commented_on_message(
+        "[merge request ##{merge_request[:iid]}](#{@note_url})",
+        format_title(merge_request[:title]))
     end
 
     def create_snippet_note(snippet)
-      snippet_id = snippet[:id]
-      snippet_link = "[snippet ##{snippet_id}](#{@note_url})"
-      title = format_title(snippet[:title])
-      @message = "#{@user_name} commented on #{snippet_link} in #{project_link}: *#{title}*"
+      commented_on_message(
+        "[snippet ##{snippet[:id]}](#{@note_url})",
+        format_title(snippet[:title]))
     end
 
     def description_message
@@ -78,5 +75,9 @@ class SlackService
     def project_link
       "[#{@project_name}](#{@project_url})"
     end
+
+    def commented_on_message(target_link, title)
+      @message = "#{@user_name} commented on #{target_link} in #{project_link}: *#{title}*"
+    end
   end
 end

app/models/project_wiki.rb

@@ -86,6 +86,8 @@ class ProjectWiki
     commit = commit_details(:created, message, title)
 
     wiki.write_page(title, format, content, commit)
+
+    update_project_activity
   rescue Gollum::DuplicatePageError => e
     @error_message = "Duplicate page: #{e.message}"
     return false
@@ -95,10 +97,14 @@ class ProjectWiki
     commit = commit_details(:updated, message, page.title)
 
     wiki.update_page(page, page.name, format, content, commit)
+
+    update_project_activity
   end
 
   def delete_page(page, message = nil)
     wiki.delete_page(page, commit_details(:deleted, message, page.title))
+
+    update_project_activity
   end
 
   def page_title_and_dir(title)
@@ -146,4 +152,8 @@ class ProjectWiki
   def path_to_repo
     @path_to_repo ||= File.join(Gitlab.config.gitlab_shell.repos_path, "#{path_with_namespace}.git")
   end
+
+  def update_project_activity
+    @project.touch(:last_activity_at)
+  end
 end

app/models/repository.rb

@@ -4,9 +4,11 @@ class Repository
   class PreReceiveError < StandardError; end
   class CommitError < StandardError; end
 
+  MIRROR_REMOTE = "upstream"
+
   include Gitlab::ShellAdapter
 
-  attr_accessor :raw_repository, :path_with_namespace, :project
+  attr_accessor :path_with_namespace, :project
 
   def self.clean_old_archives
     repository_downloads_path = Gitlab.config.gitlab.repository_downloads_path
@@ -19,14 +21,18 @@ class Repository
   def initialize(path_with_namespace, default_branch = nil, project = nil)
     @path_with_namespace = path_with_namespace
     @project = project
+  end
 
-    if path_with_namespace
-      @raw_repository = Gitlab::Git::Repository.new(path_to_repo)
-      @raw_repository.autocrlf = :input
-    end
+  def raw_repository
+    return nil unless path_with_namespace
 
-  rescue Gitlab::Git::Repository::NoRepository
-    nil
+    @raw_repository ||= begin
+      repo = Gitlab::Git::Repository.new(path_to_repo)
+      repo.autocrlf = :input
+      repo
+    rescue Gitlab::Git::Repository::NoRepository
+      nil
+    end
   end
 
   # Return absolute path to repository
@@ -105,37 +111,47 @@ class Repository
   end
 
   def add_branch(branch_name, ref)
-    cache.expire(:branch_names)
-    @branches = nil
+    expire_branches_cache
 
     gitlab_shell.add_branch(path_with_namespace, branch_name, ref)
   end
 
   def add_tag(tag_name, ref, message = nil)
-    cache.expire(:tag_names)
-    @tags = nil
+    expire_tags_cache
 
     gitlab_shell.add_tag(path_with_namespace, tag_name, ref, message)
   end
 
   def rm_branch(branch_name)
-    cache.expire(:branch_names)
-    @branches = nil
+    expire_branches_cache
 
     gitlab_shell.rm_branch(path_with_namespace, branch_name)
   end
 
   def rm_tag(tag_name)
-    cache.expire(:tag_names)
-    @tags = nil
+    expire_tags_cache
 
     gitlab_shell.rm_tag(path_with_namespace, tag_name)
   end
 
+  def add_remote(name, url)
+    raw_repository.remote_add(name, url)
+  rescue Rugged::ConfigError
+    raw_repository.remote_update(name, url: url)
+  end
+
+  def fetch_remote(remote)
+    gitlab_shell.fetch_remote(path_with_namespace, remote)
+  end
+
   def branch_names
     cache.fetch(:branch_names) { raw_repository.branch_names }
   end
 
+  def branch_exists?(name)
+    branch_names.include?(name)
+  end
+
   def tag_names
     cache.fetch(:tag_names) { raw_repository.tag_names }
   end
@@ -169,6 +185,16 @@ class Repository
     end
   end
 
+  def expire_tags_cache
+    cache.expire(:tag_names)
+    @tags = nil
+  end
+
+  def expire_branches_cache
+    cache.expire(:branch_names)
+    @branches = nil
+  end
+
   def expire_cache
     cache_keys.each do |key|
       cache.expire(key)
@@ -496,16 +522,49 @@ class Repository
     root_ref_commit = commit(root_ref)
 
     if branch_commit
-      rugged.merge_base(root_ref_commit.id, branch_commit.id) == branch_commit.id
+      is_ancestor?(branch_commit.id, root_ref_commit.id)
     else
       nil
     end
   end
 
+  def fetch_upstream(url)
+    add_remote(Repository::MIRROR_REMOTE, url)
+    fetch_remote(Repository::MIRROR_REMOTE)
+  end
+
+  def upstream_branches
+    rugged.references.each("refs/remotes/#{Repository::MIRROR_REMOTE}/*").map do |ref|
+      name = ref.name.sub(/\Arefs\/remotes\/#{Repository::MIRROR_REMOTE}\//, "")
+
+      begin
+        Gitlab::Git::Branch.new(name, ref.target)
+      rescue Rugged::ReferenceError
+        # Omit invalid branch
+      end
+    end.compact
+  end
+
+  def diverged_from_upstream?(branch_name)
+    branch_commit = commit(branch_name)
+    upstream_commit = commit("refs/remotes/#{MIRROR_REMOTE}/#{branch_name}")
+
+    if upstream_commit
+      !is_ancestor?(branch_commit.id, upstream_commit.id)
+    else
+      false
+    end
+  end
+
   def merge_base(first_commit_id, second_commit_id)
     rugged.merge_base(first_commit_id, second_commit_id)
   end
 
+  def is_ancestor?(ancestor_id, descendant_id)
+    merge_base(ancestor_id, descendant_id) == ancestor_id
+  end
+
+
   def search_files(query, ref)
     offset = 2
     args = %W(#{Gitlab.config.git.bin_path} grep -i -n --before-context #{offset} --after-context #{offset} -e #{query} #{ref || root_ref})

app/models/user.rb

@@ -417,43 +417,23 @@ class User < ActiveRecord::Base
     end
   end
 
-  # Groups user has access to
+  # Returns the groups a user has access to
   def authorized_groups
-    @authorized_groups ||= begin
-                             group_ids = (groups.pluck(:id) + authorized_projects.pluck(:namespace_id))
-                             Group.where(id: group_ids)
-                           end
-  end
+    union = Gitlab::SQL::Union.
+      new([groups.select(:id), authorized_projects.select(:namespace_id)])
 
-  def authorized_projects_id
-    @authorized_projects_id ||= begin
-      project_ids = personal_projects.pluck(:id)
-      project_ids.push(*groups_projects.pluck(:id))
-      project_ids.push(*projects.pluck(:id).uniq)
-      project_ids.push(*groups.joins(:shared_projects).pluck(:project_id))
-    end
-  end
-
-  def master_or_owner_projects_id
-    @master_or_owner_projects_id ||= begin
-      scope = { access_level: [ Gitlab::Access::MASTER, Gitlab::Access::OWNER ] }
-      project_ids = personal_projects.pluck(:id)
-      project_ids.push(*groups_projects.where(members: scope).pluck(:id))
-      project_ids.push(*projects.where(members: scope).pluck(:id).uniq)
-    end
+    Group.where("namespaces.id IN (#{union.to_sql})")
   end
 
-  # Projects user has access to
+  # Returns the groups a user is authorized to access.
   def authorized_projects
-    @authorized_projects ||= Project.where(id: authorized_projects_id)
+    Project.where("projects.id IN (#{projects_union.to_sql})")
   end
 
   def owned_projects
     @owned_projects ||=
-      begin
-        namespace_ids = owned_groups.pluck(:id).push(namespace.id)
-        Project.in_namespace(namespace_ids).joins(:namespace)
-      end
+      Project.where('namespace_id IN (?) OR namespace_id = ?',
+                    owned_groups.select(:id), namespace.id).joins(:namespace)
   end
 
   # Team membership in authorized projects
@@ -772,12 +752,25 @@ class User < ActiveRecord::Base
     Doorkeeper::AccessToken.where(resource_owner_id: self.id, revoked_at: nil)
   end
 
-  def contributed_projects_ids
-    Event.contributions.where(author_id: self).
+  # Returns the projects a user contributed to in the last year.
+  #
+  # This method relies on a subquery as this performs significantly better
+  # compared to a JOIN when coupled with, for example,
+  # `Project.visible_to_user`. That is, consider the following code:
+  #
+  #     some_user.contributed_projects.visible_to_user(other_user)
+  #
+  # If this method were to use a JOIN the resulting query would take roughly 200
+  # ms on a database with a similar size to GitLab.com's database. On the other
+  # hand, using a subquery means we can get the exact same data in about 40 ms.
+  def contributed_projects
+    events = Event.select(:project_id).
+      contributions.where(author_id: self).
       where("created_at > ?", Time.now - 1.year).
-      reorder(project_id: :desc).
-      select(:project_id).
-      uniq.map(&:project_id)
+      uniq.
+      reorder(nil)
+
+    Project.where(id: events)
   end
 
   def restricted_signup_domains
@@ -810,8 +803,28 @@ class User < ActiveRecord::Base
   def ci_authorized_runners
     @ci_authorized_runners ||= begin
       runner_ids = Ci::RunnerProject.joins(:project).
-        where(ci_projects: { gitlab_id: master_or_owner_projects_id }).select(:runner_id)
+        where("ci_projects.gitlab_id IN (#{ci_projects_union.to_sql})").
+        select(:runner_id)
+
       Ci::Runner.specific.where(id: runner_ids)
     end
   end
+
+  private
+
+  def projects_union
+    Gitlab::SQL::Union.new([personal_projects.select(:id),
+                            groups_projects.select(:id),
+                            projects.select(:id),
+                            groups.joins(:shared_projects).select(:project_id)])
+  end
+
+  def ci_projects_union
+    scope  = { access_level: [Gitlab::Access::MASTER, Gitlab::Access::OWNER] }
+    groups = groups_projects.where(members: scope)
+    other  = projects.where(members: scope)
+
+    Gitlab::SQL::Union.new([personal_projects.select(:id), groups.select(:id),
+                            other.select(:id)])
+  end
 end

app/services/create_release_service.rb

+require_relative 'base_service'
+
+class CreateReleaseService < BaseService
+  def execute(tag_name, release_description)
+
+    repository = project.repository
+    existing_tag = repository.find_tag(tag_name)
+
+    # Only create a release if the tag exists
+    if existing_tag
+      release = project.releases.find_by(tag: tag_name)
+
+      if release
+        error('Release already exists', 409)
+      else
+        release = project.releases.new({ tag: tag_name, description: release_description })
+        release.save
+
+        success(release)
+      end
+    else
+      error('Tag does not exist', 404)
+    end
+  end
+
+  def success(release)
+    out = super()
+    out[:release] = release
+    out
+  end
+end

app/services/create_tag_service.rb

@@ -19,16 +19,16 @@ class CreateTagService < BaseService
     new_tag = repository.find_tag(tag_name)
 
     if new_tag
-      if release_description
-        release = project.releases.find_or_initialize_by(tag: tag_name)
-        release.update_attributes(description: release_description)
-      end
-
       push_data = create_push_data(project, current_user, new_tag)
       EventCreateService.new.push(project, current_user, push_data)
       project.execute_hooks(push_data.dup, :tag_push_hooks)
       project.execute_services(push_data.dup, :tag_push_hooks)
 
+      if release_description
+        CreateReleaseService.new(@project, @current_user).
+          execute(tag_name, release_description)
+      end
+
       success(new_tag)
     else
       error('Invalid reference name')