Merge branch 'master' into 22604-manual-actions

* master: (28 commits) Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' ... Merge branch 'html-safe-diff-line-content' into 'security' Merge branch 'rs-filter-authentication_token' into 'security' Merge branch 'destroy-session' into 'security' Updating reference to database password Update CHANGELOG.md for 8.13.9 Update CHANGELOG.md for 8.14.4 Don't check if stage name doesn't exist Various small emoji positioning adjustments Add nested groups support on data level Update factory_girl_rails to 4.7.0 Correct previous stable branch used in 8.14 to 8.15 update guide Enable display of admonition icons in Asciidoc. add link_to_if helper on target_branch link on Merge Request ... Fade out should be white instead of gray Do nothing if file is undefined fix: 24982- Remove'Signed in successfully' message After this ... adds impersonator variable and makes sudo usage overall more clear Reenables /user API request to return private-token if user is ... Fixed timeago re-rendering every element ...

Merge branch 'master' into 22604-manual-actions
* master: (28 commits) Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' ... Merge branch 'html-safe-diff-line-content' into 'security' Merge branch 'rs-filter-authentication_token' into 'security' Merge branch 'destroy-session' into 'security' Updating reference to database password Update CHANGELOG.md for 8.13.9 Update CHANGELOG.md for 8.14.4 Don't check if stage name doesn't exist Various small emoji positioning adjustments Add nested groups support on data level Update factory_girl_rails to 4.7.0 Correct previous stable branch used in 8.14 to 8.15 update guide Enable display of admonition icons in Asciidoc. add link_to_if helper on target_branch link on Merge Request ... Fade out should be white instead of gray Do nothing if file is undefined fix: 24982- Remove'Signed in successfully' message After this ... adds impersonator variable and makes sudo usage overall more clear Reenables /user API request to return private-token if user is ... Fixed timeago re-rendering every element ...
78757a0d · Grzegorz Bizon · b64cf840 · 1413c94a · 78757a0d · 78757a0d
Commit 78757a0d authored Dec 09, 2016 by Grzegorz Bizon
117 changed files
--- a/.eslintrc
+++ b/.eslintrc
@@ -8,7 +8,8 @@
  "globals": {
    "_": false,
    "gl": false,
-    "gon": false
+    "gon": false,
+    "localStorage": false
  },
  "plugins": [
    "filenames"

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,19 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 8.14.4 (2016-12-08)
+- Fix diff view permalink highlighting. !7090
+- Fix pipeline author for Slack and use pipeline id for pipeline link. !7506
+- Fix compatibility with Internet Explorer 11 for merge requests. !7525 (Steffen Rauh)
+- Reenables /user API request to return private-token if user is admin and request is made with sudo. !7615
+- Fix Cicking on tabs on pipeline page should set URL. !7709
+- Authorize users into imported GitLab project.
+- Destroy a user's session when they delete their own account.
+- Don't accidentally mark unsafe diff lines as HTML safe.
+- Replace MR access checks with use of MergeRequestsFinder.
+- Remove visible content caching.
 ## 8.14.3 (2016-12-02)
 - Pass commit data to ProcessCommitWorker to reduce Git overhead. !7744
@@ -251,6 +264,11 @@ entry.
 - Fix "Without projects" filter. !6611 (Ben Bodenmiller)
 - Fix 404 when visit /projects page
+## 8.13.9 (2016-12-08)
+- Reenables /user API request to return private-token if user is admin and request is made with sudo. !7615
+- Replace MR access checks with use of MergeRequestsFinder.
 ## 8.13.8 (2016-12-02)
 - Pass tag SHA to post-receive hook when tag is created via UI. !7700

--- a/Gemfile
+++ b/Gemfile
@@ -271,7 +271,7 @@ group :development, :test do
  gem 'fuubar', '~> 2.0.0'
  gem 'database_cleaner',   '~> 1.5.0'
-  gem 'factory_girl_rails', '~> 4.6.0'
+  gem 'factory_girl_rails', '~> 4.7.0'
  gem 'rspec-rails',        '~> 3.5.0'
  gem 'rspec-retry',        '~> 0.4.5'
  gem 'spinach-rails',      '~> 0.2.1'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -177,10 +177,10 @@ GEM
    excon (0.52.0)
    execjs (2.6.0)
    expression_parser (0.9.0)
-    factory_girl (4.5.0)
+    factory_girl (4.7.0)
      activesupport (>= 3.0.0)
-    factory_girl_rails (4.6.0)
+    factory_girl_rails (4.7.0)
-      factory_girl (~> 4.5.0)
+      factory_girl (~> 4.7.0)
      railties (>= 3.0.0)
    faraday (0.9.2)
      multipart-post (>= 1.2, < 3)
@@ -819,7 +819,7 @@ DEPENDENCIES
  dropzonejs-rails (~> 0.7.1)
  email_reply_parser (~> 0.5.8)
  email_spec (~> 1.6.0)
-  factory_girl_rails (~> 4.6.0)
+  factory_girl_rails (~> 4.7.0)
  ffaker (~> 2.0.0)
  flay (~> 2.6.1)
  fog-aws (~> 0.9)

--- a/app/assets/javascripts/blob/template_selector.js.es6
+++ b/app/assets/javascripts/blob/template_selector.js.es6
@@ -70,6 +70,8 @@
      // e.g.
      // Api.gitignoreText item.name, @requestFileSuccess.bind(@)
      requestFileSuccess(file, { skipFocus } = {}) {
+        if (!file) return;
        const oldValue = this.editor.getValue();
        let newValue = file.content;

--- a/app/assets/javascripts/dispatcher.js.es6
+++ b/app/assets/javascripts/dispatcher.js.es6
@@ -24,6 +24,7 @@
      switch (page) {
        case 'sessions:new':
          new UsernameValidator();
+          new ActiveTabMemoizer();
          break;
        case 'projects:boards:show':
        case 'projects:boards:index':

--- a/app/assets/javascripts/lib/utils/datetime_utility.js
+++ b/app/assets/javascripts/lib/utils/datetime_utility.js
@@ -29,7 +29,7 @@
        setTimeago = true;
      }
-      $timeagoEls.each(function() {
+      $timeagoEls.filter(':not([data-timeago-rendered])').each(function() {
        var $el = $(this);
        $el.attr('title', gl.utils.formatDate($el.attr('datetime')));
@@ -39,6 +39,8 @@
            template: '<div class="tooltip local-timeago" role="tooltip"><div class="tooltip-arrow"></div><div class="tooltip-inner"></div></div>'
          });
        }
+        $el.attr('data-timeago-rendered', true);
        gl.utils.renderTimeago($el);
      });
    };

--- a/app/assets/javascripts/signin_tabs_memoizer.js.es6
+++ b/app/assets/javascripts/signin_tabs_memoizer.js.es6
+/* eslint no-param-reassign: ["error", { "props": false }]*/
+/* eslint no-new: "off" */
+((global) => {
+  /**
+   * Memorize the last selected tab after reloading a page.
+   * Does that setting the current selected tab in the localStorage
+   */
+  class ActiveTabMemoizer {
+    constructor({ currentTabKey = 'current_signin_tab', tabSelector = 'ul.nav-tabs' } = {}) {
+      this.currentTabKey = currentTabKey;
+      this.tabSelector = tabSelector;
+      this.bootstrap();
+    }
+    bootstrap() {
+      const tabs = document.querySelectorAll(this.tabSelector);
+      if (tabs.length > 0) {
+        tabs[0].addEventListener('click', (e) => {
+          if (e.target && e.target.nodeName === 'A') {
+            const anchorName = e.target.getAttribute('href');
+            this.saveData(anchorName);
+          }
+        });
+      }
+      this.showTab();
+    }
+    showTab() {
+      const anchorName = this.readData();
+      if (anchorName) {
+        const tab = document.querySelector(`${this.tabSelector} a[href="${anchorName}"]`);
+        if (tab) {
+          tab.click();
+        }
+      }
+    }
+    saveData(val) {
+      localStorage.setItem(this.currentTabKey, val);
+    }
+    readData() {
+      return localStorage.getItem(this.currentTabKey);
+    }
+  }
+  global.ActiveTabMemoizer = ActiveTabMemoizer;
+})(window);
--- a/app/assets/stylesheets/framework.scss
+++ b/app/assets/stylesheets/framework.scss
@@ -6,6 +6,7 @@
 @import "framework/animations.scss";
 @import "framework/avatar.scss";
+@import "framework/asciidoctor.scss";
 @import "framework/blocks.scss";
 @import "framework/buttons.scss";
 @import "framework/calendar.scss";

--- a/app/assets/stylesheets/framework/asciidoctor.scss
+++ b/app/assets/stylesheets/framework/asciidoctor.scss
+.admonitionblock td.icon {
+  width: 1%;
+  [class^="fa icon-"] {
+    @extend .fa-2x;
+  }
+  .icon-note {
+    @extend .fa-thumb-tack;
+  }
+  .icon-tip {
+    @extend .fa-lightbulb-o;
+  }
+  .icon-warning {
+    @extend .fa-exclamation-triangle;
+  }
+  .icon-caution {
+    @extend .fa-fire;
+  }
+  .icon-important {
+    @extend .fa-exclamation-circle;
+  }
+}
--- a/app/assets/stylesheets/framework/awards.scss
+++ b/app/assets/stylesheets/framework/awards.scss
 .awards {
  .emoji-icon {
-    width: 19px;
+    width: 20px;
-    height: 19px;
+    height: 20px;
  }
 }
@@ -136,5 +136,6 @@
  .award-control-icon {
    color: $award-emoji-new-btn-icon-color;
+    margin-top: 1px;
  }
 }
--- a/app/assets/stylesheets/framework/common.scss
+++ b/app/assets/stylesheets/framework/common.scss
@@ -255,6 +255,7 @@ img.emoji {
  height: 20px;
  vertical-align: top;
  width: 20px;
+  margin-top: 1px;
 }
 .chart {

--- a/app/assets/stylesheets/pages/notes.scss
+++ b/app/assets/stylesheets/pages/notes.scss
@@ -124,7 +124,7 @@ ul.notes {
            position: absolute;
            left: 0;
            bottom: 0;
-            background: linear-gradient(rgba($gray-light, 0.1) -100px, $white-light 100%);
+            background: linear-gradient(rgba($white-light, 0.1) -100px, $white-light 100%);
          }
          &.hide-shade {
@@ -413,7 +413,6 @@ ul.notes {
  .fa {
    color: $notes-action-color;
    position: relative;
-    top: 1px;
    font-size: 17px;
  }

--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -56,7 +56,7 @@ class Admin::GroupsController < Admin::ApplicationController
  private
  def group
-    @group ||= Group.find_by(path: params[:id])
+    @group ||= Group.find_by_full_path(params[:id])
  end
  def group_params

--- a/app/controllers/concerns/creates_commit.rb
+++ b/app/controllers/concerns/creates_commit.rb
@@ -81,10 +81,8 @@ module CreatesCommit
  def merge_request_exists?
    return @merge_request if defined?(@merge_request)
-    @merge_request = @mr_target_project.merge_requests.opened.find_by(
+    @merge_request = MergeRequestsFinder.new(current_user, project_id: @mr_target_project.id).execute.opened.
-      source_branch: @mr_source_branch,
+      find_by(source_branch: @mr_source_branch, target_branch: @mr_target_branch)
-      target_branch: @mr_target_branch
-    )
  end
  def different_project?

--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -9,7 +9,7 @@ class Groups::ApplicationController < ApplicationController
  def group
    unless @group
      id = params[:group_id] || params[:id]
-      @group = Group.find_by(path: id)
+      @group = Group.find_by_full_path(id)
      unless @group && can?(current_user, :read_group, @group)
        @group = nil

--- a/app/controllers/projects/commit_controller.rb
+++ b/app/controllers/projects/commit_controller.rb
@@ -65,7 +65,7 @@ class Projects::CommitController < Projects::ApplicationController
    return render_404 if @target_branch.blank?
-    create_commit(Commits::RevertService, success_notice: "The #{@commit.change_type_title} has been successfully reverted.",
+    create_commit(Commits::RevertService, success_notice: "The #{@commit.change_type_title(current_user)} has been successfully reverted.",
                                          success_path: successful_change_path, failure_path: failed_change_path)
  end
@@ -74,26 +74,24 @@ class Projects::CommitController < Projects::ApplicationController
    return render_404 if @target_branch.blank?
-    create_commit(Commits::CherryPickService, success_notice: "The #{@commit.change_type_title} has been successfully cherry-picked.",
+    create_commit(Commits::CherryPickService, success_notice: "The #{@commit.change_type_title(current_user)} has been successfully cherry-picked.",
                                              success_path: successful_change_path, failure_path: failed_change_path)
  end
  private
  def successful_change_path
-    return referenced_merge_request_url if @commit.merged_merge_request
+    referenced_merge_request_url || namespace_project_commits_url(@project.namespace, @project, @target_branch)
-    namespace_project_commits_url(@project.namespace, @project, @target_branch)
  end
  def failed_change_path
-    return referenced_merge_request_url if @commit.merged_merge_request
+    referenced_merge_request_url || namespace_project_commit_url(@project.namespace, @project, params[:id])
-    namespace_project_commit_url(@project.namespace, @project, params[:id])
  end
  def referenced_merge_request_url
-    namespace_project_merge_request_url(@project.namespace, @project, @commit.merged_merge_request)
+    if merge_request = @commit.merged_merge_request(current_user)
+      namespace_project_merge_request_url(@project.namespace, @project, merge_request)
+    end
  end
  def commit

--- a/app/controllers/projects/commits_controller.rb
+++ b/app/controllers/projects/commits_controller.rb
@@ -21,7 +21,7 @@ class Projects::CommitsController < Projects::ApplicationController
    @note_counts = project.notes.where(commit_id: @commits.map(&:id)).
      group(:commit_id).count
-    @merge_request = @project.merge_requests.opened.
+    @merge_request = MergeRequestsFinder.new(current_user, project_id: @project.id).execute.opened.
      find_by(source_project: @project, source_branch: @ref, target_branch: @repository.root_ref)
    respond_to do |format|

--- a/app/controllers/projects/compare_controller.rb
+++ b/app/controllers/projects/compare_controller.rb
@@ -53,7 +53,7 @@ class Projects::CompareController < Projects::ApplicationController
  end
  def merge_request
-    @merge_request ||= @project.merge_requests.opened.
+    @merge_request ||= MergeRequestsFinder.new(current_user, project_id: @project.id).execute.opened.
      find_by(source_project: @project, source_branch: @head_ref, target_branch: @start_ref)
  end
 end
--- a/app/controllers/projects/discussions_controller.rb
+++ b/app/controllers/projects/discussions_controller.rb
@@ -24,7 +24,7 @@ class Projects::DiscussionsController < Projects::ApplicationController
  private
  def merge_request
-    @merge_request ||= @project.merge_requests.find_by!(iid: params[:merge_request_id])
+    @merge_request ||= MergeRequestsFinder.new(current_user, project_id: @project.id).find_by!(iid: params[:merge_request_id])
  end
  def discussion

--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -10,14 +10,38 @@ class Projects::ProjectMembersController < Projects::ApplicationController
    @project_members = @project.project_members
    @project_members = @project_members.non_invite unless can?(current_user, :admin_project, @project)
+    group = @project.group
+    if group
+      # We need `.where.not(user_id: nil)` here otherwise when a group has an
+      # invitee, it would make the following query return 0 rows since a NULL
+      # user_id would be present in the subquery
+      # See http://stackoverflow.com/questions/129077/not-in-clause-and-null-values
+      # FIXME: This whole logic should be moved to a finder!
+      non_null_user_ids = @project_members.where.not(user_id: nil).select(:user_id)
+      group_members = group.group_members.where.not(user_id: non_null_user_ids)
+      group_members = group_members.non_invite unless can?(current_user, :admin_group, @group)
+    end
    if params[:search].present?
-      users = @project.users.search(params[:search]).to_a
+      user_ids = @project.users.search(params[:search]).select(:id)
-      @project_members = @project_members.where(user_id: users)
+      @project_members = @project_members.where(user_id: user_ids)
+      if group_members
+        user_ids = group.users.search(params[:search]).select(:id)
+        group_members = group_members.where(user_id: user_ids)
+      end
      @group_links = @project.project_group_links.where(group_id: @project.invited_groups.search(params[:search]).select(:id))
    end
-    @project_members = @project_members.order(access_level: :desc).page(params[:page])
+    member_ids = @project_members.pluck(:id)
+    if group_members
+      member_ids += group_members.pluck(:id)
+    end
+    @project_members = Member.where(id: member_ids).order(access_level: :desc).page(params[:page])
    @requesters = AccessRequestsFinder.new(@project).execute(current_user)

--- a/app/controllers/projects/todos_controller.rb
+++ b/app/controllers/projects/todos_controller.rb
@@ -18,7 +18,7 @@ class Projects::TodosController < Projects::ApplicationController
      when "issue"
        IssuesFinder.new(current_user, project_id: @project.id).find(params[:issuable_id])
      when "merge_request"
-        @project.merge_requests.find(params[:issuable_id])
+        MergeRequestsFinder.new(current_user, project_id: @project.id).find(params[:issuable_id])
      end
    end
  end

--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -27,7 +27,10 @@ class RegistrationsController < Devise::RegistrationsController
    DeleteUserService.new(current_user).execute(current_user)
    respond_to do |format|
-      format.html { redirect_to new_user_session_path, notice: "Account successfully removed." }
+      format.html do
+        session.try(:destroy)
+        redirect_to new_user_session_path, notice: "Account successfully removed."
+      end 
    end
  end

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -31,6 +31,8 @@ class SessionsController < Devise::SessionsController
        resource.update_attributes(reset_password_token: nil,
                                   reset_password_sent_at: nil)
      end
+      # hide the signed-in notification
+      flash[:notice] = nil
      log_audit_event(current_user, with: authentication_method)
    end
  end

--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -77,6 +77,10 @@ class IssuableFinder
    counts
  end
+  def find_by!(*params)
+    execute.find_by!(*params)
+  end
  def group
    return @group if defined?(@group)

--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -14,7 +14,7 @@ class NotesFinder
      when "issue"
        IssuesFinder.new(current_user, project_id: project.id).find(target_id).notes.inc_author
      when "merge_request"
-        project.merge_requests.find(target_id).mr_and_commit_notes.inc_author
+        MergeRequestsFinder.new(current_user, project_id: project.id).find(target_id).mr_and_commit_notes.inc_author
      when "snippet", "project_snippet"
        project.snippets.find(target_id).notes
      else

--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -130,7 +130,7 @@ module CommitsHelper
  def revert_commit_link(commit, continue_to_path, btn_class: nil, has_tooltip: true)
    return unless current_user
-    tooltip = "Revert this #{commit.change_type_title} in a new merge request" if has_tooltip
+    tooltip = "Revert this #{commit.change_type_title(current_user)} in a new merge request" if has_tooltip
    if can_collaborate_with_project?
      btn_class = "btn btn-warning btn-#{btn_class}" unless btn_class.nil?
@@ -154,7 +154,7 @@ module CommitsHelper
  def cherry_pick_commit_link(commit, continue_to_path, btn_class: nil, has_tooltip: true)
    return unless current_user
-    tooltip = "Cherry-pick this #{commit.change_type_title} in a new merge request"
+    tooltip = "Cherry-pick this #{commit.change_type_title(current_user)} in a new merge request"
    if can_collaborate_with_project?
      btn_class = "btn btn-default btn-#{btn_class}" unless btn_class.nil?

--- a/app/helpers/diff_helper.rb
+++ b/app/helpers/diff_helper.rb
@@ -55,7 +55,9 @@ module DiffHelper
    if line.blank?
      "&nbsp;".html_safe
    else
-      line.sub(/^[\-+ ]/, '').html_safe
+      # We can't use `sub` because the HTML-safeness of `line` will not survive.
+      line[0] = '' if line.start_with?('+', '-', ' ')
+      line
    end
  end

--- a/app/helpers/groups_helper.rb
+++ b/app/helpers/groups_helper.rb
@@ -5,7 +5,7 @@ module GroupsHelper
  def group_icon(group)
    if group.is_a?(String)
-      group = Group.find_by(path: group)
+      group = Group.find_by_full_path(group)
    end
    group.try(:avatar_url) || image_path('no_group_avatar.png')

--- a/app/models/commit.rb
+++ b/app/models/commit.rb
@@ -245,44 +245,47 @@ class Commit
    project.repository.next_branch("cherry-pick-#{short_id}", mild: true)
  end
-  def revert_description
+  def revert_description(user)
-    if merged_merge_request
+    if merged_merge_request?(user)
-      "This reverts merge request #{merged_merge_request.to_reference}"
+      "This reverts merge request #{merged_merge_request(user).to_reference}"
    else
      "This reverts commit #{sha}"
    end
  end
-  def revert_message
+  def revert_message(user)
-    %Q{Revert "#{title.strip}"\n\n#{revert_description}}
+    %Q{Revert "#{title.strip}"\n\n#{revert_description(user)}}
  end
-  def reverts_commit?(commit)
+  def reverts_commit?(commit, user)
-    description? && description.include?(commit.revert_description)
+    description? && description.include?(commit.revert_description(user))
  end
  def merge_commit?
    parents.size > 1
  end
-  def merged_merge_request
+  def merged_merge_request(current_user)
-    return @merged_merge_request if defined?(@merged_merge_request)
+    # Memoize with per-user access check
+    @merged_merge_request_hash ||= Hash.new do |hash, user|
-    @merged_merge_request = project.merge_requests.find_by(merge_commit_sha: id) if merge_commit?
+      hash[user] = merged_merge_request_no_cache(user)
+    end
+    @merged_merge_request_hash[current_user]
  end
-  def has_been_reverted?(current_user = nil, noteable = self)
+  def has_been_reverted?(current_user, noteable = self)
    ext = all_references(current_user)
    noteable.notes_with_associations.system.each do |note|
      note.all_references(current_user, extractor: ext)
    end
-    ext.commits.any? { |commit_ref| commit_ref.reverts_commit?(self) }
+    ext.commits.any? { |commit_ref| commit_ref.reverts_commit?(self, current_user) }
  end
-  def change_type_title
+  def change_type_title(user)
-    merged_merge_request ? 'merge request' : 'commit'
+    merged_merge_request?(user) ? 'merge request' : 'commit'
  end
  # Get the URI type of the given path
@@ -350,4 +353,12 @@ class Commit
    changes
  end
+  def merged_merge_request?(user)
+    !!merged_merge_request(user)
+  end
+  def merged_merge_request_no_cache(user)
+    MergeRequestsFinder.new(user, project_id: project.id).find_by(merge_commit_sha: id) if merge_commit?
+  end
 end
--- a/app/models/concerns/milestoneish.rb
+++ b/app/models/concerns/milestoneish.rb
 module Milestoneish
-  def closed_items_count(user = nil)
+  def closed_items_count(user)
    issues_visible_to_user(user).closed.size + merge_requests.closed_and_merged.size
  end
-  def total_items_count(user = nil)
+  def total_items_count(user)
    issues_visible_to_user(user).size + merge_requests.size
  end
-  def complete?(user = nil)
+  def complete?(user)
    total_items_count(user) > 0 && total_items_count(user) == closed_items_count(user)
  end
-  def percent_complete(user = nil)
+  def percent_complete(user)
    ((closed_items_count(user) * 100) / total_items_count(user)).abs
  rescue ZeroDivisionError
    0
@@ -29,7 +29,7 @@ module Milestoneish
    (Date.today - start_date).to_i
  end
-  def issues_visible_to_user(user = nil)
+  def issues_visible_to_user(user)
    issues.visible_to_user(user)
  end

--- a/app/models/concerns/routable.rb
+++ b/app/models/concerns/routable.rb
+# Store object full path in separate table for easy lookup and uniq validation
+# Object must have path db field and respond to full_path and full_path_changed? methods.
+module Routable
+  extend ActiveSupport::Concern
+  included do
+    has_one :route, as: :source, autosave: true, dependent: :destroy
+    validates_associated :route
+    before_validation :update_route_path, if: :full_path_changed?
+  end
+  class_methods do
+    # Finds a single object by full path match in routes table.
+    #
+    # Usage:
+    #
+    #     Klass.find_by_full_path('gitlab-org/gitlab-ce')
+    #
+    # Returns a single object, or nil.
+    def find_by_full_path(path)
+      # On MySQL we want to ensure the ORDER BY uses a case-sensitive match so
+      # any literal matches come first, for this we have to use "BINARY".
+      # Without this there's still no guarantee in what order MySQL will return
+      # rows.
+      binary = Gitlab::Database.mysql? ? 'BINARY' : ''
+      order_sql = "(CASE WHEN #{binary} routes.path = #{connection.quote(path)} THEN 0 ELSE 1 END)"
+      where_paths_in([path]).reorder(order_sql).take
+    end
+    # Builds a relation to find multiple objects by their full paths.
+    #
+    # Usage:
+    #
+    #     Klass.where_paths_in(%w{gitlab-org/gitlab-ce gitlab-org/gitlab-ee})
+    #
+    # Returns an ActiveRecord::Relation.
+    def where_paths_in(paths)
+      wheres = []
+      cast_lower = Gitlab::Database.postgresql?
+      paths.each do |path|
+        path = connection.quote(path)
+        where = "(routes.path = #{path})"
+        if cast_lower
+          where = "(#{where} OR (LOWER(routes.path) = LOWER(#{path})))"
+        end
+        wheres << where
+      end
+      if wheres.empty?
+        none
+      else
+        joins(:route).where(wheres.join(' OR '))
+      end
+    end
+  end
+  private
+  def update_route_path
+    route || build_route(source: self)
+    route.path = full_path
+  end
+end
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -805,7 +805,7 @@ class MergeRequest < ActiveRecord::Base
    @merge_commit ||= project.commit(merge_commit_sha) if merge_commit_sha
  end
-  def can_be_reverted?(current_user = nil)
+  def can_be_reverted?(current_user)
    merge_commit && !merge_commit.has_been_reverted?(current_user, self)
  end

--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -4,12 +4,16 @@ class Namespace < ActiveRecord::Base
  include CacheMarkdownField
  include Sortable
  include Gitlab::ShellAdapter
+  include Routable
  cache_markdown_field :description, pipeline: :description
  has_many :projects, dependent: :destroy
  belongs_to :owner, class_name: "User"
+  belongs_to :parent, class_name: "Namespace"
+  has_many :children, class_name: "Namespace", foreign_key: :parent_id
  validates :owner, presence: true, unless: ->(n) { n.type == "Group" }
  validates :name,
    presence: true,
@@ -86,7 +90,7 @@ class Namespace < ActiveRecord::Base
  end
  def to_param
-    path
+    full_path
  end
  def human_name
@@ -150,6 +154,14 @@ class Namespace < ActiveRecord::Base
    Gitlab.config.lfs.enabled
  end
+  def full_path
+    if parent
+      parent.full_path + '/' + path
+    else
+      path
+    end
+  end
  private
  def repository_storage_paths
@@ -185,4 +197,8 @@ class Namespace < ActiveRecord::Base
      where(projects: { namespace_id: id }).
      find_each(&:refresh_members_authorized_projects)
  end
+  def full_path_changed?
+    path_changed? || parent_id_changed?
+  end
 end
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -14,6 +14,7 @@ class Project < ActiveRecord::Base
  include TokenAuthenticatable
  include ProjectFeaturesCompatibility
  include SelectForProjectAuthorization
+  include Routable
  extend Gitlab::ConfigHelper
@@ -324,87 +325,6 @@ class Project < ActiveRecord::Base
      non_archived.where(table[:name].matches(pattern))
    end
-    # Finds a single project for the given path.
-    #
-    # path - The full project path (including namespace path).
-    #
-    # Returns a Project, or nil if no project could be found.
-    def find_with_namespace(path)
-      namespace_path, project_path = path.split('/', 2)
-      return unless namespace_path && project_path
-      namespace_path = connection.quote(namespace_path)
-      project_path = connection.quote(project_path)
-      # On MySQL we want to ensure the ORDER BY uses a case-sensitive match so
-      # any literal matches come first, for this we have to use "BINARY".
-      # Without this there's still no guarantee in what order MySQL will return
-      # rows.
-      binary = Gitlab::Database.mysql? ? 'BINARY' : ''
-      order_sql = "(CASE WHEN #{binary} namespaces.path = #{namespace_path} " \
-        "AND #{binary} projects.path = #{project_path} THEN 0 ELSE 1 END)"
-      where_paths_in([path]).reorder(order_sql).take
-    end
-    # Builds a relation to find multiple projects by their full paths.
-    #
-    # Each path must be in the following format:
-    #
-    #     namespace_path/project_path
-    #
-    # For example:
-    #
-    #     gitlab-org/gitlab-ce
-    #
-    # Usage:
-    #
-    #     Project.where_paths_in(%w{gitlab-org/gitlab-ce gitlab-org/gitlab-ee})
-    #
-    # This would return the projects with the full paths matching the values
-    # given.
-    #
-    # paths - An Array of full paths (namespace path + project path) for which
-    #         to find the projects.
-    #
-    # Returns an ActiveRecord::Relation.
-    def where_paths_in(paths)
-      wheres = []
-      cast_lower = Gitlab::Database.postgresql?
-      paths.each do |path|
-        namespace_path, project_path = path.split('/', 2)
-        next unless namespace_path && project_path
-        namespace_path = connection.quote(namespace_path)
-        project_path = connection.quote(project_path)
-        where = "(namespaces.path = #{namespace_path}
-          AND projects.path = #{project_path})"
-        if cast_lower
-          where = "(
-            #{where}
-            OR (
-              LOWER(namespaces.path) = LOWER(#{namespace_path})
-              AND LOWER(projects.path) = LOWER(#{project_path})
-            )
-          )"
-        end
-        wheres << where
-      end
-      if wheres.empty?
-        none
-      else
-        joins(:namespace).where(wheres.join(' OR '))
-      end
-    end
    def visibility_levels
      Gitlab::VisibilityLevel.options
    end
@@ -440,6 +360,10 @@ class Project < ActiveRecord::Base
    def group_ids
      joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id)
    end
+    # Add alias for Routable method for compatibility with old code.
+    # In future all calls `find_with_namespace` should be replaced with `find_by_full_path`
+    alias_method :find_with_namespace, :find_by_full_path
  end
  def lfs_enabled?
@@ -879,13 +803,14 @@ class Project < ActiveRecord::Base
  end
  alias_method :human_name, :name_with_namespace
-  def path_with_namespace
+  def full_path
-    if namespace
+    if namespace && path
-      namespace.path + '/' + path
+      namespace.full_path + '/' + path
    else
      path
    end
  end
+  alias_method :path_with_namespace, :full_path
  def execute_hooks(data, hooks_scope = :push_hooks)
    hooks.send(hooks_scope).each do |hook|
@@ -1373,4 +1298,8 @@ class Project < ActiveRecord::Base
  def validate_board_limit(board)
    raise BoardLimitExceeded, 'Number of permitted boards exceeded' if boards.size >= NUMBER_OF_PERMITTED_BOARDS
  end
+  def full_path_changed?
+    path_changed? || namespace_id_changed?
+  end
 end
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -950,7 +950,7 @@ class Repository
    update_branch_with_hooks(user, base_branch) do
      committer = user_to_committer(user)
      source_sha = Rugged::Commit.create(rugged,
-        message: commit.revert_message,
+        message: commit.revert_message(user),
        author: committer,
        committer: committer,
        tree: revert_tree_id,

--- a/app/models/route.rb
+++ b/app/models/route.rb
+class Route < ActiveRecord::Base
+  belongs_to :source, polymorphic: true
+  validates :source, presence: true
+  validates :path,
+    length: { within: 1..255 },
+    presence: true,
+    uniqueness: { case_sensitive: false }
+  after_update :rename_children, if: :path_changed?
+  def rename_children
+    # We update each row separately because MySQL does not have regexp_replace.
+    # rubocop:disable Rails/FindEach
+    Route.where('path LIKE ?', "#{path_was}%").each do |route|
+      # Note that update column skips validation and callbacks.
+      # We need this to avoid recursive call of rename_children method
+      route.update_column(:path, route.path.sub(path_was, path))
+    end
+  end
+end
--- a/app/services/commits/change_service.rb
+++ b/app/services/commits/change_service.rb
@@ -34,7 +34,7 @@ module Commits
        repository.public_send(action, current_user, @commit, into, tree_id)
        success
      else
-        error_msg = "Sorry, we cannot #{action.to_s.dasherize} this #{@commit.change_type_title} automatically.
+        error_msg = "Sorry, we cannot #{action.to_s.dasherize} this #{@commit.change_type_title(current_user)} automatically.
                     It may have already been #{action.to_s.dasherize}, or a more recent commit may have updated some of its content."
        raise ChangeError, error_msg
      end

--- a/app/services/destroy_group_service.rb
+++ b/app/services/destroy_group_service.rb
@@ -20,6 +20,10 @@ class DestroyGroupService
      ::Projects::DestroyService.new(project, current_user, skip_repo: true).execute
    end
+    group.children.each do |group|
+      DestroyGroupService.new(group, current_user).async_execute
+    end
    group.really_destroy!
  end
 end
--- a/app/views/devise/sessions/new.html.haml
+++ b/app/views/devise/sessions/new.html.haml
 - page_title "Sign in"
 %div
  - if form_based_providers.any?
    = render 'devise/shared/tabs_ldap'

--- a/app/views/layouts/nav/_project.html.haml
+++ b/app/views/layouts/nav/_project.html.haml
@@ -77,7 +77,7 @@
        = link_to namespace_project_merge_requests_path(@project.namespace, @project), title: 'Merge Requests', class: 'shortcuts-merge_requests' do
          %span
            Merge Requests
-            %span.badge.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count)
+            %span.badge.count.merge_counter= number_with_delimiter(MergeRequestsFinder.new(current_user, project_id: @project.id).execute.opened.count)
    - if project_nav_tab? :wiki
      = nav_link(controller: :wikis) do

--- a/app/views/projects/_merge_request_merge_settings.html.haml
+++ b/app/views/projects/_merge_request_merge_settings.html.haml
+- form = local_assigns.fetch(:form)
+.form-group
+  .checkbox.builds-feature
+    = form.label :only_allow_merge_if_build_succeeds do
+      = form.check_box :only_allow_merge_if_build_succeeds
+      %strong Only allow merge requests to be merged if the build succeeds
+      %br
+      %span.descr
+        Builds need to be configured to enable this feature.
+        = link_to icon('question-circle'), help_page_path('user/project/merge_requests/merge_when_build_succeeds', anchor: 'only-allow-merge-requests-to-be-merged-if-the-build-succeeds')
+  .checkbox
+    = form.label :only_allow_merge_if_all_discussions_are_resolved do
+      = form.check_box :only_allow_merge_if_all_discussions_are_resolved
+      %strong Only allow merge requests to be merged if all discussions are resolved
--- a/app/views/projects/_merge_request_settings.html.haml
+++ b/app/views/projects/_merge_request_settings.html.haml
-.merge-requests-feature
+- form = local_assigns.fetch(:form)
-  %fieldset.builds-feature
-    %hr
+%fieldset.features.merge-requests-feature.append-bottom-default
-    %h5.prepend-top-0
+  %hr
-      Merge Requests
+  %h5.prepend-top-0
-    .form-group
+    Merge Requests
-      .checkbox
-        = f.label :only_allow_merge_if_build_succeeds do
+  = render 'projects/merge_request_merge_settings', form: form
-          = f.check_box :only_allow_merge_if_build_succeeds
-          %strong Only allow merge requests to be merged if the build succeeds
-          %br
-          %span.descr
-            Builds need to be configured to enable this feature.
-            = link_to icon('question-circle'), help_page_path('user/project/merge_requests/merge_when_build_succeeds', anchor: 'only-allow-merge-requests-to-be-merged-if-the-build-succeeds')
-      .checkbox
-        = f.label :only_allow_merge_if_all_discussions_are_resolved do
-          = f.check_box :only_allow_merge_if_all_discussions_are_resolved
-          %strong Only allow merge requests to be merged if all discussions are resolved
--- a/app/views/projects/commit/_change.html.haml
+++ b/app/views/projects/commit/_change.html.haml
@@ -11,7 +11,7 @@
    .modal-content
      .modal-header
        %a.close{href: "#", "data-dismiss" => "modal"} ×
-        %h3.page-title== #{label} this #{commit.change_type_title}
+        %h3.page-title== #{label} this #{commit.change_type_title(current_user)}
      .modal-body
        = form_tag send("#{type.underscore}_namespace_project_commit_path", @project.namespace, @project, commit.id), method: :post, remote: false, class: 'form-horizontal js-#{type}-form js-requires-input' do
          .form-group.branch

--- a/app/views/projects/edit.html.haml
+++ b/app/views/projects/edit.html.haml
@@ -112,7 +112,8 @@
                %span.descr Enable Container Registry for this project
                = link_to icon('question-circle'), help_page_path('user/project/container_registry'), target: '_blank'
-        = render 'merge_request_settings', f: f
+        = render 'merge_request_settings', form: f
        %hr
        %fieldset.features.append-bottom-default
          %h5.prepend-top-0

--- a/app/views/projects/forks/error.html.haml
+++ b/app/views/projects/forks/error.html.haml
@@ -13,7 +13,11 @@
    - if @forked_project && @forked_project.errors.any?
      %p
        &ndash;
-        = @forked_project.errors.full_messages.first
+        - error = @forked_project.errors.full_messages.first
+        - if error.include?("already been taken")
+          Name has already been taken
+        - else
+          = error
    %p
      = link_to new_namespace_project_fork_path(@project.namespace, @project), title: "Fork", class: "btn" do

--- a/app/views/projects/merge_requests/_show.html.haml
+++ b/app/views/projects/merge_requests/_show.html.haml
@@ -31,7 +31,7 @@
        %span.label-branch= source_branch_with_namespace(@merge_request)
        %span into
        %span.label-branch
-          = link_to @merge_request.target_branch, namespace_project_commits_path(@project.namespace, @project, @merge_request.target_branch)
+          = link_to_if @merge_request.target_branch_exists?, @merge_request.target_branch, namespace_project_commits_path(@project.namespace, @project, @merge_request.target_branch)
        - if @merge_request.open? && @merge_request.diverged_from_target_branch?
          %span (#{pluralize(@merge_request.diverged_commits_count, 'commit')} behind)

--- a/app/views/projects/stage/_graph.html.haml
+++ b/app/views/projects/stage/_graph.html.haml
@@ -4,8 +4,7 @@
 %li.stage-column
  .stage-name
    %a{ name: stage.name }
-    - if stage.name
+    = stage.name.titleize
-      = stage.name.titleize
  .builds-container
    %ul
      - status_groups.each do |group_name, grouped_statuses|

--- a/app/views/projects/stage/_stage.html.haml
+++ b/app/views/projects/stage/_stage.html.haml
@@ -4,9 +4,8 @@
      %a{ name: stage.name }
      %span{class: "ci-status-link ci-status-icon-#{stage.status}"}
        = ci_icon_for_status(stage.status)
-      - if stage.name
+      &nbsp;
-        &nbsp;
+      = stage.name.titleize
-        = stage.name.titleize
 = render stage.statuses.latest_ordered, coverage: @project.build_coverage_enabled?, stage: false, ref: false, pipeline_link: false, allow_retry: true
 = render stage.statuses.retried_ordered, coverage: @project.build_coverage_enabled?, stage: false, ref: false, pipeline_link: false, retried: true
 %tr

--- a/app/views/shared/_event_filter.html.haml
+++ b/app/views/shared/_event_filter.html.haml
@@ -4,6 +4,8 @@
    = event_filter_link EventFilter.push, 'Push events'
  - if event_filter_visible(:merge_requests)
    = event_filter_link EventFilter.merged, 'Merge events'
+  - if event_filter_visible(:issues)
+    = event_filter_link EventFilter.issue, 'Issue events'
  - if event_filter_visible(:issues)
    = event_filter_link EventFilter.comments, 'Comments'
  = event_filter_link EventFilter.team, 'Team'
--- a/app/views/shared/members/_member.html.haml
+++ b/app/views/shared/members/_member.html.haml
@@ -20,8 +20,8 @@
          %strong Blocked
      - if source.instance_of?(Group) && !@group
-        = link_to source, class: "member-group-link prepend-left-5" do
+        &middot;
-          = "· #{source.name}"
+        = link_to source.name, source, class: "member-group-link"
      .hidden-xs.cgray
        - if member.request?
@@ -45,7 +45,7 @@
        = time_ago_with_tooltip(member.created_at)
  - if show_roles
    .controls.member-controls
-      - if show_controls
+      - if show_controls && (member.respond_to?(:group) && @group) || (member.respond_to?(:project) && @project)
        - if user != current_user
          = form_for member, remote: true, html: { class: 'form-horizontal js-edit-member-form' } do |f|
            = f.select :access_level, options_for_select(member.class.access_level_roles, member.access_level), {}, class: 'form-control member-form-control append-right-5 js-member-update-control', id: "member_access_level_#{member.id}", disabled: !can_admin_member

--- a/changelogs/unreleased/15081-wrong-login-tab-ldap-frontend.yml
+++ b/changelogs/unreleased/15081-wrong-login-tab-ldap-frontend.yml
+---
+title: Fix wrong tab selected when loggin fails and multiple login tabs exists
+merge_request: 7314
+author: Jacopo Beschi @jacopo-beschi 
--- a/changelogs/unreleased/23696-fix-diff-view-highlighting.yml
+++ b/changelogs/unreleased/23696-fix-diff-view-highlighting.yml
---
-title: Fix diff view permalink highlighting
-merge_request: 7090
-author:
--- a/changelogs/unreleased/24507_remove_deleted_branch_link_in_merge_request.yml
+++ b/changelogs/unreleased/24507_remove_deleted_branch_link_in_merge_request.yml
+---
+title: 'Remove unnecessary target branch link from MR page in case of deleted target branch'
+merge_request: 7916
+author: Rydkin Maxim
--- a/changelogs/unreleased/24814-pipeline-tabs.yml
+++ b/changelogs/unreleased/24814-pipeline-tabs.yml
---
-title: Fix Cicking on tabs on pipeline page should set URL
-merge_request: 7709
-author:
--- a/changelogs/unreleased/24982-ux-improvement-sign-in-success-message.yml
+++ b/changelogs/unreleased/24982-ux-improvement-sign-in-success-message.yml
+---
+title: 'fix: 24982- Remove''Signed in successfully'' message After this change the
+  sign-in-success flash message will not be shown'
+merge_request: 7837
+author: jnoortheen
--- a/changelogs/unreleased/25171-fix-mr-features-settings-hidden-when-builds-are-disabled.yml
+++ b/changelogs/unreleased/25171-fix-mr-features-settings-hidden-when-builds-are-disabled.yml
+---
+title: Remove wrong '.builds-feature' class from the MR settings fieldset
+merge_request: 7930
+author: 
--- a/changelogs/unreleased/destroy-session.yml
+++ b/changelogs/unreleased/destroy-session.yml
+---
+title: Destroy a user's session when they delete their own account
+merge_request: 
+author: 
--- a/changelogs/unreleased/remove-has-visible-content-caching.yml
+++ b/changelogs/unreleased/remove-has-visible-content-caching.yml
 ---
-title: Remove visible content caching
+title: Add nested groups support on data level
 merge_request: 
 author: 
--- a/changelogs/unreleased/enable-asciidoctor-admonition-icons.yml
+++ b/changelogs/unreleased/enable-asciidoctor-admonition-icons.yml
+---
+title: Enable AsciiDoctor admonition icons
+merge_request: 7812
+author: Horacio Sanson
--- a/changelogs/unreleased/fix-compatibility-with-ie11-for-merge-requests.yml
+++ b/changelogs/unreleased/fix-compatibility-with-ie11-for-merge-requests.yml
---
-title: Fix compatibility with Internet Explorer 11 for merge requests
-merge_request: 7525
-author: Steffen Rauh
--- a/changelogs/unreleased/fix-slack-pipeline-event.yml
+++ b/changelogs/unreleased/fix-slack-pipeline-event.yml
---
-title: Fix pipeline author for Slack and use pipeline id for pipeline link
-merge_request: 7506
-author:
--- a/changelogs/unreleased/fix-authorize-users-into-imported-gitlab-project.yml
+++ b/changelogs/unreleased/fix-authorize-users-into-imported-gitlab-project.yml
 ---
-title: Authorize users into imported GitLab project
+title: Shows group members in project members list
 merge_request: 
 author: 
--- a/changelogs/unreleased/html-safe-diff-line-content.yml
+++ b/changelogs/unreleased/html-safe-diff-line-content.yml
+---
+title: Don't accidentally mark unsafe diff lines as HTML safe
+merge_request: 
+author: 
--- a/changelogs/unreleased/issue-events-filter.yml
+++ b/changelogs/unreleased/issue-events-filter.yml
+---
+title: Add issue events filter and make all really show all events
+merge_request: 7673
+author:  Oxan van Leeuwen
--- a/changelogs/unreleased/jej-23867-use-mr-finder-instead-of-access-check.yml
+++ b/changelogs/unreleased/jej-23867-use-mr-finder-instead-of-access-check.yml
+---
+title: Replace MR access checks with use of MergeRequestsFinder
+merge_request: 
+author: 
--- a/changelogs/unreleased/public-tags-api.yml
+++ b/changelogs/unreleased/public-tags-api.yml
+---
+title: Allow public access to some Tag API endpoints
+merge_request: 
+author: 
--- a/changelogs/unreleased/small-emoji-adjustments.yml
+++ b/changelogs/unreleased/small-emoji-adjustments.yml
+---
+title: Various small emoji positioning adjustments
+merge_request:
+author: 
--- a/changelogs/unreleased/timeago-perf-fix.yml
+++ b/changelogs/unreleased/timeago-perf-fix.yml
+---
+title: Fixed timeago re-rendering every timeago
+merge_request: 
+author: 
--- a/config/application.rb
+++ b/config/application.rb
@@ -45,7 +45,7 @@ module Gitlab
    #
    # Parameters filtered:
    # - Password (:password, :password_confirmation)
-    # - Private tokens (:private_token)
+    # - Private tokens (:private_token, :authentication_token)
    # - Two-factor tokens (:otp_attempt)
    # - Repo/Project Import URLs (:import_url)
    # - Build variables (:variables)
@@ -55,6 +55,7 @@ module Gitlab
    # - Sentry DSN (:sentry_dsn)
    # - Deploy keys (:key)
    config.filter_parameters += %i(
+      authentication_token
      certificate
      encrypted_key
      hook

--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -15,7 +15,7 @@ if Rails.env.production?
    Raven.configure do |config|
      config.dsn = current_application_settings.sentry_dsn
      config.release = Gitlab::REVISION
      # Sanitize fields based on those sanitized from Rails.
      config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
      # Sanitize authentication headers

--- a/db/migrate/20161124111390_add_parent_id_to_namespace.rb
+++ b/db/migrate/20161124111390_add_parent_id_to_namespace.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class AddParentIdToNamespace < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def change
+    add_column(:namespaces, :parent_id, :integer)
+  end
+end
--- a/db/migrate/20161124111395_add_index_to_parent_id.rb
+++ b/db/migrate/20161124111395_add_index_to_parent_id.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class AddIndexToParentId < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  disable_ddl_transaction!
+  def change
+    add_concurrent_index(:namespaces, [:parent_id, :id], unique: true)
+  end
+end
--- a/db/migrate/20161124111402_add_routes_table.rb
+++ b/db/migrate/20161124111402_add_routes_table.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class AddRoutesTable < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def change
+    create_table :routes do |t|
+      t.integer :source_id,    null: false
+      t.string  :source_type,  null: false
+      t.string  :path,         null: false
+      t.timestamps
+    end
+  end
+end
--- a/db/migrate/20161130095245_fill_routes_table.rb
+++ b/db/migrate/20161130095245_fill_routes_table.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class FillRoutesTable < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = true
+  DOWNTIME_REASON = 'No new namespaces should be created during data copy'
+  def up
+    execute <<-EOF
+      INSERT INTO routes
+      (source_id, source_type, path)
+      (SELECT id, 'Namespace', path FROM namespaces)
+    EOF
+  end
+  def down
+    Route.delete_all(source_type: 'Namespace')
+  end
+end
--- a/db/migrate/20161130101252_fill_projects_routes_table.rb
+++ b/db/migrate/20161130101252_fill_projects_routes_table.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class FillProjectsRoutesTable < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = true
+  DOWNTIME_REASON = 'No new projects should be created during data copy'
+  def up
+    execute <<-EOF
+      INSERT INTO routes
+      (source_id, source_type, path)
+      (SELECT projects.id, 'Project', concat(namespaces.path, '/', projects.path) FROM projects
+      INNER JOIN namespaces ON projects.namespace_id = namespaces.id)
+    EOF
+  end
+  def down
+    Route.delete_all(source_type: 'Project')
+  end
+end
--- a/db/migrate/20161202152031_remove_duplicates_from_routes.rb
+++ b/db/migrate/20161202152031_remove_duplicates_from_routes.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class RemoveDuplicatesFromRoutes < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def up
+    select_all("SELECT path FROM #{quote_table_name(:routes)} GROUP BY path HAVING COUNT(*) > 1").each do |row|
+      path = connection.quote(row['path'])
+      execute(%Q{
+        DELETE FROM #{quote_table_name(:routes)}
+        WHERE path = #{path}
+        AND id != (
+          SELECT id FROM (
+            SELECT max(id) AS id
+            FROM #{quote_table_name(:routes)}
+            WHERE path = #{path}
+          ) max_ids
+        )
+      })
+    end
+  end
+  def down
+  end
+end
--- a/db/migrate/20161202152035_add_index_to_routes.rb
+++ b/db/migrate/20161202152035_add_index_to_routes.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class AddIndexToRoutes < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+  disable_ddl_transaction!
+  def change
+    add_concurrent_index(:routes, :path, unique: true)
+    add_concurrent_index(:routes, [:source_type, :source_id], unique: true)
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20161128161412) do
+ActiveRecord::Schema.define(version: 20161202152035) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -98,14 +98,14 @@ ActiveRecord::Schema.define(version: 20161128161412) do
    t.text "help_page_text_html"
    t.text "shared_runners_text_html"
    t.text "after_sign_up_text_html"
-    t.boolean "sidekiq_throttling_enabled", default: false
-    t.string "sidekiq_throttling_queues"
-    t.decimal "sidekiq_throttling_factor"
    t.boolean "housekeeping_enabled", default: true, null: false
    t.boolean "housekeeping_bitmaps_enabled", default: true, null: false
    t.integer "housekeeping_incremental_repack_period", default: 10, null: false
    t.integer "housekeeping_full_repack_period", default: 50, null: false
    t.integer "housekeeping_gc_period", default: 200, null: false
+    t.boolean "sidekiq_throttling_enabled", default: false
+    t.string "sidekiq_throttling_queues"
+    t.decimal "sidekiq_throttling_factor"
    t.boolean "html_emails_enabled", default: true
  end
@@ -737,8 +737,9 @@ ActiveRecord::Schema.define(version: 20161128161412) do
    t.integer "visibility_level", default: 20, null: false
    t.boolean "request_access_enabled", default: false, null: false
    t.datetime "deleted_at"
-    t.boolean "lfs_enabled"
    t.text "description_html"
+    t.boolean "lfs_enabled"
+    t.integer "parent_id"
  end
  add_index "namespaces", ["created_at"], name: "index_namespaces_on_created_at", using: :btree
@@ -746,6 +747,7 @@ ActiveRecord::Schema.define(version: 20161128161412) do
  add_index "namespaces", ["name"], name: "index_namespaces_on_name", unique: true, using: :btree
  add_index "namespaces", ["name"], name: "index_namespaces_on_name_trigram", using: :gin, opclasses: {"name"=>"gin_trgm_ops"}
  add_index "namespaces", ["owner_id"], name: "index_namespaces_on_owner_id", using: :btree
+  add_index "namespaces", ["parent_id", "id"], name: "index_namespaces_on_parent_id_and_id", unique: true, using: :btree
  add_index "namespaces", ["path"], name: "index_namespaces_on_path", unique: true, using: :btree
  add_index "namespaces", ["path"], name: "index_namespaces_on_path_trigram", using: :gin, opclasses: {"path"=>"gin_trgm_ops"}
  add_index "namespaces", ["type"], name: "index_namespaces_on_type", using: :btree
@@ -991,6 +993,17 @@ ActiveRecord::Schema.define(version: 20161128161412) do
  add_index "releases", ["project_id", "tag"], name: "index_releases_on_project_id_and_tag", using: :btree
  add_index "releases", ["project_id"], name: "index_releases_on_project_id", using: :btree
+  create_table "routes", force: :cascade do |t|
+    t.integer "source_id", null: false
+    t.string "source_type", null: false
+    t.string "path", null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+  add_index "routes", ["path"], name: "index_routes_on_path", unique: true, using: :btree
+  add_index "routes", ["source_type", "source_id"], name: "index_routes_on_source_type_and_source_id", unique: true, using: :btree
  create_table "sent_notifications", force: :cascade do |t|
    t.integer "project_id"
    t.integer "noteable_id"
@@ -1206,8 +1219,8 @@ ActiveRecord::Schema.define(version: 20161128161412) do
    t.datetime "otp_grace_period_started_at"
    t.boolean "ldap_email", default: false, null: false
    t.boolean "external", default: false
-    t.string "organization"
    t.string "incoming_email_token"
+    t.string "organization"
    t.boolean "authorized_projects_populated"
  end

--- a/doc/administration/high_availability/database.md
+++ b/doc/administration/high_availability/database.md
@@ -41,7 +41,7 @@ If you use a cloud-managed service, or provide your own PostgreSQL:
    mailroom['enable'] = false
    # PostgreSQL configuration
-    postgresql['sql_password'] = 'DB password'
+    gitlab_rails['db_password'] = 'DB password'
    postgresql['md5_auth_cidr_addresses'] = ['0.0.0.0/0']
    postgresql['listen_address'] = '0.0.0.0'
    ```
@@ -80,7 +80,7 @@ If you use a cloud-managed service, or provide your own PostgreSQL:
 1. Similarly, set the password for the `gitlab` database user. Use the same
   password that you specified in the `/etc/gitlab/gitlab.rb` file for
-   `postgresql['sql_password']`.
+   `gitlab_rails['db_password']`.
    ```
    \password gitlab

--- a/doc/api/tags.md
+++ b/doc/api/tags.md
@@ -2,7 +2,9 @@
 ## List project repository tags
-Get a list of repository tags from a project, sorted by name in reverse alphabetical order.
+Get a list of repository tags from a project, sorted by name in reverse
+alphabetical order. This endpoint can be accessed without authentication if the
+repository is publicly accessible.
 ```
 GET /projects/:id/repository/tags
@@ -40,7 +42,8 @@ Parameters:
 ## Get a single repository tag
-Get a specific repository tag determined by its name.
+Get a specific repository tag determined by its name. This endpoint can be
+accessed without authentication if the repository is publicly accessible.
 ```
 GET /projects/:id/repository/tags/:tag_name

--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -291,7 +291,9 @@ Parameters:
 - `id` (required) - The ID of the user
-## Current user
+## User
+### For normal users
 Gets currently authenticated user.
@@ -335,6 +337,53 @@ GET /user
 }
 ```
+### For admins
+Parameters:
+- `sudo` (required) - the ID of a user
+```
+GET /user
+```
+```json
+{
+  "id": 1,
+  "username": "john_smith",
+  "email": "john@example.com",
+  "name": "John Smith",
+  "state": "active",
+  "avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
+  "web_url": "http://localhost:3000/john_smith",
+  "created_at": "2012-05-23T08:00:58Z",
+  "is_admin": false,
+  "bio": null,
+  "location": null,
+  "skype": "",
+  "linkedin": "",
+  "twitter": "",
+  "website_url": "",
+  "organization": "",
+  "last_sign_in_at": "2012-06-01T11:41:01Z",
+  "confirmed_at": "2012-05-23T09:05:22Z",
+  "theme_id": 1,
+  "color_scheme_id": 2,
+  "projects_limit": 100,
+  "current_sign_in_at": "2012-06-02T06:36:55Z",
+  "identities": [
+    {"provider": "github", "extern_uid": "2435223452345"},
+    {"provider": "bitbucket", "extern_uid": "john_smith"},
+    {"provider": "google_oauth2", "extern_uid": "8776128412476123468721346"}
+  ],
+  "can_create_group": true,
+  "can_create_project": true,
+  "two_factor_enabled": true,
+  "external": false,
+  "private_token": "dd34asd13as"
+}
+```
 ## List SSH keys
 Get a list of currently authenticated user's SSH keys.

--- a/doc/update/8.14-to-8.15.md
+++ b/doc/update/8.14-to-8.15.md
@@ -113,7 +113,7 @@ sudo -u git -H bundle exec rake assets:clean assets:precompile cache:clear RAILS
 There are new configuration options available for [`gitlab.yml`](config/gitlab.yml.example). View them with the command below and apply them manually to your current `gitlab.yml`:
 ```sh
-git diff origin/8-13-stable:config/gitlab.yml.example origin/8-15-stable:config/gitlab.yml.example
+git diff origin/8-14-stable:config/gitlab.yml.example origin/8-15-stable:config/gitlab.yml.example
 ```
 #### Git configuration
@@ -131,10 +131,10 @@ Ensure you're still up-to-date with the latest NGINX configuration changes:
 ```sh
 # For HTTPS configurations
-git diff origin/8-13-stable:lib/support/nginx/gitlab-ssl origin/8-15-stable:lib/support/nginx/gitlab-ssl
+git diff origin/8-14-stable:lib/support/nginx/gitlab-ssl origin/8-15-stable:lib/support/nginx/gitlab-ssl
 # For HTTP configurations
-git diff origin/8-13-stable:lib/support/nginx/gitlab origin/8-15-stable:lib/support/nginx/gitlab
+git diff origin/8-14-stable:lib/support/nginx/gitlab origin/8-15-stable:lib/support/nginx/gitlab
 ```
 If you are using Apache instead of NGINX please see the updated [Apache templates].

--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -22,7 +22,7 @@ module API
      expose :provider, :extern_uid
    end
-    class UserFull < User
+    class UserPublic < User
      expose :last_sign_in_at
      expose :confirmed_at
      expose :email
@@ -34,7 +34,7 @@ module API
      expose :external
    end
-    class UserLogin < UserFull
+    class UserWithPrivateToken < UserPublic
      expose :private_token
    end
@@ -289,7 +289,7 @@ module API
    end
    class SSHKeyWithUser < SSHKey
-      expose :user, using: Entities::UserFull
+      expose :user, using: Entities::UserPublic
    end
    class Note < Grape::Entity

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -44,11 +44,14 @@ module API
        return nil
      end
-      identifier = sudo_identifier()
+      identifier = sudo_identifier
-      # If the sudo is the current user do nothing
+      if identifier
-      if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+        # We check for private_token because we cannot allow PAT to be used
        forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+        forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+        @impersonator = @current_user
        @current_user = User.by_username_or_id(identifier)
        not_found!("No user id or username for: #{identifier}") if @current_user.nil?
      end
@@ -108,7 +111,7 @@ module API
      if id =~ /^\d+$/
        Group.find_by(id: id)
      else
-        Group.find_by(path: id)
+        Group.find_by_full_path(id)
      end
    end
@@ -383,6 +386,10 @@ module API
      links.join(', ')
    end
+    def private_token_used?
+      private_token == @current_user.private_token
+    end
    def secret_token
      Gitlab::Shell.secret_token
    end

--- a/lib/api/session.rb
+++ b/lib/api/session.rb
 module API
  class Session < Grape::API
    desc 'Login to get token' do
-      success Entities::UserLogin
+      success Entities::UserWithPrivateToken
    end
    params do
      optional :login, type: String, desc: 'The username'
@@ -14,7 +14,7 @@ module API
      return unauthorized! unless user
      return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
-      present user, with: Entities::UserLogin
+      present user, with: Entities::UserWithPrivateToken
    end
  end
 end
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
 module API
  # Git Tags API
  class Tags < Grape::API
-    before { authenticate! }
    before { authorize! :download_code, user_project }
    params do

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -51,7 +51,7 @@ module API
          users = users.external if params[:external] && current_user.is_admin?
        end
-        entity = current_user.is_admin? ? Entities::UserFull : Entities::UserBasic
+        entity = current_user.is_admin? ? Entities::UserPublic : Entities::UserBasic
        present paginate(users), with: entity
      end
@@ -66,7 +66,7 @@ module API
        not_found!('User') unless user
        if current_user && current_user.is_admin?
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
        elsif can?(current_user, :read_user, user)
          present user, with: Entities::User
        else
@@ -75,7 +75,7 @@ module API
      end
      desc 'Create a user. Available only for admins.' do
-        success Entities::UserFull
+        success Entities::UserPublic
      end
      params do
        requires :email, type: String, desc: 'The email of the user'
@@ -99,7 +99,7 @@ module API
        end
        if user.save
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
        else
          conflict!('Email has already been taken') if User.
              where(email: user.email).
@@ -114,7 +114,7 @@ module API
      end
      desc 'Update a user. Available only for admins.' do
-        success Entities::UserFull
+        success Entities::UserPublic
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
@@ -161,7 +161,7 @@ module API
        user_params.delete(:provider)
        if user.update_attributes(user_params)
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
        else
          render_validation_error!(user)
        end
@@ -350,10 +350,10 @@ module API
    resource :user do
      desc 'Get the currently authenticated user' do
-        success Entities::UserFull
+        success Entities::UserPublic
      end
      get do
-        present current_user, with: Entities::UserFull
+        present current_user, with: @impersonator ? Entities::UserWithPrivateToken : Entities::UserPublic
      end
      desc "Get the currently authenticated user's SSH keys" do

--- a/lib/constraints/group_url_constrainer.rb
+++ b/lib/constraints/group_url_constrainer.rb
@@ -4,7 +4,7 @@ class GroupUrlConstrainer
    return false unless valid?(id)
-    Group.find_by(path: id).present?
+    Group.find_by_full_path(id).present?
  end
  private

--- a/lib/event_filter.rb
+++ b/lib/event_filter.rb
@@ -14,6 +14,10 @@ class EventFilter
      'merged'
    end
+    def issue
+      'issue'
+    end
    def comments
      'comments'
    end
@@ -32,32 +36,20 @@ class EventFilter
  end
  def apply_filter(events)
-    return events unless params.present?
+    return events if params.blank? || params == EventFilter.all
-    filter = params.dup
-    actions = []
-    case filter
+    case params
    when EventFilter.push
-      actions = [Event::PUSHED]
+      events.where(action: Event::PUSHED)
    when EventFilter.merged
-      actions = [Event::MERGED]
+      events.where(action: Event::MERGED)
    when EventFilter.comments
-      actions = [Event::COMMENTED]
+      events.where(action: Event::COMMENTED)
    when EventFilter.team
-      actions = [Event::JOINED, Event::LEFT, Event::EXPIRED]
+      events.where(action: [Event::JOINED, Event::LEFT, Event::EXPIRED])
-    when EventFilter.all
+    when EventFilter.issue
-      actions = [
+      events.where(action: [Event::CREATED, Event::UPDATED, Event::CLOSED, Event::REOPENED])
-        Event::PUSHED,
-        Event::MERGED,
-        Event::COMMENTED,
-        Event::JOINED,
-        Event::LEFT,
-        Event::EXPIRED
-      ]
    end
-    events.where(action: actions)
  end
  def options(key)
@@ -73,6 +65,10 @@ class EventFilter
  end
  def active?(key)
-    params.include? key
+    if params.present?
+      params.include? key
+    else
+      key == EventFilter.all
+    end
  end
 end
--- a/lib/gitlab/asciidoc.rb
+++ b/lib/gitlab/asciidoc.rb
@@ -6,7 +6,7 @@ module Gitlab
  module Asciidoc
    DEFAULT_ADOC_ATTRS = [
      'showtitle', 'idprefix=user-content-', 'idseparator=-', 'env=gitlab',
-      'env-gitlab', 'source-highlighter=html-pipeline'
+      'env-gitlab', 'source-highlighter=html-pipeline', 'icons=font'
    ].freeze
    # Public: Converts the provided Asciidoc markup into HTML.

--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -68,7 +68,7 @@ module Gitlab
    end
    def merge_requests
-      merge_requests = MergeRequest.in_projects(project_ids_relation)
+      merge_requests = MergeRequestsFinder.new(current_user).execute.in_projects(project_ids_relation)
      if query =~ /[#!](\d+)\z/
        merge_requests = merge_requests.where(iid: $1)
      else

--- a/spec/controllers/projects/todo_controller_spec.rb
+++ b/spec/controllers/projects/todo_controller_spec.rb
@@ -110,7 +110,7 @@ describe Projects::TodosController do
        end
      end
-      context 'when not authorized' do
+      context 'when not authorized for project' do
        it 'does not create todo for merge request user has no access to' do
          sign_in(user)
          expect do
@@ -128,6 +128,19 @@ describe Projects::TodosController do
          expect(response).to have_http_status(302)
        end
      end
+      context 'when not authorized for merge_request' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+          sign_in(user)
+        end
+        it "doesn't create todo" do
+          expect{ go }.not_to change { user.todos.count }
+          expect(response).to have_http_status(404)
+        end
+      end
    end
  end
 end
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -22,7 +22,6 @@ describe SessionsController do
        it 'authenticates user correctly' do
          post(:create, user: { login: user.username, password: user.password })
-          expect(response).to set_flash.to /Signed in successfully/
          expect(subject.current_user). to eq user
        end

--- a/spec/features/merge_requests/target_branch_spec.rb
+++ b/spec/features/merge_requests/target_branch_spec.rb
+require 'spec_helper'
+describe 'Target branch', feature: true do
+  let(:user) { create(:user) }
+  let(:merge_request) { create(:merge_request) }
+  let(:project) { merge_request.project }
+  def path_to_merge_request
+    namespace_project_merge_request_path(
+      project.namespace,
+      project, merge_request
+    )
+  end
+  before do
+    login_as user
+    project.team << [user, :master]
+  end
+  it 'shows link to target branch' do
+    visit path_to_merge_request
+    expect(page).to have_link('feature', href: namespace_project_commits_path(project.namespace, project, merge_request.target_branch))
+  end
+  context 'when branch was deleted' do
+    before do
+      DeleteBranchService.new(project, user).execute('feature')
+      visit path_to_merge_request
+    end
+    it 'shows a message about missing target branch' do
+      expect(page).to have_content(
+        'Target branch feature does not exist'
+      )
+    end
+    it 'does not show link to target branch' do
+      expect(page).not_to have_link('feature')
+    end
+  end
+end
--- a/spec/features/projects/members/group_members_spec.rb
+++ b/spec/features/projects/members/group_members_spec.rb
+require 'spec_helper'
+feature 'Projects members', feature: true do
+  let(:user) { create(:user) }
+  let(:developer) { create(:user) }
+  let(:group) { create(:group, :public, :access_requestable) }
+  let(:project) { create(:empty_project, :public, :access_requestable, creator: user, group: group) }
+  let(:project_invitee) { create(:project_member, project: project, invite_token: '123', invite_email: 'test1@abc.com', user: nil) }
+  let(:group_invitee) { create(:group_member, group: group, invite_token: '123', invite_email: 'test2@abc.com', user: nil) }
+  let(:project_requester) { create(:user) }
+  let(:group_requester) { create(:user) }
+  background do
+    project.team << [developer, :developer]
+    group.add_owner(user)
+    login_as(user)
+  end
+  context 'with a group invitee' do
+    before do
+      group_invitee
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+    scenario 'does not appear in the project members page' do
+      page.within first('.content-list') do
+        expect(page).not_to have_content('test2@abc.com')
+      end
+    end
+  end
+  context 'with a group and a project invitee' do
+    before do
+      group_invitee
+      project_invitee
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+    scenario 'shows the project invitee, the project developer, and the group owner' do
+      page.within first('.content-list') do
+        expect(page).to have_content('test1@abc.com')
+        expect(page).not_to have_content('test2@abc.com')
+        # Project developer
+        expect(page).to have_content(developer.name)
+        # Group owner
+        expect(page).to have_content(user.name)
+        expect(page).to have_content(group.name)
+      end
+    end
+  end
+  context 'with a group requester' do
+    before do
+      group.request_access(group_requester)
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+    scenario 'does not appear in the project members page' do
+      page.within first('.content-list') do
+        expect(page).not_to have_content(group_requester.name)
+      end
+    end
+  end
+  context 'with a group and a project requesters' do
+    before do
+      group.request_access(group_requester)
+      project.request_access(project_requester)
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+    scenario 'shows the project requester, the project developer, and the group owner' do
+      page.within first('.content-list') do
+        expect(page).to have_content(project_requester.name)
+        expect(page).not_to have_content(group_requester.name)
+      end
+      page.within all('.content-list').last do
+        # Project developer
+        expect(page).to have_content(developer.name)
+        # Group owner
+        expect(page).to have_content(user.name)
+        expect(page).to have_content(group.name)
+      end
+    end
+  end
+end
--- a/spec/features/projects/settings/merge_requests_settings_spec.rb
+++ b/spec/features/projects/settings/merge_requests_settings_spec.rb
+require 'spec_helper'
+feature 'Project settings > Merge Requests', feature: true, js: true do
+  include GitlabRoutingHelper
+  let(:project) { create(:empty_project, :public) }
+  let(:user) { create(:user) }
+  background do
+    project.team << [user, :master]
+    login_as(user)
+  end
+  context 'when Merge Request and Builds are initially enabled' do
+    before do
+      project.project_feature.update_attribute('merge_requests_access_level', ProjectFeature::ENABLED)
+    end
+    context 'when Builds are initially enabled' do
+      before do
+        project.project_feature.update_attribute('builds_access_level', ProjectFeature::ENABLED)
+        visit edit_project_path(project)
+      end
+      scenario 'shows the Merge Requests settings' do
+        expect(page).to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+        select 'Disabled', from: "project_project_feature_attributes_merge_requests_access_level"
+        expect(page).not_to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).not_to have_content('Only allow merge requests to be merged if all discussions are resolved')
+      end
+    end
+    context 'when Builds are initially disabled' do
+      before do
+        project.project_feature.update_attribute('builds_access_level', ProjectFeature::DISABLED)
+        visit edit_project_path(project)
+      end
+      scenario 'shows the Merge Requests settings that do not depend on Builds feature' do
+        expect(page).not_to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+        select 'Everyone with access', from: "project_project_feature_attributes_builds_access_level"
+        expect(page).to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+      end
+    end
+  end
+  context 'when Merge Request are initially disabled' do
+    before do
+      project.project_feature.update_attribute('merge_requests_access_level', ProjectFeature::DISABLED)
+      visit edit_project_path(project)
+    end
+    scenario 'does not show the Merge Requests settings' do
+      expect(page).not_to have_content('Only allow merge requests to be merged if the build succeeds')
+      expect(page).not_to have_content('Only allow merge requests to be merged if all discussions are resolved')
+      select 'Everyone with access', from: "project_project_feature_attributes_merge_requests_access_level"
+      expect(page).to have_content('Only allow merge requests to be merged if the build succeeds')
+      expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+    end
+  end
+end
--- a/spec/features/u2f_spec.rb
+++ b/spec/features/u2f_spec.rb
@@ -163,8 +163,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
        click_on "Sign in via U2F device"
        expect(page.body).to match('We heard back from your U2F device')
        click_on "Authenticate via U2F Device"
+        expect(page.body).to match('href="/users/sign_out"')
-        expect(page.body).to match('Signed in successfully')
      end
    end
@@ -178,7 +177,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
        expect(page.body).to match('We heard back from your U2F device')
        click_on "Authenticate via U2F Device"
-        expect(page.body).to match('Signed in successfully')
+        expect(page.body).to match('href="/users/sign_out"')
      end
    end
@@ -234,7 +233,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
          expect(page.body).to match('We heard back from your U2F device')
          click_on "Authenticate via U2F Device"
-          expect(page.body).to match('Signed in successfully')
+          expect(page.body).to match('href="/users/sign_out"')
        end
      end
    end
@@ -275,7 +274,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
          expect(page.body).to match('We heard back from your U2F device')
          click_on "Authenticate via U2F Device"
-          expect(page.body).to match('Signed in successfully')
+          expect(page.body).to match('href="/users/sign_out"')
          logout
        end

--- a/spec/fixtures/api/schemas/user/login.json
+++ b/spec/fixtures/api/schemas/user/login.json
+{
+  "type": "object",
+  "required": [
+    "id",
+    "username",
+    "email",
+    "name",
+    "state",
+    "avatar_url",
+    "web_url",
+    "created_at",
+    "is_admin",
+    "bio",
+    "location",
+    "skype",
+    "linkedin",
+    "twitter",
+    "website_url",
+    "organization",
+    "last_sign_in_at",
+    "confirmed_at",
+    "theme_id",
+    "color_scheme_id",
+    "projects_limit",
+    "current_sign_in_at",
+    "identities",
+    "can_create_group",
+    "can_create_project",
+    "two_factor_enabled",
+    "external",
+    "private_token"
+  ],
+  "properties": {
+    "$ref": "full.json",
+    "private_token": { "type": "string" }
+  }
+}
--- a/spec/fixtures/api/schemas/user/public.json
+++ b/spec/fixtures/api/schemas/user/public.json
+{
+  "type": "object",
+  "required": [
+    "id",
+    "username",
+    "email",
+    "name",
+    "state",
+    "avatar_url",
+    "web_url",
+    "created_at",
+    "is_admin",
+    "bio",
+    "location",
+    "skype",
+    "linkedin",
+    "twitter",
+    "website_url",
+    "organization",
+    "last_sign_in_at",
+    "confirmed_at",
+    "theme_id",
+    "color_scheme_id",
+    "projects_limit",
+    "current_sign_in_at",
+    "identities",
+    "can_create_group",
+    "can_create_project",
+    "two_factor_enabled",
+    "external"
+  ],
+  "properties": {
+    "id": { "type": "integer" },
+    "username": { "type": "string" },
+    "email": { 
+      "type": "string",
+      "pattern": "^[^@]+@[^@]+$"
+    },
+    "name": { "type": "string" },
+    "state": { 
+      "type": "string",
+      "enum": ["active", "blocked"] 
+    },
+    "avatar_url": { "type": "string" },
+    "web_url": { "type": "string" },
+    "created_at": { "type": "date" },
+    "is_admin": { "type": "boolean" },
+    "bio": { "type": ["string", "null"] },
+    "location": { "type": ["string", "null"] },
+    "skype": { "type": "string" },
+    "linkedin": { "type": "string" },
+    "twitter": { "type": "string "},
+    "website_url": { "type": "string" },
+    "organization": { "type": ["string", "null"] },
+    "last_sign_in_at": { "type": "date" },
+    "confirmed_at": { "type": ["date", "null"] },
+    "theme_id": { "type": "integer" },
+    "color_scheme_id": { "type": "integer" },
+    "projects_limit": { "type": "integer" },
+    "current_sign_in_at": { "type": "date" },
+    "identities": { 
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "provider": { 
+            "type": "string",
+            "enum": ["github", "bitbucket", "google_oauth2"] 
+          },
+          "extern_uid": { "type": ["number", "string"] }
+        }
+      }
+    },
+    "can_create_group": { "type": "boolean" },
+    "can_create_project": { "type": "boolean" },
+    "two_factor_enabled": { "type": "boolean" },
+    "external": { "type": "boolean" } 
+  }
+}
--- a/spec/helpers/diff_helper_spec.rb
+++ b/spec/helpers/diff_helper_spec.rb
--- a/spec/javascripts/fixtures/event_filter.html.haml
+++ b/spec/javascripts/fixtures/event_filter.html.haml
--- a/spec/javascripts/fixtures/signin_tabs.html.haml
+++ b/spec/javascripts/fixtures/signin_tabs.html.haml
--- a/spec/javascripts/signin_tabs_memoizer_spec.js.es6
+++ b/spec/javascripts/signin_tabs_memoizer_spec.js.es6
--- a/spec/lib/constraints/group_url_constrainer_spec.rb
+++ b/spec/lib/constraints/group_url_constrainer_spec.rb
--- a/spec/lib/event_filter_spec.rb
+++ b/spec/lib/event_filter_spec.rb
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
--- a/spec/models/commit_range_spec.rb
+++ b/spec/models/commit_range_spec.rb
--- a/spec/models/commit_spec.rb
+++ b/spec/models/commit_spec.rb
--- a/spec/models/concerns/routable_spec.rb
+++ b/spec/models/concerns/routable_spec.rb
--- a/spec/models/namespace_spec.rb
+++ b/spec/models/namespace_spec.rb
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
--- a/spec/models/route_spec.rb
+++ b/spec/models/route_spec.rb
--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
--- a/spec/requests/api/tags_spec.rb
+++ b/spec/requests/api/tags_spec.rb
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb