Merge branch 'ce-to-ee-2018-05-15' into 'master'

CE upstream - 2018-05-15 09:46 UTC See merge request gitlab-org/gitlab-ee!5711

Merge branch 'ce-to-ee-2018-05-15' into 'master'
CE upstream - 2018-05-15 09:46 UTC See merge request gitlab-org/gitlab-ee!5711
b40594d5 · Stan Hu · 74f69442 · 1844fdd2 · b40594d5 · b40594d5
Commit b40594d5 authored May 16, 2018 by Stan Hu
18 changed files
--- a/app/assets/javascripts/pages/projects/wikis/components/delete_wiki_modal.vue
+++ b/app/assets/javascripts/pages/projects/wikis/components/delete_wiki_modal.vue
+<script>
+import _ from 'underscore';
+import GlModal from '~/vue_shared/components/gl_modal.vue';
+import { s__, sprintf } from '~/locale';
+
+export default {
+  components: {
+    GlModal,
+  },
+  props: {
+    deleteWikiUrl: {
+      type: String,
+      required: true,
+      default: '',
+    },
+    pageTitle: {
+      type: String,
+      required: true,
+      default: '',
+    },
+    csrfToken: {
+      type: String,
+      required: true,
+      default: '',
+    },
+  },
+  computed: {
+    message() {
+      return s__('WikiPageConfirmDelete|Are you sure you want to delete this page?');
+    },
+    title() {
+      return sprintf(
+        s__('WikiPageConfirmDelete|Delete page %{pageTitle}?'),
+        {
+          pageTitle: _.escape(this.pageTitle),
+        },
+        false,
+      );
+    },
+  },
+  methods: {
+    onSubmit() {
+      this.$refs.form.submit();
+    },
+  },
+};
+</script>
+
+<template>
+  <gl-modal
+    id="delete-wiki-modal"
+    :header-title-text="title"
+    footer-primary-button-variant="danger"
+    :footer-primary-button-text="s__('WikiPageConfirmDelete|Delete page')"
+    @submit="onSubmit"
+  >
+    {{ message }}
+    <form
+      ref="form"
+      :action="deleteWikiUrl"
+      method="post"
+      class="form-horizontal js-requires-input"
+    >
+      <input
+        ref="method"
+        type="hidden"
+        name="_method"
+        value="delete"
+      />
+      <input
+        type="hidden"
+        name="authenticity_token"
+        :value="csrfToken"
+      />
+    </form>
+  </gl-modal>
+</template>
--- a/app/assets/javascripts/pages/projects/wikis/index.js
+++ b/app/assets/javascripts/pages/projects/wikis/index.js
 import $ from 'jquery';
+import Vue from 'vue';
+import Translate from '~/vue_shared/translate';
+import csrf from '~/lib/utils/csrf';
 import Wikis from './wikis';
 import ShortcutsWiki from '../../../shortcuts_wiki';
 import ZenMode from '../../../zen_mode';
 import GLForm from '../../../gl_form';
+import deleteWikiModal from './components/delete_wiki_modal.vue';

 document.addEventListener('DOMContentLoaded', () => {
  new Wikis(); // eslint-disable-line no-new
  new ShortcutsWiki(); // eslint-disable-line no-new
  new ZenMode(); // eslint-disable-line no-new
  new GLForm($('.wiki-form'), true); // eslint-disable-line no-new
+
+  const deleteWikiButton = document.getElementById('delete-wiki-button');
+
+  if (deleteWikiButton) {
+    Vue.use(Translate);
+
+    const { deleteWikiUrl, pageTitle } = deleteWikiButton.dataset;
+    const deleteWikiModalEl = document.getElementById('delete-wiki-modal');
+    const deleteModal = new Vue({ // eslint-disable-line
+      el: deleteWikiModalEl,
+      data: {
+        deleteWikiUrl: '',
+      },
+      render(createElement) {
+        return createElement(deleteWikiModal, {
+          props: {
+            pageTitle,
+            deleteWikiUrl,
+            csrfToken: csrf.token,
+          },
+        });
+      },
+    });
+  }
 });
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -183,4 +183,8 @@ class Projects::PipelinesController < Projects::ApplicationController
    # Also see https://gitlab.com/gitlab-org/gitlab-ce/issues/42343
    Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-ce/issues/42339')
  end
+
+  def authorize_update_pipeline!
+    return access_denied! unless can?(current_user, :update_pipeline, @pipeline)
+  end
 end
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -14,11 +14,20 @@ module Ci
      @subject.triggered_by?(@user)
    end

+    condition(:branch_allows_maintainer_push) do
+      @subject.project.branch_allows_maintainer_push?(@user, @subject.ref)
+    end
+
    rule { protected_ref }.policy do
      prevent :update_build
      prevent :erase_build
    end

    rule { can?(:admin_build) | (can?(:update_build) & owner_of_job) }.enable :erase_build
+
+    rule { can?(:public_access) & branch_allows_maintainer_push }.policy do
+      enable :update_build
+      enable :update_commit_status
+    end
  end
 end
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -4,8 +4,16 @@ module Ci

    condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }

+    condition(:branch_allows_maintainer_push) do
+      @subject.project.branch_allows_maintainer_push?(@user, @subject.ref)
+    end
+
    rule { protected_ref }.prevent :update_pipeline

+    rule { can?(:public_access) & branch_allows_maintainer_push }.policy do
+      enable :update_pipeline
+    end
+
    def ref_protected?(user, project, tag, ref)
      access = ::Gitlab::UserAccess.new(user, project: project)


--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -77,7 +77,7 @@ class ProjectPolicy < BasePolicy
  condition(:request_access_enabled, scope: :subject, score: 0) { project.request_access_enabled }

  desc "Has merge requests allowing pushes to user"
-  condition(:has_merge_requests_allowing_pushes, scope: :subject) do
+  condition(:has_merge_requests_allowing_pushes) do
    project.merge_requests_allowing_push_to_user(user).any?
  end

@@ -355,9 +355,7 @@ class ProjectPolicy < BasePolicy
  # to run pipelines for the branches they have access to.
  rule { can?(:public_access) & has_merge_requests_allowing_pushes }.policy do
    enable :create_build
-    enable :update_build
    enable :create_pipeline
-    enable :update_pipeline
  end

  rule do

--- a/app/views/projects/wikis/edit.html.haml
+++ b/app/views/projects/wikis/edit.html.haml
@@ -28,9 +28,16 @@
      = link_to project_wiki_history_path(@project, @page), class: "btn" do
        = s_("Wiki|Page history")
      - if can?(current_user, :admin_wiki, @project)
-        = link_to project_wiki_path(@project, @page), data: { confirm: s_("WikiPageConfirmDelete|Are you sure you want to delete this page?")}, method: :delete, class: "btn btn-danger" do
-          = _("Delete")
+        %button.btn.btn-danger{ data: { toggle: 'modal',
+          target: '#delete-wiki-modal',
+          delete_wiki_url: project_wiki_path(@project, @page),
+          page_title: @page.title.capitalize },
+          id: 'delete-wiki-button',
+          type: 'button' }
+          = _('Delete')

 = render 'form'

 = render 'sidebar'
+
+#delete-wiki-modal.modal.fade
--- a/changelogs/unreleased/46286-fix-ingress-rbac-default-value.yml
+++ b/changelogs/unreleased/46286-fix-ingress-rbac-default-value.yml
+---
+title: Disables RBAC on nginx-ingress
+merge_request: 18947
+author:
+type: fixed
--- a/changelogs/unreleased/jprovazn-pipeline-policy.yml
+++ b/changelogs/unreleased/jprovazn-pipeline-policy.yml
+---
+title: Allow maintainers to retry pipelines on forked projects (if allowed in merge
+  request)
+merge_request:
+author:
+type: fixed
--- a/changelogs/unreleased/update-wiki-modal.yml
+++ b/changelogs/unreleased/update-wiki-modal.yml
+---
+title: New design for wiki page deletion confirmation
+merge_request: 18712
+author: Constance Okoghenun
+type: added
--- a/doc/user/project/merge_requests/maintainer_access.md
+++ b/doc/user/project/merge_requests/maintainer_access.md
@@ -16,3 +16,5 @@ source project, and only lasts while the merge request is open.
 Enable this functionality while creating a merge request:

 ![Enable maintainer edits](./img/allow_maintainer_push.png)
+
+[ce-17395]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17395
--- a/spec/features/projects/wiki/user_deletes_wiki_page_spec.rb
+++ b/spec/features/projects/wiki/user_deletes_wiki_page_spec.rb
 require 'spec_helper'

-feature 'User deletes wiki page' do
+feature 'User deletes wiki page', :js do
  let(:user) { create(:user) }
  let(:project) { create(:project, :wiki_repo, namespace: user.namespace) }
  let(:wiki_page) { create(:wiki_page, wiki: project.wiki) }
@@ -13,6 +13,7 @@ feature 'User deletes wiki page' do
  it 'deletes a page' do
    click_on('Edit')
    click_on('Delete')
+    find('.js-modal-primary-action').click

    expect(page).to have_content('Page was successfully deleted')
  end

--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -94,6 +94,19 @@ describe Ci::BuildPolicy do
          end
        end
      end
+
+      context 'when maintainer is allowed to push to pipeline branch' do
+        let(:project) { create(:project, :public) }
+        let(:owner) { user }
+
+        it 'enables update_build if user is maintainer' do
+          allow_any_instance_of(Project).to receive(:empty_repo?).and_return(false)
+          allow_any_instance_of(Project).to receive(:branch_allows_maintainer_push?).and_return(true)
+
+          expect(policy).to be_allowed :update_build
+          expect(policy).to be_allowed :update_commit_status
+        end
+      end
    end

    describe 'rules for protected ref' do

--- a/spec/policies/ci/pipeline_policy_spec.rb
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@@ -62,5 +62,17 @@ describe Ci::PipelinePolicy, :models do
        end
      end
    end
+
+    context 'when maintainer is allowed to push to pipeline branch' do
+      let(:project) { create(:project, :public) }
+      let(:owner) { user }
+
+      it 'enables update_pipeline if user is maintainer' do
+        allow_any_instance_of(Project).to receive(:empty_repo?).and_return(false)
+        allow_any_instance_of(Project).to receive(:branch_allows_maintainer_push?).and_return(true)
+
+        expect(policy).to be_allowed :update_pipeline
+      end
+    end
  end
 end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -458,7 +458,7 @@ describe ProjectPolicy do
      )
    end
    let(:maintainer_abilities) do
-      %w(create_build update_build create_pipeline update_pipeline)
+      %w(create_build create_pipeline)
    end

    subject { described_class.new(user, project) }

--- a/spec/serializers/pipeline_serializer_spec.rb
+++ b/spec/serializers/pipeline_serializer_spec.rb
@@ -114,7 +114,9 @@ describe PipelineSerializer do
        Gitlab::GitalyClient.reset_counts
      end

-      shared_examples 'no N+1 queries' do
+      context 'with the same ref' do
+        let(:ref) { 'feature' }
+
        it 'verifies number of queries', :request_store do
          recorded = ActiveRecord::QueryRecorder.new { subject }

@@ -123,12 +125,6 @@ describe PipelineSerializer do
        end
      end

-      context 'with the same ref' do
-        let(:ref) { 'feature' }
-
-        it_behaves_like 'no N+1 queries'
-      end
-
      context 'with different refs' do
        def ref
          @sequence ||= 0
@@ -136,7 +132,16 @@ describe PipelineSerializer do
          "feature-#{@sequence}"
        end

-        it_behaves_like 'no N+1 queries'
+        it 'verifies number of queries', :request_store do
+          recorded = ActiveRecord::QueryRecorder.new { subject }
+
+          # For each ref there is a permission check if maintainer can update
+          # pipeline. With the same ref this check is cached but if refs are
+          # different then there is an extra query per ref
+          # https://gitlab.com/gitlab-org/gitlab-ce/issues/46368
+          expect(recorded.count).to be_within(1).of(56)
+          expect(recorded.cached_count).to eq(0)
+        end
      end

      def create_pipeline(status)

--- a/spec/services/ci/retry_pipeline_service_spec.rb
+++ b/spec/services/ci/retry_pipeline_service_spec.rb
 require 'spec_helper'

 describe Ci::RetryPipelineService, '#execute' do
+  include ProjectForksHelper
+
  let(:user) { create(:user) }
  let(:project) { create(:project) }
  let(:pipeline) { create(:ci_pipeline, project: project) }
@@ -266,6 +268,33 @@ describe Ci::RetryPipelineService, '#execute' do
    end
  end

+  context 'when maintainer is allowed to push to forked project' do
+    let(:user) { create(:user) }
+    let(:project) { create(:project, :public) }
+    let(:forked_project) { fork_project(project) }
+    let(:pipeline) { create(:ci_pipeline, project: forked_project, ref: 'fixes') }
+
+    before do
+      project.add_master(user)
+      create(:merge_request,
+        source_project: forked_project,
+        target_project: project,
+        source_branch: 'fixes',
+        allow_maintainer_to_push: true)
+      create_build('rspec 1', :failed, 1)
+    end
+
+    it 'allows to retry failed pipeline' do
+      allow_any_instance_of(Project).to receive(:fetch_branch_allows_maintainer_push?).and_return(true)
+      allow_any_instance_of(Project).to receive(:empty_repo?).and_return(false)
+
+      service.execute(pipeline)
+
+      expect(build('rspec 1')).to be_pending
+      expect(pipeline.reload).to be_running
+    end
+  end
+
  def statuses
    pipeline.reload.statuses
  end

--- a/vendor/ingress/values.yaml
+++ b/vendor/ingress/values.yaml
@@ -7,3 +7,8 @@ controller:
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "10254"
+
+rbac:
+  create: false
+  createRole: false
+  createClusterRole: false