- 30 Jun, 2016 2 commits
-
-
Douwe Maan authored
Ensure logged-out users can't see private refs

https://gitlab.com/gitlab-org/gitlab-ce/issues/18033

I'm still not sure what to do about the CHANGELOG on security issues - should I add to a patch release? This issue was assigned to 8.10.

See merge request !1974

(cherry picked from commit 3a6ebb1f)
-
Douwe Maan authored
Fix privilege escalation issue with OAuth external users

Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/19312

This MR fixes a privilege escalation issue, where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.

/cc @douwe

See merge request !1975

(cherry picked from commit 5e6342b7)
-
- 29 Jun, 2016 6 commits
-
-
Robert Speicher authored
-
Yorick Peterse authored
Use update_columns to by_pass all the dirty code on active_record See merge request !4985 (cherry picked from commit ad09fcb5)
-
Yorick Peterse authored
Reduce overhead and optimize ProjectTeam#max_member_access performance See merge request !4973 (cherry picked from commit d33991f8)
-
Jacob Schatz authored
Fixes missing avatar on system notes Closes #17295 ![Screen_Shot_2016-06-27_at_12.50.50_PM](/uploads/b142226e608ccfe751a9b6059f57c9ec/Screen_Shot_2016-06-27_at_12.50.50_PM.jpg) See merge request !4954 (cherry picked from commit 9e8fdead)
-
Jacob Schatz authored
Removed fade when filtering results

## What does this MR do?

Removes the `opacity` change when filtering results seeing as we now do `Turbolinks.visit` it isn't required.

Best way to see issue - filter issues & then go back. Will still have opacity styling.

See merge request !4932

(cherry picked from commit bef4294c)
-
Jacob Schatz authored
Fixed avatar alignment in new MR view

## What does this MR do?

Fixes the alignment of the avatar in new MR view.

Closes #19076

## Screenshots (if relevant)

![Screen_Shot_2016-06-24_at_12.53.58](/uploads/fc94faf2e48f194852693b7ae79e8fa3/Screen_Shot_2016-06-24_at_12.53.58.png)

See merge request !4901

(cherry picked from commit 3611ee56)
-
- 28 Jun, 2016 11 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
-
Yorick Peterse authored
Use memorized tags array when searching tags by name See merge request !4859 (cherry picked from commit 9d0ef60d)
-
Rémy Coutable authored
Fix encrypted data backwards compatibility after upgrading attr_encrypted gem Adds missing attribute to attr_encrypted so it is fully backwards-compatible. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19073 See merge request !4963 (cherry picked from commit 2c3f3cb3)
-
Robert Speicher authored
Fix rendering of commit notes See merge request !4953 (cherry picked from commit 9c9b0eef)
-
Dmitriy Zaporozhets authored
Resolve "Pin should show up at 1280px min" Decreased window min width for pinned sidebar Closes #19171 Part of #19200 ![Screen_Shot_2016-06-27_at_9.36.13_AM](/uploads/d0a87bca5af1bee808c5b1046c0ecf72/Screen_Shot_2016-06-27_at_9.36.13_AM.png) See merge request !4947 (cherry picked from commit bbbd0e6c)
-
Dmitriy Zaporozhets authored
Switched mobile button icons to ellipsis and angle

## What does this MR do?

Switches the mobile button icons

## What are the relevant issue numbers?

Closes #19170

Part of #19200

## Screenshots (if relevant)

![Screen_Shot_2016-06-27_at_9.08.28_AM](/uploads/7784489402e342e671d02b24d2ea0d64/Screen_Shot_2016-06-27_at_9.08.28_AM.png)

See merge request !4944

(cherry picked from commit abc6004f)
-
Robert Speicher authored
Correctly return todo ID after creating todo See merge request !4941 (cherry picked from commit 21842cf9)
-
Rémy Coutable authored
Better debugging for memory killer middleware

This adds more info to the warning messages output by `MemoryKiller`. Previously only the PID was shown, making it difficult to debug issues like https://gitlab.com/gitlab-org/gitlab-ce/issues/19124

This adds the worker class and job ID to the log messages.

See merge request !4936

(cherry picked from commit 3659992c)
-
Fatih Acet authored
Remove duplicate new page btn from edit wiki

## What does this MR do?

Removes duplicate button on wiki page

## What are the relevant issue numbers?

Closes #19075

## Screenshots (if relevant)

![Screen_Shot_2016-06-24_at_9.45.28_AM](/uploads/8dca96c3e75b428d63acaaba6dede9a6/Screen_Shot_2016-06-24_at_9.45.28_AM.png)

![Screen_Shot_2016-06-24_at_9.45.57_AM](/uploads/e6ea97b07e48d2fe6f108d8c5a943583/Screen_Shot_2016-06-24_at_9.45.57_AM.png)

See merge request !4904

(cherry picked from commit 121c5c83)
-
Robert Speicher authored
Use clock_gettime for all performance timestamps This MR adjusts the performance monitoring code to use `Process.clock_gettime` (thus `clock_gettime(3)`) instead of `Time.now`. Using `Time.now` / `Time.new` adds more overhead than `Process.clock_gettime`, it also doesn't provide a way of getting timestamps in nanoseconds (which `Process.clock_gettime` does allow). See merge request !4899 (cherry picked from commit 53ad9522)
-
- 27 Jun, 2016 6 commits
-
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
-
Stan Hu authored
Update omniauth-saml to 1.6.0 to address a security vulnerability in ruby-saml

## What does this MR do?

Updates `omniauth-saml` to bring in the new `ruby-saml` dependency that addresses [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)

Fixes #19206

See merge request !4951
-
Robert Speicher authored
Fix visibility of snippets when searching Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18997 See merge request !1972
-
Robert Speicher authored
Fix an information disclosure when requesting access to a group containing private projects

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19102.

The commit speaks for itself:

Fix an information disclosure when requesting access to a group containing private projects

The issue was with the `User#groups` and `User#projects` associations which go through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's user ID in `Member#created_by_id` instead of `Member#user_id` because I was aware that there was a security risk since I didn't know the codebase well enough.

Then during the review, we decided to change that and directly store the requester's user ID into `Member#user_id` (for the sake of simplifying the code I believe), meaning that every `group_members` / `project_members` association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members` associations and the ones that go through them (e.g. `Group#users` and `Project#users`) were made safe with the `where(requested_at: nil)` / `where(members: { requested_at: nil })` scopes.

Now they are all secure.

See merge request !1973
-
Rémy Coutable authored
Remove duplicate changelog entry

## What does this MR do?

Removes a changelog entry from 8.9.1, which is only present in 8.10

See merge request !4937
-
- 26 Jun, 2016 2 commits
-
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
[ci skip]
-
- 25 Jun, 2016 1 commit
-
-
Robert Speicher authored
-
- 24 Jun, 2016 7 commits
-
-
Stan Hu authored
Add SMTP as default delivery method to match gitlab-org/omnibus-gitlab!826 Something happened after upgrading to 8.9RC5 that caused mail settings to be set to sendmail by default. gitlab-com/infrastructure#128 describes the issue in more detail. This MR mirrors the change in omnibus with gitlab-org/omnibus-gitlab!826. Closes #19132 See merge request !4915
-
Stan Hu authored
Fix a wrong MR status when merge_when_build_succeeds & project.only_allow_merge_if_build_succeeds are true

## What does this MR do?

Fix a wrong MR status when merge_when_build_succeeds & project.only_allow_merge_if_build_succeeds are true.

## Are there points in the code the reviewer needs to double check?

@stanhu I reused your proposal from the issue, I think it's a good enough solution.

## What are the relevant issue numbers?

Fixes #19035.

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4912
-
Robert Speicher authored
[ci skip]
-
Yorick Peterse authored
Eager load award emoji on notes and participants See merge request !4628
-
Rémy Coutable authored
Fix temp file being deleted after the request while importing a GitLab project Fixes https://gitlab.com/gitlab-com/infrastructure/issues/151 In production, the temporary uploaded file is getting deleted straight after the request so the Sidekiq worker is unable to find it in `/tmp` Also, improved erroring/logging of this situation. See merge request !4894
-
Jacob Schatz authored
Remove width restriction for logo on sign-in page. Follow-up on !4661 since we didn't remove the width restriction on that. See merge request !4888
-
Yorick Peterse authored
Support for rendering/redacting multiple documents See merge request !4828
-
- 23 Jun, 2016 5 commits
-
-
Jacob Schatz authored
Resolve "Scrolling horz on iOS for the secondary nav is broken"

## What does this MR do?

Moves absolutely positioned `div`s outside of the scrolling container because mobile safari causes those elements to jump around on scroll.

## Are there points in the code the reviewer needs to double check?

Check on a real iPhone (was only able to check in iOS simulator)

## Why was this MR needed?

Mobile Safari.

## What are the relevant issue numbers?

Closes #18438

## Screenshots (if relevant)

![mobile-safari-fix](/uploads/b38bba735530eb11507fe03036292dd8/mobile-safari-fix.gif)

See merge request !4869
-
Jacob Schatz authored
Apply selected value as label

## What does this MR do?

## Are there points in the code the reviewer needs to double check?

## Why was this MR needed?

## What are the relevant issue numbers?

## Screenshots (if relevant)

![dropdown-label](/uploads/db2ea7cb3cc51fbdeea53c304f1bd7a5/dropdown-label.gif)

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4886
-
Stan Hu authored
Bump gitlab_git to 10.2.3 to fix false truncated warnings with ISO-8559 files Closes #18690 See merge request !4884
-
Robert Speicher authored
Restore old behavior around diff notes to outdated discussions Fixes #18569 See merge request !4870
-
Jacob Schatz authored
Fix unwanted label unassignment

## What does this MR do?

- When updating the milestone
  - [x] Do not remove labels when assigning a milestone
  - [x] Do not remove labels when unassigning a milestone
  - [x] Do not remove labels when assigning a milestone and adding another label
- When toggling selected issues labels should be kept
  - [x] Select an issue with an assigned label -> pick another label from dropdown-> unselect the issue -> select the issue again -> submit the form: Existing label should not be removed.

## Are there points in the code the reviewer needs to double check?

Labels should not be added or removed to issues when doing bulk actions unless we explicitly select a label from the dropdown

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4863
-