The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix settings_spec so that it can that run by itself

Running `spec/settings_spec.rb` would fail because it would attempt to load `1_settings.rb`, which would reference `Rails`. This constant was not loaded without `spec_helper.rb`.


See merge request !4893

Replace Haml with Hamlit

What this change does:
- It replaces HAML with [Hamlit](https://github.com/k0kubun/hamlit), a much more efficient implementation of HAML.
- It removes `haml-rails`.
- It adds `hamlit.rb` and removes `haml.rb`.
- It makes things faster and less memory-hungry!

See also #13201.

See merge request !3666

Remove width restriction for logo on sign-in page.

Follow-up on !4661 since we didn't remove the width restriction on that.

See merge request !4888

Resolve "Scrolling horz on iOS for the secondary nav is broken"

## What does this MR do?
Moves absolutely positioned `div`s outside of the scrolling container because mobile safari causes those elements to jump around on scroll.

## Are there points in the code the reviewer needs to double check?
Check on a real iPhone (was only able to check in iOS simulator)

## Why was this MR needed?
Mobile Safari.

## What are the relevant issue numbers?
Closes #18438 

## Screenshots (if relevant)
![mobile-safari-fix](/uploads/b38bba735530eb11507fe03036292dd8/mobile-safari-fix.gif)

See merge request !4869

Apply selected value as label

## What does this MR do?

## Are there points in the code the reviewer needs to double check?

## Why was this MR needed?

## What are the relevant issue numbers?

## Screenshots (if relevant)
![dropdown-label](/uploads/db2ea7cb3cc51fbdeea53c304f1bd7a5/dropdown-label.gif)


## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4886

Fix unwanted label unassignment

## What does this MR do?
- When updating the milestone
  - [x] Do not remove labels when assigning a milestone
  - [x] Do not remove labels when unassigning a milestone
  - [x] Do not remove labels when assigning a milestone and adding another label

- When toggling selected issues labels should be kept
  - [x] Select an issue with an assigned label -> pick another label from dropdown-> unselect the issue -> select the issue again -> submit the form: Existing label should not be removed.

## Are there points in the code the reviewer needs to double check?
Labels should not be added or removed to issues when doing bulk actions unless we explicitly select a label from the dropdown

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4863

Set button label when picking an option from status dropdown

## What does this MR do?
Fixes an issue with the status dropdown. It was not setting up the correct label after picking an option

## What are the relevant issue numbers?
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18536

## Screenshots (if relevant)

**Previous**

![status-select-previous](/uploads/7c6adbd6c5ba2660dc39a762d53d3b68/status-select-previous.gif)

**After**

![status-select](/uploads/91483efed8fbd63a79a01c9ca2154b74/status-select.gif)

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- [ ] Tests
  - [ ] Added for this feature/bug
  - [x] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4771

Use jQuery objects in ref dropdown

## What does this MR do?

Keeps the behaviour the same as the ref dropdown, however it now uses jQuery objects to handle the HTML creation instead of passing strings around. It pretty much worked out the box so not much was changed in the dropdowns themselves. Will be easy to transfer this over to other dropdown menus as well.

cc. @jschatz1 @rspeicher @DouweM 

Do we want this to go into a patch release?

See merge request !4850

Eager load award emoji on notes and participants

See merge request !4628

Restore old behavior around diff notes to outdated discussions

Fixes #18569

See merge request !4870

Bump gitlab_git to 10.2.3 to fix false truncated warnings with ISO-8559 files

Closes #18690


See merge request !4884

Added basic docs for the Emoji Rake tasks

## What does this MR do?

This MR adds basic documentation for the two Emoji Rake tasks.

## Are there points in the code the reviewer needs to double check?

Spelling, that sort of thing.

## Why was this MR needed?

These Rake tasks only had some small amount of source level documentation.

## What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ce/issues/14794

## Does this MR meet the acceptance criteria?

- [x] ~~[CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added~~
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4877

This commit eager loads the award emoji on both the issues and the MRs.
When loading an issue with 108 comments this reduces the query count by
327 queries. On a merge request with the same amount of comments this
saves 148 queries. The large difference is not clear to me at this
point and the total query count is still huge with 387 and 1034
respectively. The biggest problem however, remains the calculation of
participants.

Fix user creation with stronger minimum password requirements

## What does this MR do?

`doc/security/password_length_limits.md` Describes a way to increase minimum requirements of passwords, via `config/initializers/devise_password_length.rb`. However, user creation hardcoded password generation at 8 characters.

If the minimum was set at any more than 8 characters, user creation will fail.

Function now looks up minimum length requirement.

## What are the relevant issue numbers?

Fixes #14563.

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4054

Closes #18690

Fix merge requests project settings help link anchor.

## What does this MR do?

8.9.0 added a new project option for merge requests which has a link for help.   The link contained an anchor which was being encoded as ```%23``` so change the help link to properly configure the anchor.

## Are there points in the code the reviewer needs to double check?

None

## Why was this MR needed?

Current release causes 404 error when clicking on the help link in project settings.

## What are the relevant issue numbers?

Closes #18982 

## Screenshots (if relevant)

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [ ] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4873

Use memorized tags array when searching tags by name

See merge request !4859

Fix 404 for pipelines

## What does this MR do?
Allow to access pipelines of public project by logged guest.

## What are the relevant issue numbers?
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17885

## Does this MR meet the acceptance criteria?

- [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [ ] API support added
- Tests
  - [ ] Added for this feature/bug
  - [ ] All builds are passing
- [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4881