Add latest changes from gitlab-org/gitlab@master

9 files changed, 72 insertions, 25 deletions

diff --git a/app/models/group_group_link.rb b/app/models/group_group_link.rb
index 5a0d9b08cb0..58c188369da 100644
--- a/app/models/group_group_link.rb
+++ b/app/models/group_group_link.rb
@@ -10,11 +10,11 @@ class GroupGroupLink < ApplicationRecord
   validates :shared_group_id, uniqueness: { scope: [:shared_with_group_id],
                                             message: _('The group has already been shared with this group') }
   validates :shared_with_group, presence: true
-  validates :group_access, inclusion: { in: Gitlab::Access.values },
+  validates :group_access, inclusion: { in: Gitlab::Access.all_values },
                            presence: true
 
   def self.access_options
-    Gitlab::Access.options
+    Gitlab::Access.options_with_owner
   end
 
   def self.default_access
diff --git a/app/views/shared/members/_group.html.haml b/app/views/shared/members/_group.html.haml
index 4aeeac87f3c..1d7d18d2ab6 100644
--- a/app/views/shared/members/_group.html.haml
+++ b/app/views/shared/members/_group.html.haml
@@ -31,7 +31,7 @@
           = dropdown_title(_("Change permissions"))
           .dropdown-content
             %ul
-              - Gitlab::Access.options.each do |role, role_id|
+              - Gitlab::Access.options_with_owner.each do |role, role_id|
                 %li
                   = link_to role, '#',
                     class: ("is-active" if group_link.group_access == role_id),
diff --git a/changelogs/unreleased/198480-share_groups_with_groups_fix_owner_access.yml b/changelogs/unreleased/198480-share_groups_with_groups_fix_owner_access.yml
new file mode 100644
index 00000000000..76389baac62
--- /dev/null
+++ b/changelogs/unreleased/198480-share_groups_with_groups_fix_owner_access.yml
@@ -0,0 +1,5 @@
+---
+title: Allow Owner access level for sharing groups with groups
+merge_request: 23868
+author:
+type: fixed
diff --git a/changelogs/unreleased/rubyzip-qa-update.yml b/changelogs/unreleased/rubyzip-qa-update.yml
new file mode 100644
index 00000000000..f84776dc22a
--- /dev/null
+++ b/changelogs/unreleased/rubyzip-qa-update.yml
@@ -0,0 +1,5 @@
+---
+title: Update rubyzip gem in qa tests to 1.3.0 to fix CVE-2019-16892
+merge_request: 24119
+author:
+type: security
diff --git a/doc/user/admin_area/monitoring/convdev.md b/doc/user/admin_area/monitoring/convdev.md
new file mode 100644
index 00000000000..2ba28d4bc1c
--- /dev/null
+++ b/doc/user/admin_area/monitoring/convdev.md
@@ -0,0 +1,5 @@
+---
+redirect_to: '../../instance_statistics/dev_ops_score.md'
+---
+
+Conversational Development Index was renamed to [DevOps Score](../../instance_statistics/dev_ops_score.md) in GitLab 12.6.
diff --git a/doc/user/project/merge_requests/merge_request_approvals.md b/doc/user/project/merge_requests/merge_request_approvals.md
index fa294b82fef..1a61b0b8633 100644
--- a/doc/user/project/merge_requests/merge_request_approvals.md
+++ b/doc/user/project/merge_requests/merge_request_approvals.md
@@ -13,7 +13,7 @@ Merge request approvals enable multiple use cases:
 
 - Enforcing review of all code that gets merged into a repository.
 - Specifying reviewers for a given proposed code change, as well as a minimum number
-  of reviewers, through [Approval rules](#approval-rules)
+  of reviewers, through [Approval rules](#approval-rules).
 - Specifying categories of reviewers, such as backend, frontend, quality assurance,
   database, etc., for all proposed code changes.
 - Automatically designating [Code Owners as eligible approvers](#code-owners-as-eligible-approvers),
@@ -24,10 +24,10 @@ Merge request approvals enable multiple use cases:
 ## Approval rules
 
 Approval rules define how many approvals a merge request must receive before it can
-be merged, and optionally which users should do the approving. This can be defined:
+be merged, and optionally which users should do the approving. Approvals can be defined:
 
-- [As project defaults](#adding--editing-a-default-approval-rule)
-- [Per merge request](#editing--overriding-approval-rules-per-merge-request)
+- [As project defaults](#adding--editing-a-default-approval-rule).
+- [Per merge request](#editing--overriding-approval-rules-per-merge-request).
 
 If no approval rules are defined, any user can approve a merge request, though the default
 minimum number of required approvers can still be set in the [project settings for merge request approvals](#merge-request-approvals-project-settings).
@@ -90,7 +90,7 @@ Alternatively, you can **require**
 
 To add or edit the default merge request approval rule:
 
-1. Navigate to your project's **Settings > General** and expand **Merge request approvals**.
+1. Navigate to your project's **{settings}** **Settings > General** and expand **Merge request approvals**.
 
 1. Click **Add approval rule**, or **Edit**.
    - Add or change the **Rule name**.
@@ -99,7 +99,7 @@ To add or edit the default merge request approval rule:
      merge requests and click the **Add** button to add them as approvers. Before typing
      in the search field, approvers will be suggested based on the previous authors of
      the files being changed by the merge request.
-   - (Optional) Click the **"trashcan"** button next to a group or user to delete it from
+   - (Optional) Click the **{remove}** **Remove** button next to a group or user to delete it from
      the rule.
 1. Click **Add approval rule** or **Update approval rule**.
 
@@ -179,7 +179,7 @@ or a [failed CI/CD pipeline](merge_when_pipeline_succeeds.md).
 ## Merge request approvals project settings
 
 The project settings for Merge request approvals are found by going to
-**Settings > General** and expanding **Merge request approvals**.
+**{settings}** **Settings > General** and expanding **Merge request approvals**.
 
 ### Prevent overriding default approvals
 
@@ -188,7 +188,7 @@ the approval rules for all new merge requests will be determined by the
 [default approval rules](#adding--editing-a-default-approval-rule). To disable this feature:
 
 1. Uncheck the **Can override approvers and approvals required per merge request** checkbox.
-1. Click **Save changes**
+1. Click **Save changes**.
 
 ### Resetting approvals on push
 
@@ -198,7 +198,7 @@ even if there are changes added to the merge request. To enable this feature:
 
 1. Check the **Remove all approvals in a merge request when new commits are pushed to its source branch**
    checkbox.
-1. Click **Save changes**
+1. Click **Save changes**.
 
 NOTE: **Note:**
 Approvals do not get reset when [rebasing a merge request](fast_forward_merge.md)
diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock
index 6d48a9449a5..cd73e1b6539 100644
--- a/qa/Gemfile.lock
+++ b/qa/Gemfile.lock
@@ -94,7 +94,7 @@ GEM
       rspec-core (>= 2, < 4, != 2.12.0)
     ruby-debug-ide (0.7.0)
       rake (>= 0.8.1)
-    rubyzip (1.2.2)
+    rubyzip (1.3.0)
     selenium-webdriver (3.142.6)
       childprocess (>= 0.5, < 4.0)
       rubyzip (>= 1.2.2)
diff --git a/qa/qa/runtime/search.rb b/qa/qa/runtime/search.rb
index 74402301098..29a71b2815c 100644
--- a/qa/qa/runtime/search.rb
+++ b/qa/qa/runtime/search.rb
@@ -35,6 +35,8 @@ module QA
             )
           end
 
+          verify_search_engine_ok(search_term)
+
           find_commit(commit, "commit*#{search_term}")
           find_project(project, "to-search*#{search_term}")
         end
@@ -74,9 +76,7 @@ module QA
       end
 
       def search(scope, term)
-        QA::Runtime::Logger.debug("Search scope '#{scope}' for '#{term}'...")
-        request = Runtime::API::Request.new(api_client, "/search?scope=#{scope}&search=#{term}")
-        response = get(request.url)
+        response = get_response(scope, term)
 
         unless response.code == singleton_class::HTTP_STATUS_OK
           msg = "Search attempt failed. Request returned (#{response.code}): `#{response}`."
@@ -87,6 +87,19 @@ module QA
         parse_body(response)
       end
 
+      def get_response(scope, term)
+        QA::Runtime::Logger.debug("Search scope '#{scope}' for '#{term}'...")
+        request = Runtime::API::Request.new(api_client, "/search?scope=#{scope}&search=#{term}")
+        get(request.url)
+      end
+
+      def verify_search_engine_ok(search_term)
+        response = get_response('commits', search_term)
+        if response.code.to_s =~ /5[0-9][0-9]/
+          raise ElasticSearchServerError, "elasticsearch attempt returned code #{response.code}. Check that search was conducted on the appropriate url and port."
+        end
+      end
+
       def api_client
         @api_client ||= Runtime::API::Client.new(:gitlab)
       end
diff --git a/spec/controllers/groups/group_links_controller_spec.rb b/spec/controllers/groups/group_links_controller_spec.rb
index 04f2e33b26a..fc015471d5c 100644
--- a/spec/controllers/groups/group_links_controller_spec.rb
+++ b/spec/controllers/groups/group_links_controller_spec.rb
@@ -13,12 +13,30 @@ describe Groups::GroupLinksController do
 
   describe '#create' do
     let(:shared_with_group_id) { shared_with_group.id }
+    let(:shared_group_access) { GroupGroupLink.default_access }
 
     subject do
       post(:create,
            params: { group_id: shared_group,
                      shared_with_group_id: shared_with_group_id,
-                     shared_group_access: GroupGroupLink.default_access })
+                     shared_group_access: shared_group_access })
+    end
+
+    shared_examples 'creates group group link' do
+      it 'links group with selected group' do
+        expect { subject }.to change { shared_with_group.shared_groups.include?(shared_group) }.from(false).to(true)
+      end
+
+      it 'redirects to group links page' do
+        subject
+
+        expect(response).to(redirect_to(group_group_members_path(shared_group)))
+      end
+
+      it 'allows access for group member' do
+        expect { subject }.to(
+          change { group_member.can?(:read_group, shared_group) }.from(false).to(true))
+      end
     end
 
     context 'when user has correct access to both groups' do
@@ -31,18 +49,19 @@ describe Groups::GroupLinksController do
         shared_with_group.add_developer(group_member)
       end
 
-      it 'links group with selected group' do
-        expect { subject }.to change { shared_with_group.shared_groups.include?(shared_group) }.from(false).to(true)
+      context 'when default access level is requested' do
+        include_examples 'creates group group link'
       end
 
-      it 'redirects to group links page' do
-        subject
+      context 'when owner access is requested' do
+        let(:shared_group_access) { Gitlab::Access::OWNER }
 
-        expect(response).to(redirect_to(group_group_members_path(shared_group)))
-      end
+        include_examples 'creates group group link'
 
-      it 'allows access for group member' do
-        expect { subject }.to change { group_member.can?(:read_group, shared_group) }.from(false).to(true)
+        it 'allows admin access for group member' do
+          expect { subject }.to(
+            change { group_member.can?(:admin_group, shared_group) }.from(false).to(true))
+        end
       end
 
       context 'when shared with group id is not present' do