Add latest changes from gitlab-org/gitlab@master

16 files changed, 55 insertions, 37 deletions

diff --git a/app/assets/javascripts/boards/components/board_content_sidebar.vue b/app/assets/javascripts/boards/components/board_content_sidebar.vue
index 0320b4d925e..d25169b5b9d 100644
--- a/app/assets/javascripts/boards/components/board_content_sidebar.vue
+++ b/app/assets/javascripts/boards/components/board_content_sidebar.vue
@@ -138,9 +138,8 @@ export default {
 <template>
   <mounting-portal mount-to="#js-right-sidebar-portal" name="board-content-sidebar" append>
     <gl-drawer
-      v-if="showSidebar"
       v-bind="$attrs"
-      :open="isSidebarOpen"
+      :open="showSidebar"
       class="boards-sidebar gl-absolute"
       variant="sidebar"
       @close="handleClose"
diff --git a/app/assets/javascripts/boards/components/board_settings_sidebar.vue b/app/assets/javascripts/boards/components/board_settings_sidebar.vue
index c559e4cdbd3..e93edad675c 100644
--- a/app/assets/javascripts/boards/components/board_settings_sidebar.vue
+++ b/app/assets/javascripts/boards/components/board_settings_sidebar.vue
@@ -58,7 +58,7 @@ export default {
       return ListTypeTitles[ListType.label];
     },
     showSidebar() {
-      return this.sidebarType === LIST;
+      return this.sidebarType === LIST && this.isSidebarOpen;
     },
   },
   created() {
@@ -87,10 +87,9 @@ export default {
 <template>
   <mounting-portal mount-to="#js-right-sidebar-portal" name="board-settings-sidebar" append>
     <gl-drawer
-      v-if="showSidebar"
       v-bind="$attrs"
       class="js-board-settings-sidebar gl-absolute"
-      :open="isSidebarOpen"
+      :open="showSidebar"
       variant="sidebar"
       @close="unsetActiveId"
     >
diff --git a/config/feature_flags/development/group_level_protected_environment_settings_permission.yml b/config/feature_flags/development/group_level_protected_environment_settings_permission.yml
index 4fd71b82943..bbcfe24ba72 100644
--- a/config/feature_flags/development/group_level_protected_environment_settings_permission.yml
+++ b/config/feature_flags/development/group_level_protected_environment_settings_permission.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/369873
 milestone: '15.3'
 type: development
 group: group::release
-default_enabled: false
+default_enabled: true
diff --git a/db/migrate/20220802154757_add_deactivate_dormant_user_time_setting.rb b/db/migrate/20220802154757_add_deactivate_dormant_user_time_setting.rb
new file mode 100644
index 00000000000..ca887cc2255
--- /dev/null
+++ b/db/migrate/20220802154757_add_deactivate_dormant_user_time_setting.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+class AddDeactivateDormantUserTimeSetting < Gitlab::Database::Migration[2.0]
+  def change
+    add_column :application_settings, :deactivate_dormant_users_period, :integer, default: 90, null: false
+  end
+end
diff --git a/db/schema_migrations/20220802154757 b/db/schema_migrations/20220802154757
new file mode 100644
index 00000000000..a92f69e31da
--- /dev/null
+++ b/db/schema_migrations/20220802154757
@@ -0,0 +1 @@
+17d0f47b4663fdbcba617a456f713ebfe3782318abc7e46dc4a8e69bc76cf16f
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 19f635127b6..c2276aebc87 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -11457,6 +11457,7 @@ CREATE TABLE application_settings (
     git_rate_limit_users_allowlist text[] DEFAULT '{}'::text[] NOT NULL,
     error_tracking_access_token_encrypted text,
     package_registry_cleanup_policies_worker_capacity integer DEFAULT 2 NOT NULL,
+    deactivate_dormant_users_period integer DEFAULT 90 NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
     CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
diff --git a/doc/ci/environments/protected_environments.md b/doc/ci/environments/protected_environments.md
index ef762979900..17eccc38747 100644
--- a/doc/ci/environments/protected_environments.md
+++ b/doc/ci/environments/protected_environments.md
@@ -189,7 +189,7 @@ and are protected at the same time.
 
 ### Configure group-level memberships
 
-> - Operators are required to have Owner+ role from the original Maintainer+ role and this role change is introduced from GitLab 15.3 [with a flag](https://gitlab.com/gitlab-org/gitlab/-/issues/369873) named `group_level_protected_environment_settings_permission`. Disabled by default.
+> - Operators are required to have Owner+ role from the original Maintainer+ role and this role change is introduced from GitLab 15.3 [with a flag](https://gitlab.com/gitlab-org/gitlab/-/issues/369873) named `group_level_protected_environment_settings_permission`. Enabled by default.
 > - Original behavior where Operators are required to have Maintainer+ role can be achieved by enabling [flag](https://gitlab.com/gitlab-org/gitlab/-/issues/369875) named `override_group_level_protected_environment_settings_permission`. Disabled by default.
 
 To maximize the effectiveness of group-level protected environments,
diff --git a/doc/development/permissions.md b/doc/development/permissions.md
index ed95456c4f9..8e517b8577c 100644
--- a/doc/development/permissions.md
+++ b/doc/development/permissions.md
@@ -87,7 +87,7 @@ module):
 - Owner (`50`)
 
 If a user is the member of both a project and the project parent groups, the
-higher permission is taken into account for the project.
+highest permission is the applied access level for the project.
 
 If a user is the member of a project, but not the parent groups, they
 can still view the groups and their entities (like epics).
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index a49ec878c83..c89dd3f65f7 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -39,7 +39,7 @@ usernames. A GitLab administrator can configure the GitLab instance to
 A user's role determines what permissions they have on a project. The Owner role provides all permissions but is
 available only:
 
-- For group owners. The role is inherited for a group's projects.
+- For group and project Owners. In GitLab 14.8 and earlier, the role is inherited for a group's projects.
 - For Administrators.
 
 Personal [namespace](namespace/index.md) owners:
@@ -215,7 +215,7 @@ The following table lists project permissions available for each role:
    [GitLab.com visibility settings](gitlab_com/index.md#visibility-settings).
 2. Guest users can only view the [confidential issues](project/issues/confidential_issues.md) they created themselves or are assigned to.
 3. Not allowed for Guest, Reporter, Developer, Maintainer, or Owner. See [protected branches](project/protected_branches.md).
-4. If the [branch is protected](project/protected_branches.md), this depends on the access Developers and Maintainers are given.
+4. If the [branch is protected](project/protected_branches.md), this depends on the access given to Developers and Maintainers.
 5. Guest users can access GitLab [**Releases**](project/releases/index.md) for downloading assets but are not allowed to download the source code nor see [repository information like commits and release evidence](project/releases/index.md#view-a-release-and-download-assets).
 6. Actions are limited only to records owned (referenced) by user.
 7. When [Share Group Lock](group/access_and_permissions.md#prevent-a-project-from-being-shared-with-groups) is enabled the project can't be shared with other groups. It does not affect group with group sharing.
@@ -225,8 +225,8 @@ The following table lists project permissions available for each role:
 10. Users can only view events based on their individual actions.
 11. Project access tokens are supported for self-managed instances on Free and above. They are also
     supported on GitLab SaaS Premium and above (excluding [trial licenses](https://about.gitlab.com/free-trial/)).
-12. If the [tag is protected](#release-permissions-with-protected-tags), this depends on the access Developers and Maintainers are given.
-13. A Maintainer can't change project features visibility level if
+12. If the [tag is protected](#release-permissions-with-protected-tags), this depends on the access given to Developers and Maintainers.
+13. A Maintainer or Owner can't change project features visibility level if
     [project visibility](public_access.md) is set to private.
 14. Attached design files are moved together with the issue even if the user doesn't have the
     Developer role.
@@ -334,10 +334,9 @@ which visibility level you select on project settings.
 ### Protected branches
 
 Additional restrictions can be applied on a per-branch basis with [protected branches](project/protected_branches.md).
-Additionally, you can customize permissions to allow or prevent project
-Maintainers and Developers from pushing to a protected branch. Read through the documentation on
-[protected branches](project/protected_branches.md)
-to learn more.
+Additionally, you can customize permissions to allow or prevent project Developers or Maintainers
+from pushing to a protected branch. Read through the documentation on
+[protected branches](project/protected_branches.md) to learn more.
 
 ### Value stream analytics permissions
 
diff --git a/doc/user/project/members/index.md b/doc/user/project/members/index.md
index 395a57a0d55..4a6272a0ca3 100644
--- a/doc/user/project/members/index.md
+++ b/doc/user/project/members/index.md
@@ -49,11 +49,22 @@ flowchart RL
     [Feature flag `invite_members_group_modal`](https://gitlab.com/gitlab-org/gitlab/-/issues/352526) removed.
 
 Add users to a project so they become members and have permission
-to perform actions. The Owner [role](../../permissions.md#project-members-permissions) can only be added at the group level.
+to perform actions.
+
+The maximum role (access level) you set depends on if you have the Owner or Maintainer role for the group. For example, the maximum
+role that can be set is:
+
+- Owner (`50`), if you have the Owner role for the project.
+- Maintainer (`40`), if you have the Maintainer role on the project.
+
+In GitLab 14.8 and earlier, direct members of a project have a maximum role of Maintainer.
+The Owner [role](../../permissions.md#project-members-permissions) can only be added at the group level.
 
 Prerequisite:
 
-- You must have the Maintainer or Owner role.
+- You must have the Maintainer or Owner role:
+  - To remove direct members with the Maintainer role and below, you must have the Maintainer role.
+  - To remove members with the Owner role, you must have the Owner role.
 
 To add a user to a project:
 
diff --git a/lib/gitlab/i18n.rb b/lib/gitlab/i18n.rb
index 0c3c9060b46..30465ff5f74 100644
--- a/lib/gitlab/i18n.rb
+++ b/lib/gitlab/i18n.rb
@@ -44,29 +44,29 @@ module Gitlab
     TRANSLATION_LEVELS = {
       'bg' => 0,
       'cs_CZ' => 0,
-      'da_DK' => 40,
-      'de' => 15,
+      'da_DK' => 39,
+      'de' => 17,
       'en' => 100,
       'eo' => 0,
-      'es' => 37,
+      'es' => 38,
       'fil_PH' => 0,
       'fr' => 11,
       'gl_ES' => 0,
       'id_ID' => 0,
       'it' => 1,
-      'ja' => 33,
-      'ko' => 11,
+      'ja' => 32,
+      'ko' => 12,
       'nb_NO' => 26,
       'nl_NL' => 0,
       'pl_PL' => 4,
       'pt_BR' => 55,
       'ro_RO' => 100,
-      'ru' => 28,
-      'si_LK' => 11,
+      'ru' => 27,
+      'si_LK' => 10,
       'tr_TR' => 12,
-      'uk' => 49,
+      'uk' => 50,
       'zh_CN' => 99,
-      'zh_HK' => 2,
+      'zh_HK' => 1,
       'zh_TW' => 100
     }.freeze
     private_constant :TRANSLATION_LEVELS
diff --git a/spec/frontend/boards/components/board_content_sidebar_spec.js b/spec/frontend/boards/components/board_content_sidebar_spec.js
index 368c7d561f8..7e35c39cd48 100644
--- a/spec/frontend/boards/components/board_content_sidebar_spec.js
+++ b/spec/frontend/boards/components/board_content_sidebar_spec.js
@@ -108,7 +108,7 @@ describe('BoardContentSidebar', () => {
     createStore({ mockGetters: { isSidebarOpen: () => false } });
     createComponent();
 
-    expect(wrapper.findComponent(GlDrawer).exists()).toBe(false);
+    expect(wrapper.findComponent(GlDrawer).props('open')).toBe(false);
   });
 
   it('applies an open attribute', () => {
diff --git a/spec/frontend/boards/components/board_settings_sidebar_spec.js b/spec/frontend/boards/components/board_settings_sidebar_spec.js
index 57187f44a9f..4171a6236de 100644
--- a/spec/frontend/boards/components/board_settings_sidebar_spec.js
+++ b/spec/frontend/boards/components/board_settings_sidebar_spec.js
@@ -93,7 +93,7 @@ describe('BoardSettingsSidebar', () => {
 
         await nextTick();
 
-        expect(wrapper.findComponent(GlDrawer).exists()).toBe(false);
+        expect(wrapper.findComponent(GlDrawer).props('open')).toBe(false);
       });
 
       it('closes the sidebar when emitting the correct event', async () => {
@@ -103,7 +103,7 @@ describe('BoardSettingsSidebar', () => {
 
         await nextTick();
 
-        expect(wrapper.findComponent(GlDrawer).exists()).toBe(false);
+        expect(wrapper.findComponent(GlDrawer).props('open')).toBe(false);
       });
     });
 
@@ -150,7 +150,7 @@ describe('BoardSettingsSidebar', () => {
     it('does not render GlDrawer', () => {
       createComponent({ sidebarType: '' });
 
-      expect(findDrawer().exists()).toBe(false);
+      expect(findDrawer().props('open')).toBe(false);
     });
   });
 
diff --git a/spec/frontend/jira_connect/subscriptions/pages/sign_in/sign_in_page_spec.js b/spec/frontend/jira_connect/subscriptions/pages/sign_in/sign_in_page_spec.js
index 65b08fba592..c12a45b2f41 100644
--- a/spec/frontend/jira_connect/subscriptions/pages/sign_in/sign_in_page_spec.js
+++ b/spec/frontend/jira_connect/subscriptions/pages/sign_in/sign_in_page_spec.js
@@ -68,7 +68,7 @@ describe('SignInPage', () => {
     describe('when error event is emitted', () => {
       it('emits another error event', () => {
         findSignInGitlabCom().vm.$emit('error');
-        expect(wrapper.emitted('error')[0]).toBeTruthy();
+        expect(wrapper.emitted('error')).toHaveLength(1);
       });
     });
 
diff --git a/workhorse/go.mod b/workhorse/go.mod
index ec1caa68219..1ce25108da0 100644
--- a/workhorse/go.mod
+++ b/workhorse/go.mod
@@ -119,10 +119,17 @@ require (
 )
 
 exclude (
+	// CVE-2019-0205
+	github.com/apache/thrift v0.12.0
+	github.com/apache/thrift v0.13.0
+
 	// CVE-2020-28483
 	github.com/gin-gonic/gin v1.4.0
 	github.com/gin-gonic/gin v1.6.3
 
 	// CVE-2021-42576
 	github.com/microcosm-cc/bluemonday v1.0.2
+
+	// CVE-2020-26892
+	github.com/nats-io/nats-server/v2 v2.1.2
 )
diff --git a/workhorse/go.sum b/workhorse/go.sum
index e4bf2e5b478..d8ab3c9955b 100644
--- a/workhorse/go.sum
+++ b/workhorse/go.sum
@@ -197,8 +197,6 @@ github.com/alexbrainman/sspi v0.0.0-20180125232955-4729b3d4d858/go.mod h1:976q2E
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
-github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -874,13 +872,10 @@ github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOA
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg=
-github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
-github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k=
 github.com/nats-io/nats.go v1.8.1/go.mod h1:BrFz9vVn0fU3AcH9Vn4Kd7W0NpJ651tD5omQ3M8LwxM=
 github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w=
 github.com/nats-io/nkeys v0.0.2/go.mod h1:dab7URMsZm6Z/jp9Z5UGa87Uutgc2mVpXLC4B7TDb/4=
 github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
-github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/neurosnap/sentences v1.0.6/go.mod h1:pg1IapvYpWCJJm/Etxeh0+gtMf1rI1STY9S7eUCPbDc=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=