authorGitLab Bot <gitlab-bot@gitlab.com>2023-06-20 13:43:29 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-06-20 13:43:29 +0300
commit3b1af5cc7ed2666ff18b718ce5d30fa5a2756674 (patch)
tree3bc4a40e0ee51ec27eabf917c537033c0c5b14d4 /app/controllers/concerns
parent9bba14be3f2c211bf79e15769cd9b77bc73a13bc (diff)
Add latest changes from gitlab-org/gitlab@16-1-stable-eev16.1.0-rc42
Diffstat (limited to 'app/controllers/concerns')
-rw-r--r--app/controllers/concerns/creates_commit.rb2
-rw-r--r--app/controllers/concerns/impersonation.rb2
-rw-r--r--app/controllers/concerns/integrations/actions.rb9
-rw-r--r--app/controllers/concerns/integrations/params.rb1
-rw-r--r--app/controllers/concerns/membership_actions.rb2
-rw-r--r--app/controllers/concerns/metrics/dashboard/prometheus_api_proxy.rb51
-rw-r--r--app/controllers/concerns/metrics_dashboard.rb2
-rw-r--r--app/controllers/concerns/notes_actions.rb22
-rw-r--r--app/controllers/concerns/renders_notes.rb2
-rw-r--r--app/controllers/concerns/search_rate_limitable.rb4
-rw-r--r--app/controllers/concerns/skips_already_signed_in_message.rb24
-rw-r--r--app/controllers/concerns/snippets_actions.rb2
-rw-r--r--app/controllers/concerns/spammable_actions/captcha_check/html_format_actions_support.rb5
-rw-r--r--app/controllers/concerns/uploads_actions.rb12
-rw-r--r--app/controllers/concerns/web_hooks/hook_actions.rb1
-rw-r--r--app/controllers/concerns/web_hooks/hook_log_actions.rb2
-rw-r--r--app/controllers/concerns/web_ide_csp.rb34
-rw-r--r--app/controllers/concerns/wiki_actions.rb3
18 files changed, 97 insertions, 83 deletions
diff --git a/app/controllers/concerns/creates_commit.rb b/app/controllers/concerns/creates_commit.rb
index 53bb11090c8..896004045f4 100644
--- a/app/controllers/concerns/creates_commit.rb
+++ b/app/controllers/concerns/creates_commit.rb
@@ -23,6 +23,8 @@ module CreatesCommit
commit_params = @commit_params.merge(
start_project: start_project,
start_branch: @start_branch,
+ source_project: @project,
+ target_project: target_project,
branch_name: @branch_name
)
diff --git a/app/controllers/concerns/impersonation.rb b/app/controllers/concerns/impersonation.rb
index e562cf5dbe4..aac55af0bac 100644
--- a/app/controllers/concerns/impersonation.rb
+++ b/app/controllers/concerns/impersonation.rb
@@ -6,7 +6,7 @@ module Impersonation
SESSION_KEYS_TO_DELETE = %w[
github_access_token gitea_access_token gitlab_access_token
bitbucket_token bitbucket_refresh_token bitbucket_server_personal_access_token
- bulk_import_gitlab_access_token fogbugz_token
+ bulk_import_gitlab_access_token fogbugz_token cloud_platform_access_token
].freeze
def current_user
diff --git a/app/controllers/concerns/integrations/actions.rb b/app/controllers/concerns/integrations/actions.rb
index c0816c2fe9c..10e86bcc98d 100644
--- a/app/controllers/concerns/integrations/actions.rb
+++ b/app/controllers/concerns/integrations/actions.rb
@@ -7,7 +7,12 @@ module Integrations::Actions
include Integrations::Params
include IntegrationsHelper
+ # :overrides is defined in Admin:IntegrationsController
+ # rubocop:disable Rails/LexicallyScopedActionFilter
+ before_action :ensure_integration_enabled, only: [:edit, :update, :overrides, :test]
before_action :integration, only: [:edit, :update, :overrides, :test]
+ # rubocop:enable Rails/LexicallyScopedActionFilter
+
before_action :render_404, only: :edit, if: -> do
integration.to_param == 'prometheus' && Feature.enabled?(:remove_monitor_metrics)
end
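Review bot: The added comment names `Admin:IntegrationsController` with a single colon; the constant is presumably namespaced `Admin::IntegrationsController`, so the comment should read `# :overrides is defined in Admin::IntegrationsController`. The new `before_action :ensure_integration_enabled` runs ahead of the existing `before_action :integration` with the identical `only:` list and already evaluates `integration`, which the second hunk shows is memoized with `||=`, so the second filter appears redundant once the first is in place. In the second hunk, `ensure_integration_enabled` carries no comment; `# Halts the filter chain with a 404 when no integration matches params[:id]` would state the contract visible in its body.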
@@ -58,6 +63,10 @@ module Integrations::Actions
@integration ||= find_or_initialize_non_project_specific_integration(params[:id])
end
+ def ensure_integration_enabled
+ render_404 unless integration
+ end
+
def success_message
if integration.active?
format(s_('Integrations|%{integration} settings saved and active.'), integration: integration.title)
diff --git a/app/controllers/concerns/integrations/params.rb b/app/controllers/concerns/integrations/params.rb
index af984776828..19e458307a1 100644
--- a/app/controllers/concerns/integrations/params.rb
+++ b/app/controllers/concerns/integrations/params.rb
@@ -9,6 +9,7 @@ module Integrations
:app_store_key_id,
:app_store_private_key,
:app_store_private_key_file_name,
+ :app_store_protected_refs,
:active,
:alert_events,
:api_key,
diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 09b82e36b1a..31675a58163 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -156,7 +156,7 @@ module MembershipActions
[:inherited]
else
if Feature.enabled?(:webui_members_inherited_users, current_user)
- [:inherited, :direct, :shared_from_groups]
+ [:inherited, :direct, :shared_from_groups, (:invited_groups if params[:project_id])].compact
else
[:inherited, :direct]
end
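Review bot: The `else` directly above the changed line holds nothing but a nested `if`, so the branch should collapse to `elsif Feature.enabled?(:webui_members_inherited_users, current_user)` and drop one level of nesting. On the new line, `params[:project_id]` is used as a bare truthiness check, which also passes for an empty string; if the intent is "this request is project-scoped", `params[:project_id].present?` is the more precise predicate. The enclosing method begins and ends outside the hunk.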
diff --git a/app/controllers/concerns/metrics/dashboard/prometheus_api_proxy.rb b/app/controllers/concerns/metrics/dashboard/prometheus_api_proxy.rb
deleted file mode 100644
index ea9fd2de961..00000000000
--- a/app/controllers/concerns/metrics/dashboard/prometheus_api_proxy.rb
+++ /dev/null
@@ -1,51 +0,0 @@
-# frozen_string_literal: true
-
-module Metrics::Dashboard::PrometheusApiProxy
- extend ActiveSupport::Concern
- include RenderServiceResults
-
- included do
- before_action :authorize_read_prometheus!, only: [:prometheus_proxy]
- end
-
- def prometheus_proxy
- variable_substitution_result =
- proxy_variable_substitution_service.new(proxyable, permit_params).execute
-
- return error_response(variable_substitution_result) if variable_substitution_result[:status] == :error
-
- prometheus_result = ::Prometheus::ProxyService.new(
- proxyable,
- proxy_method,
- proxy_path,
- variable_substitution_result[:params]
- ).execute
-
- return continue_polling_response if prometheus_result.nil?
- return error_response(prometheus_result) if prometheus_result[:status] == :error
-
- success_response(prometheus_result)
- end
-
- private
-
- def proxyable
- raise NotImplementedError, "#{self.class} must implement method: #{__callee__}"
- end
-
- def proxy_variable_substitution_service
- raise NotImplementedError, "#{self.class} must implement method: #{__callee__}"
- end
-
- def permit_params
- params.permit!
- end
-
- def proxy_method
- request.method
- end
-
- def proxy_path
- params[:proxy_path]
- end
-end
diff --git a/app/controllers/concerns/metrics_dashboard.rb b/app/controllers/concerns/metrics_dashboard.rb
index 7e202235cfa..7a84c597424 100644
--- a/app/controllers/concerns/metrics_dashboard.rb
+++ b/app/controllers/concerns/metrics_dashboard.rb
@@ -10,6 +10,8 @@ module MetricsDashboard
extend ActiveSupport::Concern
def metrics_dashboard
+ return not_found if Feature.enabled?(:remove_monitor_metrics)
+
result = dashboard_finder.find(
project_for_dashboard,
current_user,
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb
index 06b9c901e4a..7b2cf131fce 100644
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -62,7 +62,7 @@ module NotesActions
end
if @note.errors.present? && @note.errors.attribute_names != [:commands_only, :command_names]
- render json: json, status: :unprocessable_entity
+ render json: { errors: errors_on_create(@note.errors) }, status: :unprocessable_entity
else
render json: json
end
@@ -75,15 +75,21 @@ module NotesActions
# rubocop:disable Gitlab/ModuleWithInstanceVariables
def update
@note = Notes::UpdateService.new(project, current_user, update_note_params).execute(note)
- unless @note
+ if @note.destroyed?
head :gone
return
end
- prepare_notes_for_rendering([@note])
-
respond_to do |format|
- format.json { render json: note_json(@note) }
+ format.json do
+ if @note.errors.present?
+ render json: { errors: @note.errors.full_messages.to_sentence }, status: :unprocessable_entity
+ else
+ prepare_notes_for_rendering([@note])
+ render json: note_json(@note)
+ end
+ end
+
format.html { redirect_back_or_default }
end
end
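Review bot: Replacing `unless @note` with `if @note.destroyed?` makes `update` assume that `Notes::UpdateService#execute` always returns a note object; if it can still return nil, as the removed guard implied, this line now raises NoMethodError instead of answering 410. If nil is no longer possible, say so on that line, e.g. `# UpdateService always returns the note; destroyed? signals it was removed during the update`, so the next reader does not reintroduce the guard. The `head :gone` plus separate `return` can also be written as the one-liner `return head :gone if @note.destroyed?`. Note that the `format.html` branch still redirects without surfacing `@note.errors`, so the new validation-error handling applies to JSON clients only.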
@@ -309,6 +315,12 @@ module NotesActions
noteable.discussions_rendered_on_frontend?
end
+
+ def errors_on_create(errors)
+ return { commands_only: errors.messages[:commands_only] } if errors.key?(:commands_only)
+
+ errors.full_messages.to_sentence
+ end
end
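Review bot: `errors_on_create` returns a Hash in its first branch and a String in its second, so the `errors` field rendered in the first hunk (`render json: { errors: errors_on_create(@note.errors) }`) has two different shapes and every JSON consumer has to branch on type. The method has no comment; add one stating the contract, e.g. `# Returns { commands_only: [...] } when the note consisted solely of quick actions, otherwise the validation messages joined into a single String.` If a single shape is acceptable to the frontend, wrapping the second branch in a Hash as well would simplify callers, but that is an API change and should be decided deliberately.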
NotesActions.prepend_mod_with('NotesActions')
diff --git a/app/controllers/concerns/renders_notes.rb b/app/controllers/concerns/renders_notes.rb
index 889d3f0a9d2..d768dae03a2 100644
--- a/app/controllers/concerns/renders_notes.rb
+++ b/app/controllers/concerns/renders_notes.rb
@@ -2,7 +2,7 @@
module RendersNotes
# rubocop:disable Gitlab/ModuleWithInstanceVariables
- def prepare_notes_for_rendering(notes, noteable = nil)
+ def prepare_notes_for_rendering(notes)
preload_noteable_for_regular_notes(notes)
preload_max_access_for_authors(notes, @project)
preload_author_status(notes)
diff --git a/app/controllers/concerns/search_rate_limitable.rb b/app/controllers/concerns/search_rate_limitable.rb
index 7cce30dbb3c..1105e9bbbfd 100644
--- a/app/controllers/concerns/search_rate_limitable.rb
+++ b/app/controllers/concerns/search_rate_limitable.rb
@@ -20,9 +20,7 @@ module SearchRateLimitable
def safe_search_scope
# Sometimes search scope can have abusive length or invalid keyword. We don't want
# to send those to redis for rate limit checks, so we guard against that here.
- return if Feature.disabled?(:search_rate_limited_scopes) || abuse_detected?
-
- params[:scope]
+ params[:scope] unless abuse_detected?
end
def abuse_detected?
diff --git a/app/controllers/concerns/skips_already_signed_in_message.rb b/app/controllers/concerns/skips_already_signed_in_message.rb
new file mode 100644
index 00000000000..7630cf4f4e1
--- /dev/null
+++ b/app/controllers/concerns/skips_already_signed_in_message.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# This concern can be included in devise controllers to skip showing an "already signed in"
+# warning on registrations and logins
+module SkipsAlreadySignedInMessage
+ extend ActiveSupport::Concern
+
+ included do
+ # replaced with :require_no_authentication_without_flash
+ # rubocop: disable Rails/LexicallyScopedActionFilter
+ # The actions are defined in Devise
+ skip_before_action :require_no_authentication, only: [:new, :create]
+ before_action :require_no_authentication_without_flash, only: [:new, :create]
+ # rubocop: enable Rails/LexicallyScopedActionFilter
+ end
+
+ def require_no_authentication_without_flash
+ require_no_authentication
+
+ return unless flash[:alert] == I18n.t('devise.failure.already_authenticated')
+
+ flash[:alert] = nil
+ end
+end
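Review bot: `flash[:alert] = nil` on the last line of `require_no_authentication_without_flash` leaves the `alert` key present with a nil value rather than removing it; `flash.delete(:alert)` expresses the intent and avoids templates that test for key presence rendering an empty alert. The comparison against `I18n.t('devise.failure.already_authenticated')` only holds because Devise set the message in the same request and locale moments earlier; a short comment such as `# Devise just set this alert in the current locale, so the same translation matches it` would make that dependency explicit. The `# rubocop: disable` / `# rubocop: enable` directives here have a space after the colon, unlike `# rubocop:disable` in integrations/actions.rb in this same commit; pick one form.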
diff --git a/app/controllers/concerns/snippets_actions.rb b/app/controllers/concerns/snippets_actions.rb
index 62c5aee16e4..b14ef8dffa9 100644
--- a/app/controllers/concerns/snippets_actions.rb
+++ b/app/controllers/concerns/snippets_actions.rb
@@ -56,7 +56,7 @@ module SnippetsActions
@noteable = @snippet
@discussions = @snippet.discussions
- @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes), @noteable)
+ @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes))
render 'show'
end
diff --git a/app/controllers/concerns/spammable_actions/captcha_check/html_format_actions_support.rb b/app/controllers/concerns/spammable_actions/captcha_check/html_format_actions_support.rb
index 23db6a4b368..9cad61ed362 100644
--- a/app/controllers/concerns/spammable_actions/captcha_check/html_format_actions_support.rb
+++ b/app/controllers/concerns/spammable_actions/captcha_check/html_format_actions_support.rb
@@ -28,8 +28,13 @@ module SpammableActions::CaptchaCheck::HtmlFormatActionsSupport
# recaptcha gem. This is a field which is automatically included by calling the
# `#recaptcha_tags` method within a HAML template's form.
def convert_html_spam_params_to_headers
+ return unless params['g-recaptcha-response'] || params[:spam_log_id]
+
request.headers['X-GitLab-Captcha-Response'] = params['g-recaptcha-response'] if params['g-recaptcha-response']
request.headers['X-GitLab-Spam-Log-Id'] = params[:spam_log_id] if params[:spam_log_id]
+
+ # Reset the spam_params on the request context, since they have changed mid-request
+ Gitlab::RequestContext.instance.spam_params = ::Spam::SpamParams.new_from_request(request: request)
end
end
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index 0d64a685065..222fcc17222 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -11,7 +11,7 @@ module UploadsActions
prepend_before_action :set_request_format_from_path_extension
rescue_from FileUploader::InvalidSecret, with: :render_404
- rescue_from ::Gitlab::Utils::PathTraversalAttackError do
+ rescue_from ::Gitlab::PathTraversal::PathTraversalAttackError do
head :bad_request
end
end
@@ -37,7 +37,7 @@ module UploadsActions
# - or redirect to its URL
#
def show
- Gitlab::Utils.check_path_traversal!(params[:filename])
+ Gitlab::PathTraversal.check_path_traversal!(params[:filename])
return render_404 unless uploader&.exists?
@@ -129,6 +129,14 @@ module UploadsActions
return unless uploader = build_uploader
uploader.retrieve_from_store!(params[:filename])
+
+ Gitlab::AppJsonLogger.info(
+ message: 'Deprecated usage of build_uploader_from_params',
+ uploader_class: uploader.class.name,
+ path: params[:filename],
+ exists: uploader.exists?
+ )
+
uploader
end
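Review bot: The added `Gitlab::AppJsonLogger.info` call evaluates `uploader.exists?` solely to populate the log entry, which adds a storage lookup on every call of this deprecated path; if the goal is to measure how often the path is hit, drop the `exists:` field or gate the whole call so it is not paid per request. The `path:` field records the raw `params[:filename]`, which is user-controlled; the structured logger keeps it as a JSON string, but the earlier hunk only shows `check_path_traversal!` being applied in `show`, so whether this method sees a validated filename cannot be confirmed from this hunk and is worth stating in a comment above the log call. The enclosing method starts outside the hunk.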
diff --git a/app/controllers/concerns/web_hooks/hook_actions.rb b/app/controllers/concerns/web_hooks/hook_actions.rb
index ae971b7bc95..076347922c8 100644
--- a/app/controllers/concerns/web_hooks/hook_actions.rb
+++ b/app/controllers/concerns/web_hooks/hook_actions.rb
@@ -9,6 +9,7 @@ module WebHooks
attr_writer :hooks, :hook
before_action :hook_logs, only: :edit
+ feature_category :webhooks
end
def index
diff --git a/app/controllers/concerns/web_hooks/hook_log_actions.rb b/app/controllers/concerns/web_hooks/hook_log_actions.rb
index f3378d7c857..321cee5a452 100644
--- a/app/controllers/concerns/web_hooks/hook_log_actions.rb
+++ b/app/controllers/concerns/web_hooks/hook_log_actions.rb
@@ -11,7 +11,7 @@ module WebHooks
respond_to :html
- feature_category :integrations
+ feature_category :webhooks
urgency :low, [:retry]
end
diff --git a/app/controllers/concerns/web_ide_csp.rb b/app/controllers/concerns/web_ide_csp.rb
index c2d66abb538..0327020a0c2 100644
--- a/app/controllers/concerns/web_ide_csp.rb
+++ b/app/controllers/concerns/web_ide_csp.rb
@@ -5,25 +5,27 @@ module WebIdeCSP
included do
before_action :include_web_ide_csp
+ end
- # We want to include frames from `/assets/webpack` of the request's host to
- # support URL flexibility with the Web IDE.
- # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118875
- def include_web_ide_csp
- return if request.content_security_policy.directives.blank?
+ # We want to include frames from `/assets/webpack` of the request's host to
+ # support URL flexibility with the Web IDE.
+ # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118875
+ def include_web_ide_csp
+ return if request.content_security_policy.directives.blank?
- base_uri = URI(request.url)
- base_uri.path = ::Gitlab.config.gitlab.relative_url_root || '/'
- # `.path +=` handles combining `x/` and `/foo`
- base_uri.path += '/assets/webpack/'
- webpack_url = base_uri.to_s
+ base_uri = URI(request.url)
+ base_uri.path = ::Gitlab.config.gitlab.relative_url_root || '/'
+ # `.path +=` handles combining `x/` and `/foo`
+ base_uri.path += '/assets/webpack/'
+ webpack_url = base_uri.to_s
- default_src = Array(request.content_security_policy.directives['default-src'] || [])
- request.content_security_policy.directives['frame-src'] ||= default_src
- request.content_security_policy.directives['frame-src'].concat([webpack_url, 'https://*.vscode-cdn.net/'])
+ default_src = Array(request.content_security_policy.directives['default-src'] || [])
+ request.content_security_policy.directives['frame-src'] ||= default_src
+ request.content_security_policy.directives['frame-src'].concat([webpack_url, 'https://*.vscode-cdn.net/'])
- request.content_security_policy.directives['worker-src'] ||= default_src
- request.content_security_policy.directives['worker-src'].concat([webpack_url])
- end
+ request.content_security_policy.directives['worker-src'] ||= default_src
+ request.content_security_policy.directives['worker-src'].concat([webpack_url])
end
end
+
+WebIdeCSP.prepend_mod_with('WebIdeCSP')
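Review bot: In the moved `include_web_ide_csp`, `default_src` is the very array stored under `default-src` whenever that directive is present (`Array()` returns an existing Array unchanged), and `||=` then installs that same object under `frame-src` and `worker-src`, so the following `concat` calls mutate `default-src` in place and append `webpack_url` to both directives twice; when `default-src` is absent the fresh `[]` is still shared between `frame-src` and `worker-src` and gets the double append. The practical effect is that the webpack URL and `https://*.vscode-cdn.net/` can also land in `default-src`, widening the policy beyond the two directives the comment describes. Build new arrays with `+` instead of mutating in place, as below. Moving the method out of `included do` also turns it into a plain module instance method, which is what the new `prepend_mod_with` line needs; a one-line comment on the method saying so would help the next reader.
```ruby
    default_src = Array(request.content_security_policy.directives['default-src'] || [])

    # Build fresh arrays: `Array()` hands back the stored directive array itself, so
    # `||=` followed by `concat` would mutate `default-src` and alias the two directives.
    frame_src = request.content_security_policy.directives['frame-src'] || default_src
    request.content_security_policy.directives['frame-src'] = frame_src + [webpack_url, 'https://*.vscode-cdn.net/']

    worker_src = request.content_security_policy.directives['worker-src'] || default_src
    request.content_security_policy.directives['worker-src'] = worker_src + [webpack_url]
```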
diff --git a/app/controllers/concerns/wiki_actions.rb b/app/controllers/concerns/wiki_actions.rb
index 265cf2a7698..c606ccf4a07 100644
--- a/app/controllers/concerns/wiki_actions.rb
+++ b/app/controllers/concerns/wiki_actions.rb
@@ -13,9 +13,10 @@ module WikiActions
included do
content_security_policy do |p|
next if p.directives.blank?
+ next unless Gitlab::CurrentSettings.diagramsnet_enabled?
default_frame_src = p.directives['frame-src'] || p.directives['default-src']
- frame_src_values = Array.wrap(default_frame_src) | ['https://embed.diagrams.net'].compact
+ frame_src_values = Array.wrap(default_frame_src) | [Gitlab::CurrentSettings.diagramsnet_url].compact
p.frame_src(*frame_src_values)
end