
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-09-20 14:18:08 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-09-20 14:18:08 +0300
commit5afcbe03ead9ada87621888a31a62652b10a7e4f (patch)
tree9918b67a0d0f0bafa6542e839a8be37adf73102d /app/controllers
parentc97c0201564848c1f53226fe19d71fdcc472f7d0 (diff)
Add latest changes from gitlab-org/gitlab@16-4-stable-eev16.4.0-rc42
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/activity_pub/application_controller.rb27
-rw-r--r--app/controllers/activity_pub/projects/application_controller.rb28
-rw-r--r--app/controllers/activity_pub/projects/releases_controller.rb29
-rw-r--r--app/controllers/admin/abuse_reports_controller.rb14
-rw-r--r--app/controllers/admin/jobs_controller.rb12
-rw-r--r--app/controllers/admin/users_controller.rb9
-rw-r--r--app/controllers/application_controller.rb35
-rw-r--r--app/controllers/clusters/agents/dashboard_controller.rb34
-rw-r--r--app/controllers/concerns/access_tokens_actions.rb1
-rw-r--r--app/controllers/concerns/harbor/access.rb8
-rw-r--r--app/controllers/concerns/issuable_actions.rb13
-rw-r--r--app/controllers/concerns/issuable_collections.rb18
-rw-r--r--app/controllers/concerns/notes_actions.rb3
-rw-r--r--app/controllers/concerns/onboarding/status.rb6
-rw-r--r--app/controllers/concerns/preferred_language_switcher.rb31
-rw-r--r--app/controllers/concerns/search_rate_limitable.rb3
-rw-r--r--app/controllers/concerns/verifies_with_email.rb1
-rw-r--r--app/controllers/concerns/web_hooks/hook_log_actions.rb9
-rw-r--r--app/controllers/confirmations_controller.rb1
-rw-r--r--app/controllers/groups/email_campaigns_controller.rb69
-rw-r--r--app/controllers/groups/labels_controller.rb5
-rw-r--r--app/controllers/groups/runners_controller.rb2
-rw-r--r--app/controllers/groups/work_items_controller.rb4
-rw-r--r--app/controllers/groups_controller.rb1
-rw-r--r--app/controllers/help_controller.rb2
-rw-r--r--app/controllers/import/bitbucket_server_controller.rb4
-rw-r--r--app/controllers/invites_controller.rb2
-rw-r--r--app/controllers/oauth/authorizations_controller.rb2
-rw-r--r--app/controllers/organizations/application_controller.rb15
-rw-r--r--app/controllers/organizations/organizations_controller.rb16
-rw-r--r--app/controllers/passwords_controller.rb4
-rw-r--r--app/controllers/profiles/notifications_controller.rb2
-rw-r--r--app/controllers/profiles/personal_access_tokens_controller.rb1
-rw-r--r--app/controllers/profiles/preferences_controller.rb1
-rw-r--r--app/controllers/projects/alerting/notifications_controller.rb6
-rw-r--r--app/controllers/projects/commits_controller.rb2
-rw-r--r--app/controllers/projects/environments/sample_metrics_controller.rb16
-rw-r--r--app/controllers/projects/environments_controller.rb14
-rw-r--r--app/controllers/projects/graphs_controller.rb2
-rw-r--r--app/controllers/projects/incidents_controller.rb1
-rw-r--r--app/controllers/projects/issues_controller.rb12
-rw-r--r--app/controllers/projects/jobs_controller.rb20
-rw-r--r--app/controllers/projects/labels_controller.rb5
-rw-r--r--app/controllers/projects/merge_requests/application_controller.rb12
-rw-r--r--app/controllers/projects/merge_requests/conflicts_controller.rb2
-rw-r--r--app/controllers/projects/merge_requests_controller.rb20
-rw-r--r--app/controllers/projects/mirrors_controller.rb1
-rw-r--r--app/controllers/projects/notes_controller.rb3
-rw-r--r--app/controllers/projects/pages_controller.rb10
-rw-r--r--app/controllers/projects/pipeline_schedules_controller.rb5
-rw-r--r--app/controllers/projects/pipelines/tests_controller.rb2
-rw-r--r--app/controllers/projects/pipelines_controller.rb7
-rw-r--r--app/controllers/projects/prometheus/alerts_controller.rb43
-rw-r--r--app/controllers/projects/service_desk_controller.rb2
-rw-r--r--app/controllers/projects/tracing_controller.rb23
-rw-r--r--app/controllers/projects/work_items_controller.rb1
-rw-r--r--app/controllers/projects_controller.rb1
-rw-r--r--app/controllers/pwa_controller.rb2
-rw-r--r--app/controllers/registrations/welcome_controller.rb10
-rw-r--r--app/controllers/registrations_controller.rb10
-rw-r--r--app/controllers/search_controller.rb4
-rw-r--r--app/controllers/sent_notifications_controller.rb2
-rw-r--r--app/controllers/sessions_controller.rb11
-rw-r--r--app/controllers/users/namespace_visits_controller.rb15
64 files changed, 335 insertions, 341 deletions
diff --git a/app/controllers/activity_pub/application_controller.rb b/app/controllers/activity_pub/application_controller.rb
new file mode 100644
index 00000000000..f9c2b14fe77
--- /dev/null
+++ b/app/controllers/activity_pub/application_controller.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module ActivityPub
+ class ApplicationController < ::ApplicationController
+ include RoutableActions
+
+ before_action :ensure_feature_flag
+ skip_before_action :authenticate_user!
+ after_action :set_content_type
+
+ def can?(object, action, subject = :global)
+ Ability.allowed?(object, action, subject)
+ end
+
+ def route_not_found
+ head :not_found
+ end
+
+ def set_content_type
+ self.content_type = "application/activity+json"
+ end
+
+ def ensure_feature_flag
+ not_found unless ::Feature.enabled?(:activity_pub)
+ end
+ end
+end
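Review bot: `skip_before_action :authenticate_user!` in this base class makes every ActivityPub endpoint that inherits from it anonymous, and nothing in the file states what is meant to replace the login check. A comment above that line, for example `# ActivityPub endpoints are served without a session; subclasses must expose only publicly visible resources`, would make the contract explicit for future subclasses. `set_content_type` and `ensure_feature_flag` are also declared without `private`, so they would be reachable as actions if a route ever resolved to those names; placing them under `private` avoids that. The `after_action` also sets `application/activity+json` on the bodiless 404 from `route_not_found`, which looks harmless but may not be intended.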
diff --git a/app/controllers/activity_pub/projects/application_controller.rb b/app/controllers/activity_pub/projects/application_controller.rb
new file mode 100644
index 00000000000..e54a457743d
--- /dev/null
+++ b/app/controllers/activity_pub/projects/application_controller.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ActivityPub
+ module Projects
+ class ApplicationController < ::ActivityPub::ApplicationController
+ before_action :project
+ before_action :ensure_project_feature_flag
+
+ private
+
+ def project
+ return unless params[:project_id] || params[:id]
+
+ path = File.join(params[:namespace_id], params[:project_id] || params[:id])
+
+ @project = find_routable!(Project, path, request.fullpath, extra_authorization_proc: auth_proc)
+ end
+
+ def auth_proc
+ ->(project) { project.public? && !project.pending_delete? }
+ end
+
+ def ensure_project_feature_flag
+ not_found unless ::Feature.enabled?(:activity_pub_project, project)
+ end
+ end
+ end
+end
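Review bot: `project` is not memoized and runs twice per request, once as `before_action :project` and again inside `ensure_project_feature_flag`, so `find_routable!` and the `auth_proc` check are evaluated twice. Reading the instance variable in the flag check avoids the second lookup: `not_found unless ::Feature.enabled?(:activity_pub_project, @project)`. The early `return unless params[:project_id] || params[:id]` also lets the request continue with `@project` unset on an unauthenticated endpoint. Unless a route is meant to reach this controller without a project, answering `not_found` there is the safer default. `File.join(params[:namespace_id], …)` would raise if `namespace_id` were absent, which presumably the routes rule out; worth confirming.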
diff --git a/app/controllers/activity_pub/projects/releases_controller.rb b/app/controllers/activity_pub/projects/releases_controller.rb
new file mode 100644
index 00000000000..7c4c2a0322b
--- /dev/null
+++ b/app/controllers/activity_pub/projects/releases_controller.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module ActivityPub
+ module Projects
+ class ReleasesController < ApplicationController
+ feature_category :release_orchestration
+
+ def index
+ opts = {
+ inbox: nil,
+ outbox: outbox_project_releases_url(@project)
+ }
+
+ render json: ActivityPub::ReleasesActorSerializer.new.represent(@project, opts)
+ end
+
+ def outbox
+ serializer = ActivityPub::ReleasesOutboxSerializer.new.with_pagination(request, response)
+ render json: serializer.represent(releases)
+ end
+
+ private
+
+ def releases(params = {})
+ ReleasesFinder.new(@project, current_user, params).execute
+ end
+ end
+ end
+end
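Review bot: Neither `index` nor `outbox` makes an explicit permission check for releases; the only gate visible on this page is the parent's `project.public? && !project.pending_delete?`. Whether `ReleasesFinder` itself refuses a nil `current_user` when releases are restricted on a public project is outside this diff, so an explicit guard such as `before_action -> { not_found unless can?(current_user, :read_release, @project) }` would make the endpoint safe regardless of the finder's behaviour. Separately, the parameter of `releases(params = {})` shadows the controller's `params`; renaming it (for example `finder_params`) removes any doubt about which one a later edit refers to.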
diff --git a/app/controllers/admin/abuse_reports_controller.rb b/app/controllers/admin/abuse_reports_controller.rb
index 329c4e4921a..b48d6f4f7c2 100644
--- a/app/controllers/admin/abuse_reports_controller.rb
+++ b/app/controllers/admin/abuse_reports_controller.rb
@@ -3,8 +3,11 @@
class Admin::AbuseReportsController < Admin::ApplicationController
feature_category :insider_threat
- before_action :set_status_param, only: :index, if: -> { Feature.enabled?(:abuse_reports_list) }
+ before_action :set_status_param, only: :index
before_action :find_abuse_report, only: [:show, :moderate_user, :update, :destroy]
+ before_action only: :show do
+ push_frontend_feature_flag(:abuse_report_labels)
+ end
def index
@abuse_reports = AbuseReportsFinder.new(params).execute
@@ -12,14 +15,11 @@ class Admin::AbuseReportsController < Admin::ApplicationController
def show; end
- # Kept for backwards compatibility.
- # TODO: See https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/167?work_item_iid=443
- # In 16.4 remove or re-use this endpoint after frontend has migrated to using moderate_user endpoint
def update
- response = Admin::AbuseReports::ModerateUserService.new(@abuse_report, current_user, permitted_params).execute
+ response = Admin::AbuseReports::UpdateService.new(@abuse_report, current_user, permitted_params).execute
if response.success?
- render json: { message: response.message }
+ head :ok
else
render json: { message: response.message }, status: :unprocessable_entity
end
@@ -53,6 +53,6 @@ class Admin::AbuseReportsController < Admin::ApplicationController
end
def permitted_params
- params.permit(:user_action, :close, :reason, :comment)
+ params.permit(:user_action, :close, :reason, :comment, { label_ids: [] })
end
end
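Review bot: `label_ids` is now permitted unconditionally, while the `:abuse_report_labels` flag is only pushed to the frontend in the first hunk of this file, so with the flag off the backend still accepts label changes on `update`. If the flag is meant to gate the feature and not just its UI, permit the key conditionally, e.g. build the list and add `{ label_ids: [] }` only when `Feature.enabled?(:abuse_report_labels)`. `permitted_params` also appears to be shared with `moderate_user` (outside the hunks), so the moderation service would now receive `label_ids` and `UpdateService` would receive `:user_action`, `:close`, `:reason` and `:comment`; separate permit lists per action would keep each service's input minimal.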
diff --git a/app/controllers/admin/jobs_controller.rb b/app/controllers/admin/jobs_controller.rb
index 5ea8c672993..d0ade3e6024 100644
--- a/app/controllers/admin/jobs_controller.rb
+++ b/app/controllers/admin/jobs_controller.rb
@@ -7,18 +7,10 @@ class Admin::JobsController < Admin::ApplicationController
urgency :low
before_action do
- push_frontend_feature_flag(:admin_jobs_vue)
+ push_frontend_feature_flag(:admin_jobs_filter_runner_type, type: :ops)
end
- def index
- # We need all builds for tabs counters
- @all_builds = Ci::JobsFinder.new(current_user: current_user).execute
-
- @scope = params[:scope]
- @builds = Ci::JobsFinder.new(current_user: current_user, params: params).execute
- @builds = @builds.eager_load_everything
- @builds = @builds.page(params[:page]).per(BUILDS_PER_PAGE).without_count
- end
+ def index; end
def cancel_all
Ci::Build.running_or_pending.each(&:cancel)
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index f05b03c2787..1f05e4e7b21 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -221,8 +221,7 @@ class Admin::UsersController < Admin::ApplicationController
respond_to do |format|
result = Users::UpdateService.new(current_user, user_params_with_pass.merge(user: user)).execute do |user|
- user.skip_reconfirmation!
- user.send_only_admin_changed_your_password_notification! if admin_making_changes_for_another_user?
+ prepare_user_for_update(user)
end
if result[:status] == :success
@@ -393,6 +392,12 @@ class Admin::UsersController < Admin::ApplicationController
@can_impersonate = helpers.can_impersonate_user(user, impersonation_in_progress?)
@impersonation_error_text = @can_impersonate ? nil : helpers.impersonation_error_text(user, impersonation_in_progress?)
end
+
+ # method overriden in EE
+ def prepare_user_for_update(user)
+ user.skip_reconfirmation!
+ user.send_only_admin_changed_your_password_notification! if admin_making_changes_for_another_user?
+ end
end
Admin::UsersController.prepend_mod_with('Admin::UsersController')
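Review bot: The comment on the extracted hook reads `# method overriden in EE`, which is misspelled and does not say what an override must preserve. Something like `# Overridden in EE. Overrides must call super so reconfirmation is skipped and the admin-changed-password notification is still sent.` documents the contract. The same `# overriden in EE` spelling appears on `log_audit_reset_failure` in `passwords_controller.rb`. Whether `prepare_user_for_update` lands under a `private` section cannot be seen from this hunk; it should, since it is a controller helper and not an action.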
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 08e4f4956df..7c69f43fa3d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -38,7 +38,6 @@ class ApplicationController < ActionController::Base
before_action :active_user_check, unless: :devise_controller?
before_action :set_usage_stats_consent_flag
before_action :check_impersonation_availability
- before_action :required_signup_info
# Make sure the `auth_user` is memoized so it can be logged, we do this after
# all other before filters that could have set the user.
@@ -115,6 +114,24 @@ class ApplicationController < ActionController::Base
content_security_policy do |p|
next if p.directives.blank?
+
+ if Rails.env.development? && Feature.enabled?(:vite)
+ vite_host = ViteRuby.instance.config.host
+ vite_port = ViteRuby.instance.config.port
+ vite_origin = "#{vite_host}:#{vite_port}"
+ http_origin = "http://#{vite_origin}"
+ ws_origin = "ws://#{vite_origin}"
+ wss_origin = "wss://#{vite_origin}"
+ gitlab_ws_origin = Gitlab::Utils.append_path(Gitlab.config.gitlab.url, 'vite-dev/')
+ http_path = Gitlab::Utils.append_path(http_origin, 'vite-dev/')
+
+ connect_sources = p.directives['connect-src']
+ p.connect_src(*(Array.wrap(connect_sources) | [ws_origin, wss_origin, http_path]))
+
+ worker_sources = p.directives['worker-src']
+ p.worker_src(*(Array.wrap(worker_sources) | [gitlab_ws_origin, http_path]))
+ end
+
next unless Gitlab::CurrentSettings.snowplow_enabled? && !Gitlab::CurrentSettings.snowplow_collector_hostname.blank?
default_connect_src = p.directives['connect-src'] || p.directives['default-src']
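Review bot: `gitlab_ws_origin` is built from `Gitlab.config.gitlab.url` and passed to `worker_src`, so despite its name it does not hold a WebSocket origin; a name such as `gitlab_vite_path` would match its content. The block also sits inline in the shared `content_security_policy` callback. A short comment above the `if`, e.g. `# Development only: allow the local Vite dev server; these http:// and ws:// sources must never reach a production policy`, would let a reader confirm the scope of the relaxation at a glance. The callback begins and continues outside the hunk.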
@@ -326,9 +343,12 @@ class ApplicationController < ActionController::Base
end
def check_password_expiration
- return if session[:impersonator_id] || !current_user&.allow_password_authentication?
+ return if session[:impersonator_id]
+ return if current_user.nil?
- redirect_to new_profile_password_path if current_user&.password_expired?
+ if current_user.password_expired? && current_user.allow_password_authentication?
+ redirect_to new_profile_password_path
+ end
end
def active_user_check
@@ -555,15 +575,6 @@ class ApplicationController < ActionController::Base
def context_user
auth_user if strong_memoized?(:auth_user)
end
-
- def required_signup_info
- return unless current_user
- return unless current_user.role_required?
-
- store_location_for :user, request.fullpath
-
- redirect_to users_sign_up_welcome_path
- end
end
ApplicationController.prepend_mod
diff --git a/app/controllers/clusters/agents/dashboard_controller.rb b/app/controllers/clusters/agents/dashboard_controller.rb
new file mode 100644
index 00000000000..1f72aaa4775
--- /dev/null
+++ b/app/controllers/clusters/agents/dashboard_controller.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Clusters
+ module Agents
+ class DashboardController < ApplicationController
+ include KasCookie
+
+ before_action :check_feature_flag!
+ before_action :find_agent
+ before_action :authorize_read_cluster_agent!
+ before_action :set_kas_cookie, only: [:show], if: -> { current_user }
+
+ feature_category :deployment_management
+
+ def show
+ head :ok
+ end
+
+ private
+
+ def find_agent
+ @agent = ::Clusters::Agent.find(params[:agent_id])
+ end
+
+ def check_feature_flag!
+ not_found unless ::Feature.enabled?(:k8s_dashboard, current_user)
+ end
+
+ def authorize_read_cluster_agent!
+ not_found unless can?(current_user, :read_cluster_agent, @agent)
+ end
+ end
+ end
+end
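Review bot: `show` returns a bare `head :ok`, so the only effect of the action is the `set_kas_cookie` callback, and that is not stated anywhere in the file. A comment on `show`, e.g. `# Renders nothing; the request exists so that set_kas_cookie can issue the KAS cookie to an authorized user`, would explain why an empty endpoint needs the feature-flag and `read_cluster_agent` checks in front of it (the wording is inferred from the callbacks, so adjust if the intent differs). The superclass is written as the unqualified `ApplicationController`; since constant lookup inside `Clusters::Agents` can resolve to a namespaced class, spelling out the intended parent makes it clear whether `authenticate_user!` applies here.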
diff --git a/app/controllers/concerns/access_tokens_actions.rb b/app/controllers/concerns/access_tokens_actions.rb
index 84cbdda1581..de53fd4d835 100644
--- a/app/controllers/concerns/access_tokens_actions.rb
+++ b/app/controllers/concerns/access_tokens_actions.rb
@@ -69,6 +69,7 @@ module AccessTokensActions
resource.members.load
@scopes = Gitlab::Auth.available_scopes_for(resource)
+ @scopes.delete(Gitlab::Auth::K8S_PROXY_SCOPE) unless Feature.enabled?(:k8s_proxy_pat, current_user)
@active_access_tokens = active_access_tokens
end
# rubocop:enable Gitlab/ModuleWithInstanceVariables
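Review bot: Deleting `K8S_PROXY_SCOPE` from `@scopes` only changes what the form lists; whether a create request naming that scope is rejected while `:k8s_proxy_pat` is off depends on code outside this hunk and should be confirmed, because hiding an option is not an authorization check. `@scopes.delete` also mutates the array returned by `Gitlab::Auth.available_scopes_for` in place, which would leak across requests or raise if that method ever returns a shared or frozen array. A non-mutating form avoids this: `@scopes -= [Gitlab::Auth::K8S_PROXY_SCOPE] unless Feature.enabled?(:k8s_proxy_pat, current_user)`. The same line is added to `set_index_vars` in `profiles/personal_access_tokens_controller.rb`.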
diff --git a/app/controllers/concerns/harbor/access.rb b/app/controllers/concerns/harbor/access.rb
index 211566aeda7..9466952e98e 100644
--- a/app/controllers/concerns/harbor/access.rb
+++ b/app/controllers/concerns/harbor/access.rb
@@ -5,21 +5,13 @@ module Harbor
extend ActiveSupport::Concern
included do
- before_action :harbor_registry_enabled!
before_action :authorize_read_harbor_registry!
- before_action do
- push_frontend_feature_flag(:harbor_registry_integration)
- end
feature_category :integrations
end
private
- def harbor_registry_enabled!
- render_404 unless Feature.enabled?(:harbor_registry_integration, defined?(group) ? group : project)
- end
-
def authorize_read_harbor_registry!
raise NotImplementedError
end
diff --git a/app/controllers/concerns/issuable_actions.rb b/app/controllers/concerns/issuable_actions.rb
index 1b49cffd408..28e1056092d 100644
--- a/app/controllers/concerns/issuable_actions.rb
+++ b/app/controllers/concerns/issuable_actions.rb
@@ -174,22 +174,11 @@ module IssuableActions
if Gitlab::Database.read_only? || params[:persist_filter] == 'false'
notes_filter_param || current_user&.notes_filter_for(issuable)
else
- notes_filter = current_user&.set_notes_filter(notes_filter_param, issuable) || notes_filter_param
-
- # We need to invalidate the cache for polling notes otherwise it will
- # ignore the filter.
- # The ideal would be to invalidate the cache for each user.
- issuable.expire_note_etag_cache if notes_filter_updated?
-
- notes_filter
+ current_user&.set_notes_filter(notes_filter_param, issuable) || notes_filter_param
end
end
end
- def notes_filter_updated?
- current_user&.user_preference&.previous_changes&.any?
- end
-
def discussion_cache_context
[current_user&.cache_key, project.team.human_max_access(current_user&.id), 'v2'].join(':')
end
diff --git a/app/controllers/concerns/issuable_collections.rb b/app/controllers/concerns/issuable_collections.rb
index b02a636ff74..5479154f667 100644
--- a/app/controllers/concerns/issuable_collections.rb
+++ b/app/controllers/concerns/issuable_collections.rb
@@ -20,26 +20,10 @@ module IssuableCollections
set_pagination
return if redirect_out_of_range(@issuables, @total_pages)
-
- if params[:label_name].present? && @project
- labels_params = { project_id: @project.id, title: params[:label_name] }
- @labels = LabelsFinder.new(current_user, labels_params).execute
- end
-
- @users = []
- if params[:assignee_id].present?
- assignee = User.find_by_id(params[:assignee_id])
- @users.push(assignee) if assignee
- end
-
- if params[:author_id].present?
- author = User.find_by_id(params[:author_id])
- @users.push(author) if author
- end
end
def set_pagination
- row_count = finder.row_count
+ row_count = request.format.atom? ? -1 : finder.row_count
@issuables = @issuables.page(params[:page])
@issuables = per_page_for_relative_position if params[:sort] == 'relative_position'
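Review bot: The `-1` assigned to `row_count` for Atom requests is a sentinel with no explanation, and how the rest of `set_pagination` interprets it lies outside the hunk. A comment on that line, e.g. `# Atom feeds do not paginate by total, so skip the count query; -1 is the "count not computed" value`, would document the intent, assuming that is what the code after the hunk treats `-1` as. A named constant in place of the literal would make the comparison sites easier to find.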
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb
index 93cf1d15086..31b3d311865 100644
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -33,9 +33,6 @@ module NotesActions
notes.map { |note| note_json(note) }
end
- # Only present an ETag for the empty response
- ::Gitlab::EtagCaching::Middleware.skip!(response) if notes.present?
-
render json: meta.merge(notes: notes)
end
diff --git a/app/controllers/concerns/onboarding/status.rb b/app/controllers/concerns/onboarding/status.rb
index 5112ebb3b5d..8a99f5a6c12 100644
--- a/app/controllers/concerns/onboarding/status.rb
+++ b/app/controllers/concerns/onboarding/status.rb
@@ -31,12 +31,6 @@ module Onboarding
last_invited_member&.source
end
- def invite_with_tasks_to_be_done?
- return false if members.empty?
-
- MemberTask.for_members(members).exists?
- end
-
private
attr_reader :user
diff --git a/app/controllers/concerns/preferred_language_switcher.rb b/app/controllers/concerns/preferred_language_switcher.rb
index 872652100c9..529d1fb78bd 100644
--- a/app/controllers/concerns/preferred_language_switcher.rb
+++ b/app/controllers/concerns/preferred_language_switcher.rb
@@ -2,6 +2,8 @@
module PreferredLanguageSwitcher
extend ActiveSupport::Concern
+ include Gitlab::Utils::StrongMemoize
+ include PreferredLanguageSwitcherHelper
private
@@ -11,8 +13,37 @@ module PreferredLanguageSwitcher
def preferred_language
cookies[:preferred_language].presence_in(Gitlab::I18n.available_locales) ||
+ selectable_language(marketing_site_language) ||
+ selectable_language(browser_languages) ||
Gitlab::CurrentSettings.default_preferred_language
end
+
+ def selectable_language(language_options)
+ language_options.find { |lan| ordered_selectable_locales_codes.include?(lan) }
+ end
+
+ def ordered_selectable_locales_codes
+ ordered_selectable_locales.pluck(:value) # rubocop:disable CodeReuse/ActiveRecord
+ end
+
+ def browser_languages
+ formatted_http_language_header = request.env['HTTP_ACCEPT_LANGUAGE']&.tr('-', '_')
+
+ return [] unless formatted_http_language_header
+
+ formatted_http_language_header.split(%r{[;,]}).reject { |str| str.start_with?('q') }
+ end
+ strong_memoize_attr :browser_languages
+
+ def marketing_site_language
+ return [] unless params[:glm_source]
+
+ locale = params[:glm_source].scan(%r{(\w{2})-(\w{2})}).flatten
+
+ return [] if locale.empty?
+
+ [locale[0], "#{locale[0]}_#{locale[1]}"]
+ end
end
PreferredLanguageSwitcher.prepend_mod
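Review bot: Both new parsers read request-controlled input on what are presumably unauthenticated pages and make assumptions about its shape. In `marketing_site_language`, `params[:glm_source].scan` raises `NoMethodError` when the parameter arrives as an array or hash (`glm_source[]=…`), turning a crafted URL into a 500; `params[:glm_source].to_s.scan(%r{(\w{2})-(\w{2})})` avoids that. In `browser_languages`, a header written with spaces (`en-US, fr;q=0.8`) yields `" fr"`, which never matches a locale code, so add `.map(&:strip)` before the `reject`. The `start_with?('q')` filter would also drop a language tag that begins with `q`; matching `q=` is more precise. Q-values are ignored, so the header's order, not its weights, decides the result.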
diff --git a/app/controllers/concerns/search_rate_limitable.rb b/app/controllers/concerns/search_rate_limitable.rb
index 1105e9bbbfd..e32fc2f4dd6 100644
--- a/app/controllers/concerns/search_rate_limitable.rb
+++ b/app/controllers/concerns/search_rate_limitable.rb
@@ -11,7 +11,8 @@ module SearchRateLimitable
# scopes to get counts, we apply rate limits on the search scope if it is present.
#
# If abusive search is detected, we have stricter limits and ignore the search scope.
- check_rate_limit!(:search_rate_limit, scope: [current_user, safe_search_scope].compact)
+ check_rate_limit!(:search_rate_limit, scope: [current_user, safe_search_scope].compact,
+ users_allowlist: Gitlab::CurrentSettings.current_application_settings.search_rate_limit_allowlist)
else
check_rate_limit!(:search_rate_limit_unauthenticated, scope: [request.ip])
end
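Review bot: The allowlist is read through `Gitlab::CurrentSettings.current_application_settings.search_rate_limit_allowlist`, whereas other controllers on this page call settings directly on `Gitlab::CurrentSettings` (`snowplow_enabled?`, `default_preferred_language`); using `Gitlab::CurrentSettings.search_rate_limit_allowlist` would be consistent and fit on the line. The comment block above the call describes the scope handling but not the new exemption. A line such as `# Users on the search_rate_limit_allowlist setting are exempt from this limit` would record that the allowlist applies only to this authenticated branch. The enclosing `if` starts outside the hunk.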
diff --git a/app/controllers/concerns/verifies_with_email.rb b/app/controllers/concerns/verifies_with_email.rb
index 6affd7bb4cc..cb8aef11e8d 100644
--- a/app/controllers/concerns/verifies_with_email.rb
+++ b/app/controllers/concerns/verifies_with_email.rb
@@ -9,7 +9,6 @@ module VerifiesWithEmail
included do
prepend_before_action :verify_with_email, only: :create, unless: -> { skip_verify_with_email? }
- skip_before_action :required_signup_info, only: :successful_verification
end
# rubocop:disable Metrics/PerceivedComplexity
diff --git a/app/controllers/concerns/web_hooks/hook_log_actions.rb b/app/controllers/concerns/web_hooks/hook_log_actions.rb
index 321cee5a452..dcea7596790 100644
--- a/app/controllers/concerns/web_hooks/hook_log_actions.rb
+++ b/app/controllers/concerns/web_hooks/hook_log_actions.rb
@@ -20,8 +20,13 @@ module WebHooks
end
def retry
- execute_hook
- redirect_to after_retry_redirect_path
+ if hook_log.url_current?
+ execute_hook
+ redirect_to after_retry_redirect_path
+ else
+ flash[:warning] = _('The hook URL has changed, and this log entry cannot be retried')
+ redirect_back(fallback_location: after_retry_redirect_path)
+ end
end
private
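Review bot: The `hook_log.url_current?` guard lives only in this `retry` action, while `execute_hook` is defined outside the hunk, so any other caller of `execute_hook` would still replay a stored payload to a URL the log entry was never sent to. Moving the check into `execute_hook` (or the service it calls) would enforce it at a single point. A comment on the condition would also help, e.g. `# Retrying replays the logged payload; refuse if the hook now points at a different URL`. The two branches redirect differently (`redirect_to` versus `redirect_back`); if that is deliberate it deserves a word in the same comment.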
diff --git a/app/controllers/confirmations_controller.rb b/app/controllers/confirmations_controller.rb
index f7c7ee62c1a..5ceabaa734a 100644
--- a/app/controllers/confirmations_controller.rb
+++ b/app/controllers/confirmations_controller.rb
@@ -7,7 +7,6 @@ class ConfirmationsController < Devise::ConfirmationsController
include GoogleAnalyticsCSP
include GoogleSyndicationCSP
- skip_before_action :required_signup_info
prepend_before_action :check_recaptcha, only: :create
before_action :load_recaptcha, only: :new
diff --git a/app/controllers/groups/email_campaigns_controller.rb b/app/controllers/groups/email_campaigns_controller.rb
deleted file mode 100644
index 8ae429de490..00000000000
--- a/app/controllers/groups/email_campaigns_controller.rb
+++ /dev/null
@@ -1,69 +0,0 @@
-# frozen_string_literal: true
-
-class Groups::EmailCampaignsController < Groups::ApplicationController
- EMAIL_CAMPAIGNS_SCHEMA_URL = 'iglu:com.gitlab/email_campaigns/jsonschema/1-0-0'
-
- feature_category :experimentation_activation
- urgency :low
-
- before_action :check_params
-
- def index
- track_click
- redirect_to redirect_link
- end
-
- private
-
- def track_click
- if Gitlab.com?
- message = Gitlab::Email::Message::InProductMarketing.for(@track).new(group: group, user: current_user, series: @series)
-
- data = {
- namespace_id: group.id,
- track: @track.to_s,
- series: @series,
- subject_line: message.subject_line
- }
- context = SnowplowTracker::SelfDescribingJson.new(EMAIL_CAMPAIGNS_SCHEMA_URL, data)
-
- ::Gitlab::Tracking.event(self.class.name, 'click', context: [context], user: current_user, namespace: group)
- else
- ::Users::InProductMarketingEmail.save_cta_click(current_user, @track, @series)
- end
- end
-
- def redirect_link
- case @track
- when :create
- create_track_url
- when :verify
- project_pipelines_url(group.projects.first)
- when :trial, :trial_short
- 'https://about.gitlab.com/free-trial/'
- when :team, :team_short
- group_group_members_url(group)
- when :admin_verify
- project_settings_ci_cd_path(group.projects.first, anchor: 'js-runners-settings')
- end
- end
-
- def create_track_url
- [
- new_project_url,
- new_project_url(anchor: 'import_project'),
- help_page_url('user/project/repository/repository_mirroring')
- ][@series]
- end
-
- def check_params
- @track = params[:track]&.to_sym
- @series = params[:series]&.to_i
-
- track_valid = @track.in?(Namespaces::InProductMarketingEmailsService::TRACKS.keys)
- return render_404 unless track_valid
-
- series_valid = @series.in?(0..Namespaces::InProductMarketingEmailsService::TRACKS[@track][:interval_days].size - 1)
- render_404 unless series_valid
- end
-end
diff --git a/app/controllers/groups/labels_controller.rb b/app/controllers/groups/labels_controller.rb
index f927cae90b1..9535b83e769 100644
--- a/app/controllers/groups/labels_controller.rb
+++ b/app/controllers/groups/labels_controller.rb
@@ -98,7 +98,10 @@ class Groups::LabelsController < Groups::ApplicationController
end
def label_params
- params.require(:label).permit(:title, :description, :color)
+ allowed = [:title, :description, :color]
+ allowed << :lock_on_merge if @group.supports_lock_on_merge?
+
+ params.require(:label).permit(allowed)
end
def redirect_back_or_group_labels_path(options = {})
diff --git a/app/controllers/groups/runners_controller.rb b/app/controllers/groups/runners_controller.rb
index b3539da8429..3600a0fbed5 100644
--- a/app/controllers/groups/runners_controller.rb
+++ b/app/controllers/groups/runners_controller.rb
@@ -42,6 +42,8 @@ class Groups::RunnersController < Groups::ApplicationController
@runner ||= Ci::RunnersFinder.new(current_user: current_user, params: group_params).execute
.except(:limit, :offset)
.find(params[:id])
+ rescue Gitlab::Access::AccessDeniedError
+ nil
end
def runner_params
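Review bot: Rescuing `Gitlab::Access::AccessDeniedError` and returning `nil` makes the runner lookup silently yield nothing, so every caller has to treat a nil runner as "not found"; the method header and its callers are outside the hunk, and any caller that dereferences the result would turn a denied request into a 500. Because the value is held with `@runner ||=`, a nil result is not memoized and the finder runs again on each call. A comment on the rescue such as `# Report a denied lookup as "no runner" so the caller renders 404 and does not disclose that the runner exists` would record the intent, if that is the intent.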
diff --git a/app/controllers/groups/work_items_controller.rb b/app/controllers/groups/work_items_controller.rb
index d1e15c81471..bd85f12119b 100644
--- a/app/controllers/groups/work_items_controller.rb
+++ b/app/controllers/groups/work_items_controller.rb
@@ -7,5 +7,9 @@ module Groups
def index
not_found unless Feature.enabled?(:namespace_level_work_items, group)
end
+
+ def show
+ not_found unless Feature.enabled?(:namespace_level_work_items, group)
+ end
end
end
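Review bot: `show` repeats the flag check from `index` line for line, so an action added later can easily be left without it. Declaring it once keeps the controller closed by default: `before_action -> { not_found unless Feature.enabled?(:namespace_level_work_items, group) }`, with both actions left empty.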
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 344de886a93..edc590e1370 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -37,7 +37,6 @@ class GroupsController < Groups::ApplicationController
push_frontend_feature_flag(:frontend_caching, group)
push_force_frontend_feature_flag(:work_items, group.work_items_feature_flag_enabled?)
push_frontend_feature_flag(:issues_grid_view)
- push_frontend_feature_flag(:new_graphql_users_autocomplete, group)
end
before_action only: :merge_requests do
diff --git a/app/controllers/help_controller.rb b/app/controllers/help_controller.rb
index 9635e476510..df8128f24fe 100644
--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
@@ -9,7 +9,7 @@ class HelpController < ApplicationController
# Taken from Jekyll
# https://github.com/jekyll/jekyll/blob/3.5-stable/lib/jekyll/document.rb#L13
- YAML_FRONT_MATTER_REGEXP = /\A(---\s*\n.*?\n?)^((---|\.\.\.)\s*$\n?)/m.freeze
+ YAML_FRONT_MATTER_REGEXP = /\A(---\s*\n.*?\n?)^((---|\.\.\.)\s*$\n?)/m
def index
@help_index = get_markdown_without_frontmatter(path_to_doc('index.md'))
diff --git a/app/controllers/import/bitbucket_server_controller.rb b/app/controllers/import/bitbucket_server_controller.rb
index e17cd00d053..ba2743e1002 100644
--- a/app/controllers/import/bitbucket_server_controller.rb
+++ b/app/controllers/import/bitbucket_server_controller.rb
@@ -22,8 +22,8 @@ class Import::BitbucketServerController < Import::BaseController
# (https://community.atlassian.com/t5/Answers-Developer-Questions/stash-repository-names/qaq-p/499054)
#
# Bitbucket Server starts personal project names with a tilde.
- VALID_BITBUCKET_PROJECT_CHARS = /\A~?[\w\-\.\s]+\z/.freeze
- VALID_BITBUCKET_CHARS = /\A[\w\-\.\s]+\z/.freeze
+ VALID_BITBUCKET_PROJECT_CHARS = /\A~?[\w\-\.\s]+\z/
+ VALID_BITBUCKET_CHARS = /\A[\w\-\.\s]+\z/
def new
end
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 8a8ae38c6f3..c058329680a 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -83,8 +83,6 @@ class InvitesController < ApplicationController
def authenticate_user!
return if current_user
- store_location_for(:user, invite_details[:path]) if member
-
if user_sign_up?
set_session_invite_params
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index a1d4df6ff48..a541e7e703f 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -14,7 +14,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
# include the call to session.delete
def new
if pre_auth.authorizable?
- if skip_authorization? || matching_token?
+ if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
auth = authorization.authorize
parsed_redirect_uri = URI.parse(auth.redirect_uri)
session.delete(:user_return_to)
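Review bot: The added `pre_auth.client.application.confidential?` condition is a security decision and carries no explanation, so a later refactor could drop it as redundant. A comment above the `if`, e.g. `# A public (non-confidential) client cannot authenticate itself, so an existing token must not be used to skip the consent screen`, would protect it. The chained call assumes `pre_auth.client` and its `application` are present whenever `pre_auth.authorizable?` is true; that is likely but comes from code outside the hunk. `new` continues past the end of the hunk.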
diff --git a/app/controllers/organizations/application_controller.rb b/app/controllers/organizations/application_controller.rb
index 568cfe6399d..d3c3e878bdf 100644
--- a/app/controllers/organizations/application_controller.rb
+++ b/app/controllers/organizations/application_controller.rb
@@ -2,7 +2,7 @@
module Organizations
class ApplicationController < ::ApplicationController
- skip_before_action :authenticate_user!
+ before_action :check_feature_flag!
before_action :organization
layout 'organization'
@@ -16,11 +16,16 @@ module Organizations
end
strong_memoize_attr :organization
- def authorize_action!(action)
- return if Feature.enabled?(:ui_for_organizations, current_user) &&
- can?(current_user, action, organization)
+ def check_feature_flag!
+ access_denied! unless Feature.enabled?(:ui_for_organizations, current_user)
+ end
+
+ def authorize_create_organization!
+ access_denied! unless can?(current_user, :create_organization)
+ end
- access_denied!
+ def authorize_read_organization!
+ access_denied! unless can?(current_user, :read_organization, organization)
end
end
end
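Review bot: `check_feature_flag!` answers a disabled flag with `access_denied!`, whereas the other flag checks added in this commit use `not_found` (`ensure_feature_flag`, `check_feature_flag!` in the clusters dashboard, the group work-items actions). If `access_denied!` can produce a response that differs from a plain 404, it confirms that the route exists while the feature is off; `not_found unless Feature.enabled?(:ui_for_organizations, current_user)` would be consistent with the rest. From the hunk it is not visible whether the three new helpers sit under `private`; they should, since they are not actions.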
diff --git a/app/controllers/organizations/organizations_controller.rb b/app/controllers/organizations/organizations_controller.rb
index 650ec97c264..88c6c9b3cef 100644
--- a/app/controllers/organizations/organizations_controller.rb
+++ b/app/controllers/organizations/organizations_controller.rb
@@ -4,10 +4,20 @@ module Organizations
class OrganizationsController < ApplicationController
feature_category :cell
- before_action { authorize_action!(:read_organization) }
+ skip_before_action :authenticate_user!, except: [:index, :new]
- def show; end
+ def index; end
- def groups_and_projects; end
+ def new
+ authorize_create_organization!
+ end
+
+ def show
+ authorize_read_organization!
+ end
+
+ def groups_and_projects
+ authorize_read_organization!
+ end
end
end
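Review bot: Authorization is called from inside the action bodies (`show`, `groups_and_projects`, `new`), which only works as long as nothing else is added to those actions. Unless `access_denied!` raises, any code placed after the call would still run for a denied user. Declaring the checks as callbacks halts the chain properly: `before_action :authorize_read_organization!, only: [:show, :groups_and_projects]` and `before_action :authorize_create_organization!, only: [:new]`. `skip_before_action :authenticate_user!, except: [:index, :new]` also makes any action added later anonymous by default; listing the anonymous actions with `only: [:show, :groups_and_projects]` fails closed. `index` has no permission check beyond login and the feature flag, which may be intended but is worth stating.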
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index 38839497fb6..d1ca16bd8fb 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -43,6 +43,7 @@ class PasswordsController < Devise::PasswordsController
resource.password_expires_at = nil
resource.save(validate: false) if resource.changed?
else
+ log_audit_reset_failure(@user)
track_weak_password_error(@user, self.class.name, 'create')
end
end
@@ -50,6 +51,9 @@ class PasswordsController < Devise::PasswordsController
protected
+ # overriden in EE
+ def log_audit_reset_failure(_user); end
+
def resource_from_email
email = resource_params[:email]
self.resource = resource_class.find_by_email(email)
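Review bot: The new `log_audit_reset_failure` hook is documented only by `# overriden in EE`, which is misspelled and does not say what an override is expected to record or what it receives. In this file the method body is empty, so the failed-reset branch in the earlier hunk produces no audit record here. I would replace the comment with something like `# No-op here; overridden in EE to audit a failed password reset. The argument is the controller's @user and may be nil.` The nil case is an assumption, since the code that sets `@user` is outside the hunk.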
diff --git a/app/controllers/profiles/notifications_controller.rb b/app/controllers/profiles/notifications_controller.rb
index 02f7dbf8e6f..57e5ca4d55a 100644
--- a/app/controllers/profiles/notifications_controller.rb
+++ b/app/controllers/profiles/notifications_controller.rb
@@ -25,7 +25,7 @@ class Profiles::NotificationsController < Profiles::ApplicationController
end
def user_params
- params.require(:user).permit(:notification_email, :email_opted_in, :notified_of_own_activity)
+ params.require(:user).permit(:notification_email, :notified_of_own_activity)
end
private
diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb
index 4b6e2f768fa..0e4d9f3c154 100644
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -61,6 +61,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
def set_index_vars
@scopes = Gitlab::Auth.available_scopes_for(current_user)
+ @scopes.delete(Gitlab::Auth::K8S_PROXY_SCOPE) unless Feature.enabled?(:k8s_proxy_pat, current_user)
@active_access_tokens = active_access_tokens
end
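Review bot: Deleting `K8S_PROXY_SCOPE` in `set_index_vars` only removes the scope from what the index page offers. Nothing in this hunk prevents a create request from submitting that scope while `k8s_proxy_pat` is disabled. If the flag is meant to gate issuance, the check belongs where requested scopes are validated, and that code is outside this hunk. Separately, `delete` mutates whatever array `available_scopes_for` returned, which matters if that array is memoized or shared; a non-mutating form such as `@scopes -= [Gitlab::Auth::K8S_PROXY_SCOPE] unless Feature.enabled?(:k8s_proxy_pat, current_user)` avoids it.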
diff --git a/app/controllers/profiles/preferences_controller.rb b/app/controllers/profiles/preferences_controller.rb
index 3e8555a4ed1..931070ecdd4 100644
--- a/app/controllers/profiles/preferences_controller.rb
+++ b/app/controllers/profiles/preferences_controller.rb
@@ -55,6 +55,7 @@ class Profiles::PreferencesController < Profiles::ApplicationController
:gitpod_enabled,
:render_whitespace_in_code,
:project_shortcut_buttons,
+ :keyboard_shortcuts_enabled,
:markdown_surround_selection,
:markdown_automatic_lists,
:use_new_navigation,
diff --git a/app/controllers/projects/alerting/notifications_controller.rb b/app/controllers/projects/alerting/notifications_controller.rb
index 281ac14d3ce..b596cd74b03 100644
--- a/app/controllers/projects/alerting/notifications_controller.rb
+++ b/app/controllers/projects/alerting/notifications_controller.rb
@@ -66,15 +66,11 @@ module Projects
def integration
AlertManagement::HttpIntegrationsFinder.new(
project,
- endpoint_identifier: endpoint_identifier,
+ endpoint_identifier: params[:endpoint_identifier],
active: true
).execute.first
end
- def endpoint_identifier
- params[:endpoint_identifier] || AlertManagement::HttpIntegration::LEGACY_IDENTIFIERS
- end
-
def notification_payload
@notification_payload ||= params.permit![:notification]
end
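Review bot: `params[:endpoint_identifier]` is now passed to `AlertManagement::HttpIntegrationsFinder` as received, so it can be nil when the route carries no identifier, or a non-string value. With the legacy fallback removed, the finder's handling of nil decides which record `.execute.first` returns. The finder is not visible here; if it skips the filter for nil, the request would be matched against an arbitrary active integration of the project. I would make the lookup explicit in `integration`, e.g. `identifier = params[:endpoint_identifier].to_s` followed by `return if identifier.blank?`, assuming callers already handle a nil integration, as they must when `.first` finds nothing.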
diff --git a/app/controllers/projects/commits_controller.rb b/app/controllers/projects/commits_controller.rb
index 94cd324f312..2d2712ebe4d 100644
--- a/app/controllers/projects/commits_controller.rb
+++ b/app/controllers/projects/commits_controller.rb
@@ -45,6 +45,8 @@ class Projects::CommitsController < Projects::ApplicationController
# rubocop: enable CodeReuse/ActiveRecord
def signatures
+ Gitlab::QueryLimiting.disable!('https://gitlab.com/gitlab-org/gitlab/-/issues/424527')
+
respond_to do |format|
format.json do
render json: {
diff --git a/app/controllers/projects/environments/sample_metrics_controller.rb b/app/controllers/projects/environments/sample_metrics_controller.rb
deleted file mode 100644
index 80344c83ab7..00000000000
--- a/app/controllers/projects/environments/sample_metrics_controller.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-class Projects::Environments::SampleMetricsController < Projects::ApplicationController
- feature_category :metrics
- urgency :low
-
- def query
- result = Metrics::SampleMetricsService.new(params[:identifier], range_start: params[:start], range_end: params[:end]).query
-
- if result
- render json: { "status": "success", "data": { "resultType": "matrix", "result": result } }
- else
- render_404
- end
- end
-end
diff --git a/app/controllers/projects/environments_controller.rb b/app/controllers/projects/environments_controller.rb
index 127fe40b0e3..aabea122fb6 100644
--- a/app/controllers/projects/environments_controller.rb
+++ b/app/controllers/projects/environments_controller.rb
@@ -8,14 +8,6 @@ class Projects::EnvironmentsController < Projects::ApplicationController
layout 'project'
- before_action only: [:show] do
- push_frontend_feature_flag(:environment_details_vue, @project)
- end
-
- before_action only: [:index, :edit, :new] do
- push_frontend_feature_flag(:flux_resource_for_environment)
- end
-
before_action :authorize_read_environment!
before_action :authorize_create_environment!, only: [:new, :create]
before_action :authorize_stop_environment!, only: [:stop]
@@ -113,10 +105,8 @@ class Projects::EnvironmentsController < Projects::ApplicationController
job = stop_actions.first if stop_actions&.count == 1
action_or_env_url =
- if job.instance_of?(::Ci::Build)
- polymorphic_url([project, job])
- elsif job.instance_of?(::Ci::Bridge)
- project_pipeline_url(project, job.pipeline_id)
+ if job
+ project_job_url(project, job)
else
project_environment_url(project, @environment)
end
diff --git a/app/controllers/projects/graphs_controller.rb b/app/controllers/projects/graphs_controller.rb
index e73e2a38149..fce7de4c0de 100644
--- a/app/controllers/projects/graphs_controller.rb
+++ b/app/controllers/projects/graphs_controller.rb
@@ -34,7 +34,7 @@ class Projects::GraphsController < Projects::ApplicationController
{
author_name: commit.author_name,
author_email: commit.author_email,
- date: commit.committed_date.strftime("%Y-%m-%d")
+ date: commit.committed_date.to_date.iso8601
}
end
diff --git a/app/controllers/projects/incidents_controller.rb b/app/controllers/projects/incidents_controller.rb
index 6109e29b169..69d349b1f1d 100644
--- a/app/controllers/projects/incidents_controller.rb
+++ b/app/controllers/projects/incidents_controller.rb
@@ -12,6 +12,7 @@ class Projects::IncidentsController < Projects::ApplicationController
push_force_frontend_feature_flag(:work_items_mvc_2, @project&.work_items_mvc_2_feature_flag_enabled?)
push_frontend_feature_flag(:moved_mr_sidebar, project)
push_frontend_feature_flag(:move_close_into_dropdown, project)
+ push_force_frontend_feature_flag(:linked_work_items, @project&.linked_work_items_feature_flag_enabled?)
end
feature_category :incident_management
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 83947c443f4..9abcc108ace 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -62,7 +62,6 @@ class Projects::IssuesController < Projects::ApplicationController
before_action only: [:index, :service_desk] do
push_frontend_feature_flag(:or_issuable_queries, project)
push_frontend_feature_flag(:frontend_caching, project&.group)
- push_frontend_feature_flag(:new_graphql_users_autocomplete, project)
end
before_action only: :show do
@@ -73,7 +72,7 @@ class Projects::IssuesController < Projects::ApplicationController
push_frontend_feature_flag(:epic_widget_edit_confirmation, project)
push_frontend_feature_flag(:moved_mr_sidebar, project)
push_frontend_feature_flag(:move_close_into_dropdown, project)
- push_frontend_feature_flag(:action_cable_notes, project)
+ push_force_frontend_feature_flag(:linked_work_items, project.linked_work_items_feature_flag_enabled?)
end
around_action :allow_gitaly_ref_name_caching, only: [:discussions]
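Review bot: The added `push_force_frontend_feature_flag(:linked_work_items, project.linked_work_items_feature_flag_enabled?)` dereferences `project` directly. The same call added elsewhere in this commit uses safe navigation (`@project&.` in the incidents and projects controllers, `project&.` in work items), and this file's own index filter uses `project&.group`. If `project` can never be nil in the `show` filter the difference is harmless, but for consistency I would write `project&.linked_work_items_feature_flag_enabled?` here too. The enclosing `before_action` block starts outside the hunk.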
@@ -114,12 +113,6 @@ class Projects::IssuesController < Projects::ApplicationController
respond_to do |format|
format.html
format.atom { render layout: 'xml' }
- format.json do
- render json: {
- html: view_to_html_string("projects/issues/_issues"),
- labels: @labels.as_json(methods: :text_color)
- }
- end
end
end
@@ -282,7 +275,6 @@ class Projects::IssuesController < Projects::ApplicationController
def service_desk
@issues = @issuables
- @users.push(User.support_bot)
end
protected
@@ -433,7 +425,7 @@ class Projects::IssuesController < Projects::ApplicationController
if service_desk?
options.reject! { |key| key == 'author_username' || key == 'author_id' }
- options[:author_id] = User.support_bot
+ options[:author_id] = Users::Internal.support_bot
end
options
diff --git a/app/controllers/projects/jobs_controller.rb b/app/controllers/projects/jobs_controller.rb
index 4e0b304a2ee..802ffd99e41 100644
--- a/app/controllers/projects/jobs_controller.rb
+++ b/app/controllers/projects/jobs_controller.rb
@@ -8,8 +8,8 @@ class Projects::JobsController < Projects::ApplicationController
urgency :low, [:index, :show, :trace, :retry, :play, :cancel, :unschedule, :erase, :raw]
- before_action :find_job_as_build, except: [:index, :play, :retry]
- before_action :find_job_as_processable, only: [:play, :retry]
+ before_action :find_job_as_build, except: [:index, :play, :retry, :show]
+ before_action :find_job_as_processable, only: [:play, :retry, :show]
before_action :authorize_read_build_trace!, only: [:trace, :raw]
before_action :authorize_read_build!
before_action :authorize_update_build!,
@@ -27,17 +27,13 @@ class Projects::JobsController < Projects::ApplicationController
feature_category :continuous_integration
urgency :low
- def index
- # We need all builds for tabs counters
- @all_builds = Ci::JobsFinder.new(current_user: current_user, project: @project).execute
-
- @scope = params[:scope]
- @builds = Ci::JobsFinder.new(current_user: current_user, project: @project, params: params).execute
- @builds = @builds.eager_load_everything
- @builds = @builds.page(params[:page]).per(30).without_count
- end
+ def index; end
def show
+ if @build.instance_of?(::Ci::Bridge)
+ redirect_to project_pipeline_path(@build.downstream_pipeline.project, @build.downstream_pipeline.id)
+ end
+
respond_to do |format|
format.html
format.json do
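Review bot: The new Bridge branch at the top of `show` calls `redirect_to` without returning, so control falls through into the `respond_to` block and the action tries to produce a second response, which Rails rejects as a double render. It also dereferences `@build.downstream_pipeline` twice with no nil check, so a bridge that has no downstream pipeline would raise instead of returning a clean 404. I would guard and return explicitly: `return render_404 unless @build.downstream_pipeline` followed by `return redirect_to project_pipeline_path(@build.downstream_pipeline.project, @build.downstream_pipeline.id)`, both inside the `instance_of?` check. The redirect target can belong to a different project than the one `authorize_read_build!` checked, so it relies on the pipelines controller to authorize the destination. The rest of `show` lies outside the hunk.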
@@ -74,6 +70,8 @@ class Projects::JobsController < Projects::ApplicationController
end
def retry
+ Gitlab::QueryLimiting.disable!('https://gitlab.com/gitlab-org/gitlab/-/issues/424184')
+
response = Ci::RetryJobService.new(project, current_user).execute(@build)
if response.success?
diff --git a/app/controllers/projects/labels_controller.rb b/app/controllers/projects/labels_controller.rb
index 67cff16a76b..e62f912e0f7 100644
--- a/app/controllers/projects/labels_controller.rb
+++ b/app/controllers/projects/labels_controller.rb
@@ -155,7 +155,10 @@ class Projects::LabelsController < Projects::ApplicationController
protected
def label_params
- params.require(:label).permit(:title, :description, :color)
+ allowed = [:title, :description, :color]
+ allowed << :lock_on_merge if @project.supports_lock_on_merge?
+
+ params.require(:label).permit(allowed)
end
def label
diff --git a/app/controllers/projects/merge_requests/application_controller.rb b/app/controllers/projects/merge_requests/application_controller.rb
index 6d1b1ced4eb..81ff6c215f9 100644
--- a/app/controllers/projects/merge_requests/application_controller.rb
+++ b/app/controllers/projects/merge_requests/application_controller.rb
@@ -14,6 +14,18 @@ class Projects::MergeRequests::ApplicationController < Projects::ApplicationCont
private
+ # Normally the methods with `check_(\w+)_available!` pattern are
+ # handled by the `method_missing` defined in `ProjectsController::ApplicationController`
+ # but that logic does not take the member roles into account, therefore, we handle this
+ # case here manually.
+ def check_merge_requests_available!
+ render_404 if project_policy.merge_requests_disabled?
+ end
+
+ def project_policy
+ ProjectPolicy.new(current_user, project)
+ end
+
def merge_request
@issuable =
@merge_request ||=
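Review bot: The comment above `check_merge_requests_available!` attributes the `method_missing` handling to `ProjectsController::ApplicationController`, but the hunk header shows this class inheriting from `Projects::ApplicationCont…`, so the name looks wrong and will mislead anyone searching for it. I would correct it to `# handled by the method_missing defined in Projects::ApplicationController`. It is also worth a one-line comment on `project_policy` saying why the policy is instantiated directly instead of going through `can?`. The method builds a new `ProjectPolicy` on every call, and whether that bypasses any caching done by the usual ability lookup cannot be seen from here.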
diff --git a/app/controllers/projects/merge_requests/conflicts_controller.rb b/app/controllers/projects/merge_requests/conflicts_controller.rb
index 66a358963e2..26f4286233a 100644
--- a/app/controllers/projects/merge_requests/conflicts_controller.rb
+++ b/app/controllers/projects/merge_requests/conflicts_controller.rb
@@ -67,7 +67,7 @@ class Projects::MergeRequests::ConflictsController < Projects::MergeRequests::Ap
flash[:notice] = _('All merge conflicts were resolved. The merge request can now be merged.')
- render json: { redirect_to: project_merge_request_url(@project, @merge_request, resolved_conflicts: true) }
+ render json: { redirect_to: project_merge_request_path(@project, @merge_request, resolved_conflicts: true) }
rescue Gitlab::Git::Conflict::Resolver::ResolutionError => e
render status: :bad_request, json: { message: e.message }
end
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index 30168558eff..53fd7256b19 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -45,12 +45,10 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
push_frontend_feature_flag(:sast_reports_in_inline_diff, project)
push_frontend_feature_flag(:mr_experience_survey, project)
push_frontend_feature_flag(:saved_replies, current_user)
- push_frontend_feature_flag(:code_quality_inline_drawer, project)
push_force_frontend_feature_flag(:summarize_my_code_review, summarize_my_code_review_enabled?)
push_frontend_feature_flag(:mr_activity_filters, current_user)
- push_frontend_feature_flag(:review_apps_redeploy_mr_widget, project)
push_frontend_feature_flag(:ci_job_failures_in_mr, project)
- push_frontend_feature_flag(:action_cable_notes, project)
+ push_frontend_feature_flag(:mr_pipelines_graphql, project)
end
before_action only: [:edit] do
@@ -106,11 +104,6 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
respond_to do |format|
format.html
format.atom { render layout: 'xml' }
- format.json do
- render json: {
- html: view_to_html_string("projects/merge_requests/_merge_requests")
- }
- end
end
end
@@ -389,20 +382,10 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
private
- # NOTE: Remove this disable with add_prepared_state_to_mr FF removal
- # rubocop: disable Metrics/AbcSize
def show_merge_request
close_merge_request_if_no_source_project
@merge_request.check_mergeability(async: true)
- # NOTE: Remove the created_at check when removing the FF check
- if ::Feature.enabled?(:add_prepared_state_to_mr, @merge_request.project) &&
- @merge_request.created_at < 5.minutes.ago &&
- !@merge_request.prepared?
-
- @merge_request.prepare
- end
-
respond_to do |format|
format.html do
# use next to appease Rubocop
@@ -446,7 +429,6 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
end
end
end
- # rubocop: enable Metrics/AbcSize
def render_html_page
preload_assignees_for_render(@merge_request)
diff --git a/app/controllers/projects/mirrors_controller.rb b/app/controllers/projects/mirrors_controller.rb
index acbd26cbdf6..a24273488fb 100644
--- a/app/controllers/projects/mirrors_controller.rb
+++ b/app/controllers/projects/mirrors_controller.rb
@@ -81,6 +81,7 @@ class Projects::MirrorsController < Projects::ApplicationController
only_protected_branches
keep_divergent_refs
auth_method
+ user
password
ssh_known_hosts
regenerate_ssh_private_key
diff --git a/app/controllers/projects/notes_controller.rb b/app/controllers/projects/notes_controller.rb
index 7fcdf220bd2..3d8a787afcb 100644
--- a/app/controllers/projects/notes_controller.rb
+++ b/app/controllers/projects/notes_controller.rb
@@ -14,8 +14,7 @@ class Projects::NotesController < Projects::ApplicationController
feature_category :team_planning, [:index, :create, :update, :destroy, :delete_attachment, :toggle_award_emoji]
feature_category :code_review_workflow, [:resolve, :unresolve, :outdated_line_change]
- urgency :medium, [:index]
- urgency :low, [:create, :update, :destroy, :resolve, :unresolve, :toggle_award_emoji, :outdated_line_change]
+ urgency :low
override :feature_category
def feature_category
diff --git a/app/controllers/projects/pages_controller.rb b/app/controllers/projects/pages_controller.rb
index 02579cd4283..5b32eb8e58e 100644
--- a/app/controllers/projects/pages_controller.rb
+++ b/app/controllers/projects/pages_controller.rb
@@ -65,7 +65,15 @@ class Projects::PagesController < Projects::ApplicationController
end
def project_params_attributes
- [:pages_https_only, { project_setting_attributes: [:pages_unique_domain_enabled] }]
+ [
+ :pages_https_only,
+ { project_setting_attributes: project_setting_attributes }
+ ]
+ end
+
+ # overridden in EE
+ def project_setting_attributes
+ [:pages_unique_domain_enabled]
end
end
diff --git a/app/controllers/projects/pipeline_schedules_controller.rb b/app/controllers/projects/pipeline_schedules_controller.rb
index 42b6d83ee85..83a64579446 100644
--- a/app/controllers/projects/pipeline_schedules_controller.rb
+++ b/app/controllers/projects/pipeline_schedules_controller.rb
@@ -9,7 +9,6 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
before_action :authorize_create_pipeline_schedule!, only: [:new, :create]
before_action :authorize_update_pipeline_schedule!, only: [:edit, :update]
before_action :authorize_admin_pipeline_schedule!, only: [:take_ownership, :destroy]
- before_action :push_schedule_feature_flag, only: [:index, :new, :edit]
feature_category :continuous_integration
urgency :low
@@ -120,8 +119,4 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
def authorize_admin_pipeline_schedule!
return access_denied! unless can?(current_user, :admin_pipeline_schedule, schedule)
end
-
- def push_schedule_feature_flag
- push_frontend_feature_flag(:pipeline_schedules_vue, @project)
- end
end
diff --git a/app/controllers/projects/pipelines/tests_controller.rb b/app/controllers/projects/pipelines/tests_controller.rb
index d77cf095a4f..4b522c88023 100644
--- a/app/controllers/projects/pipelines/tests_controller.rb
+++ b/app/controllers/projects/pipelines/tests_controller.rb
@@ -50,7 +50,7 @@ module Projects
end
def test_suite
- suite = builds.sum do |build|
+ suite = builds.sum(Gitlab::Ci::Reports::TestSuite.new) do |build|
test_report = build.collect_test_reports!(Gitlab::Ci::Reports::TestReport.new)
test_report.get_suite(build.test_suite_name)
end
diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb
index a96ee2215c2..036ea45cc78 100644
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -3,7 +3,6 @@
class Projects::PipelinesController < Projects::ApplicationController
include ::Gitlab::Utils::StrongMemoize
include ProductAnalyticsTracking
- include ProductAnalyticsTracking
include ProjectStatsRefreshConflictsGuard
urgency :low, [
@@ -34,9 +33,9 @@ class Projects::PipelinesController < Projects::ApplicationController
label: 'redis_hll_counters.analytics.analytics_total_unique_counts_monthly',
destinations: %i[redis_hll snowplow]
- track_event :charts, name: 'p_analytics_ci_cd_pipelines', conditions: -> { should_track_ci_cd_pipelines? }
- track_event :charts, name: 'p_analytics_ci_cd_deployment_frequency', conditions: -> { should_track_ci_cd_deployment_frequency? }
- track_event :charts, name: 'p_analytics_ci_cd_lead_time', conditions: -> { should_track_ci_cd_lead_time? }
+ track_internal_event :charts, name: 'p_analytics_ci_cd_pipelines', conditions: -> { should_track_ci_cd_pipelines? }
+ track_internal_event :charts, name: 'p_analytics_ci_cd_deployment_frequency', conditions: -> { should_track_ci_cd_deployment_frequency? }
+ track_internal_event :charts, name: 'p_analytics_ci_cd_lead_time', conditions: -> { should_track_ci_cd_lead_time? }
track_event :charts, name: 'p_analytics_ci_cd_time_to_restore_service', conditions: -> { should_track_ci_cd_time_to_restore_service? }
track_event :charts, name: 'p_analytics_ci_cd_change_failure_rate', conditions: -> { should_track_ci_cd_change_failure_rate? }
diff --git a/app/controllers/projects/prometheus/alerts_controller.rb b/app/controllers/projects/prometheus/alerts_controller.rb
deleted file mode 100644
index 80a8dbf4729..00000000000
--- a/app/controllers/projects/prometheus/alerts_controller.rb
+++ /dev/null
@@ -1,43 +0,0 @@
-# frozen_string_literal: true
-
-module Projects
- module Prometheus
- class AlertsController < Projects::ApplicationController
- respond_to :json
-
- protect_from_forgery except: [:notify]
-
- skip_before_action :project, only: [:notify]
-
- prepend_before_action :repository, :project_without_auth, only: [:notify]
-
- before_action :authorize_read_prometheus_alerts!, except: [:notify]
-
- feature_category :incident_management
- urgency :low
-
- def notify
- token = extract_alert_manager_token(request)
- result = notify_service.execute(token)
-
- head result.http_status
- end
-
- private
-
- def notify_service
- Projects::Prometheus::Alerts::NotifyService
- .new(project, params.permit!)
- end
-
- def extract_alert_manager_token(request)
- Doorkeeper::OAuth::Token.from_bearer_authorization(request)
- end
-
- def project_without_auth
- @project ||= Project
- .find_by_full_path("#{params[:namespace_id]}/#{params[:project_id]}")
- end
- end
- end
-end
diff --git a/app/controllers/projects/service_desk_controller.rb b/app/controllers/projects/service_desk_controller.rb
index b1e30e7a45b..ca3cecf5949 100644
--- a/app/controllers/projects/service_desk_controller.rb
+++ b/app/controllers/projects/service_desk_controller.rb
@@ -36,7 +36,7 @@ class Projects::ServiceDeskController < Projects::ApplicationController
service_desk_settings = project.service_desk_setting
{
- service_desk_address: project.service_desk_address,
+ service_desk_address: project.service_desk_system_address,
service_desk_enabled: project.service_desk_enabled,
issue_template_key: service_desk_settings&.issue_template_key,
template_file_missing: service_desk_settings&.issue_template_missing?,
diff --git a/app/controllers/projects/tracing_controller.rb b/app/controllers/projects/tracing_controller.rb
deleted file mode 100644
index 45e773bf62b..00000000000
--- a/app/controllers/projects/tracing_controller.rb
+++ /dev/null
@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-module Projects
- class TracingController < Projects::ApplicationController
- include ::Observability::ContentSecurityPolicy
-
- feature_category :tracing
-
- before_action :check_tracing_enabled
-
- def index; end
-
- def show
- @trace_id = params[:id]
- end
-
- private
-
- def check_tracing_enabled
- render_404 unless Gitlab::Observability.tracing_enabled?(project)
- end
- end
-end
diff --git a/app/controllers/projects/work_items_controller.rb b/app/controllers/projects/work_items_controller.rb
index 7da31c199a1..c3986be31b0 100644
--- a/app/controllers/projects/work_items_controller.rb
+++ b/app/controllers/projects/work_items_controller.rb
@@ -12,6 +12,7 @@ class Projects::WorkItemsController < Projects::ApplicationController
push_force_frontend_feature_flag(:work_items_mvc, project&.work_items_mvc_feature_flag_enabled?)
push_force_frontend_feature_flag(:work_items_mvc_2, project&.work_items_mvc_2_feature_flag_enabled?)
push_force_frontend_feature_flag(:saved_replies, current_user)
+ push_force_frontend_feature_flag(:linked_work_items, project&.linked_work_items_feature_flag_enabled?)
end
feature_category :team_planning
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 2ad0f11dc91..6a246219f7d 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -46,6 +46,7 @@ class ProjectsController < Projects::ApplicationController
push_force_frontend_feature_flag(:work_items, @project&.work_items_feature_flag_enabled?)
push_force_frontend_feature_flag(:work_items_mvc, @project&.work_items_mvc_feature_flag_enabled?)
push_force_frontend_feature_flag(:work_items_mvc_2, @project&.work_items_mvc_2_feature_flag_enabled?)
+ push_force_frontend_feature_flag(:linked_work_items, @project&.linked_work_items_feature_flag_enabled?)
end
layout :determine_layout
diff --git a/app/controllers/pwa_controller.rb b/app/controllers/pwa_controller.rb
index bb47bdc8050..8de1b10e1f1 100644
--- a/app/controllers/pwa_controller.rb
+++ b/app/controllers/pwa_controller.rb
@@ -6,7 +6,7 @@ class PwaController < ApplicationController # rubocop:disable Gitlab/NamespacedC
feature_category :navigation
urgency :low
- skip_before_action :authenticate_user!, :required_signup_info
+ skip_before_action :authenticate_user!
def manifest
end
diff --git a/app/controllers/registrations/welcome_controller.rb b/app/controllers/registrations/welcome_controller.rb
index 68f8248d114..f7a601ec0bd 100644
--- a/app/controllers/registrations/welcome_controller.rb
+++ b/app/controllers/registrations/welcome_controller.rb
@@ -8,7 +8,9 @@ module Registrations
include ::Gitlab::Utils::StrongMemoize
layout 'minimal'
- skip_before_action :required_signup_info, :check_two_factor_requirement
+ # TODO: Once this is an ee + SaaS only feature, we can remove this.
+ # To be completed in https://gitlab.com/gitlab-org/gitlab/-/issues/411858
+ skip_before_action :check_two_factor_requirement
helper_method :welcome_update_params
helper_method :onboarding_status
@@ -43,7 +45,7 @@ module Registrations
end
def completed_welcome_step?
- current_user.role.present? && !current_user.setup_for_company.nil?
+ !current_user.setup_for_company.nil?
end
def update_params
@@ -61,9 +63,7 @@ module Registrations
end
def update_success_path
- if onboarding_status.invite_with_tasks_to_be_done?
- issues_dashboard_path(assignee_username: current_user.username)
- elsif onboarding_status.continue_full_onboarding? # trials/regular registration on .com
+ if onboarding_status.continue_full_onboarding? # trials/regular registration on .com
signup_onboarding_path
elsif onboarding_status.single_invite? # invites w/o tasks due to order
flash[:notice] = helpers.invite_accepted_notice(onboarding_status.last_invited_member)
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index d8064bbbe82..a8b5ca81f49 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -12,6 +12,8 @@ class RegistrationsController < Devise::RegistrationsController
include PreferredLanguageSwitcher
include Gitlab::Tracking::Helpers::WeakPasswordErrorEvent
include SkipsAlreadySignedInMessage
+ include Gitlab::RackLoadBalancingHelpers
+ include ::Gitlab::Utils::StrongMemoize
layout 'devise'
@@ -46,7 +48,6 @@ class RegistrationsController < Devise::RegistrationsController
accept_pending_invitations if new_user.persisted?
persist_accepted_terms_if_required(new_user)
- set_role_required(new_user)
send_custom_confirmation_instructions
track_weak_password_error(new_user, self.class.name, 'create')
@@ -89,10 +90,6 @@ class RegistrationsController < Devise::RegistrationsController
Users::RespondToTermsService.new(new_user, terms).execute(accepted: true)
end
- def set_role_required(new_user)
- new_user.set_role_required! if new_user.persisted?
- end
-
def destroy_confirmation_valid?
if current_user.confirm_deletion_with_password?
current_user.valid_password?(params[:password])
@@ -138,7 +135,7 @@ class RegistrationsController < Devise::RegistrationsController
if identity_verification_enabled?
session[:verification_user_id] = resource.id # This is needed to find the user on the identity verification page
- User.sticking.stick_or_unstick_request(request.env, :user, resource.id)
+ load_balancer_stick_request(::User, :user, resource.id)
return identity_verification_redirect_path
end
@@ -251,6 +248,7 @@ class RegistrationsController < Devise::RegistrationsController
sign_up_params[:email] == invite_email
end
+ strong_memoize_attr :registered_with_invite_email?
def load_recaptcha
Gitlab::Recaptcha.load_configurations!
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 6c1d9a20570..d247490402f 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -35,10 +35,6 @@ class SearchController < ApplicationController
update_scope_for_code_search
end
- before_action only: :show do
- push_frontend_feature_flag(:search_projects_hide_archived, current_user)
- end
-
rescue_from ActiveRecord::QueryCanceled, with: :render_timeout
layout 'search'
diff --git a/app/controllers/sent_notifications_controller.rb b/app/controllers/sent_notifications_controller.rb
index 6c5e709a98a..4f61088ab17 100644
--- a/app/controllers/sent_notifications_controller.rb
+++ b/app/controllers/sent_notifications_controller.rb
@@ -29,7 +29,7 @@ class SentNotificationsController < ApplicationController
def unsubscribe_and_redirect
noteable.unsubscribe(@sent_notification.recipient, @sent_notification.project)
- if noteable.is_a?(Issue) && @sent_notification.recipient_id == User.support_bot.id
+ if noteable.is_a?(Issue) && @sent_notification.recipient_id == Users::Internal.support_bot.id
noteable.unsubscribe_email_participant(noteable.external_author)
end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 66ace16400a..afbadc7f4ac 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -16,6 +16,8 @@ class SessionsController < Devise::SessionsController
include GoogleSyndicationCSP
include PreferredLanguageSwitcher
include SkipsAlreadySignedInMessage
+ include AcceptsPendingInvitations
+ extend ::Gitlab::Utils::Override
skip_before_action :check_two_factor_requirement, only: [:destroy]
skip_before_action :check_password_expiration, only: [:destroy]
@@ -78,6 +80,8 @@ class SessionsController < Devise::SessionsController
flash[:notice] = nil
end
+ accept_pending_invitations
+
log_audit_event(current_user, resource, with: authentication_method)
log_user_activity(current_user)
end
@@ -94,6 +98,13 @@ class SessionsController < Devise::SessionsController
private
+ override :after_pending_invitations_hook
+ def after_pending_invitations_hook
+ member = resource.members.last
+
+ store_location_for(:user, member.source.activity_path) if member
+ end
+
def captcha_enabled?
request.headers[CAPTCHA_HEADER] && helpers.recaptcha_enabled?
end
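Review bot: In `after_pending_invitations_hook`, `resource.members.last` selects the user's last membership row by default ordering, which is not necessarily an invitation accepted during this sign-in. If the concern calls the hook even when nothing was accepted (its definition is outside this diff), every login would overwrite the stored return location with that membership's `activity_path`, discarding the page the user was originally sent to authenticate for. I would restrict the lookup to the memberships just accepted, or have the concern pass them to the hook. A short comment stating when the hook fires and why it overrides the stored location would also help.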
diff --git a/app/controllers/users/namespace_visits_controller.rb b/app/controllers/users/namespace_visits_controller.rb
new file mode 100644
index 00000000000..7c96d78e26e
--- /dev/null
+++ b/app/controllers/users/namespace_visits_controller.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Users
+ class NamespaceVisitsController < ApplicationController
+ feature_category :navigation
+
+ def create
+ return head :not_found unless Feature.enabled?(:server_side_frecent_namespaces, current_user)
+ return head :bad_request unless params[:type].present? && params[:id].present?
+
+ Users::TrackNamespaceVisitsWorker.perform_async(params[:type], params[:id], current_user.id, DateTime.now) # rubocop:disable CodeReuse/Worker
+ head :ok
+ end
+ end
+end
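Review bot: `create` forwards `params[:type]` and `params[:id]` to `Users::TrackNamespaceVisitsWorker.perform_async` after only a `present?` check. The type is not restricted to the values the worker supports, the id is not checked to be numeric, and either may arrive as an array or nested hash, which does not serialize as a plain job argument. Nothing here confirms that `current_user` can read the namespace being recorded, so confirm the worker or service performs that check before persisting. I would tighten the guard to `return head :bad_request unless params[:type].is_a?(String) && params[:id].to_s.match?(/\A\d+\z/)` and compare the type against the worker's accepted list. `DateTime.now` is also passed as a job argument; job arguments should be JSON-native, so a string such as `Time.current.iso8601` is safer, if the worker parses it. The endpoint has no visible rate limit, so each request enqueues a job.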