authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2021-04-28 10:28:43 +0300
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2021-04-28 10:28:43 +0300
commitbbdea2d94d2d87b366fe8e023dcc76c78cfe2375 (patch)
treeb9a1c84456ffdd0a9671d5eba849866b2f5ca09a /app
parent2fad41087674984a064cf6a312ac34c16bb2a1aa (diff)
parentd8d57a90208c62b29e5218f97525404859232a55 (diff)
Merge remote-tracking branch 'dev/13-11-stable' into 13-11-stable
Diffstat (limited to 'app')
-rw-r--r--app/controllers/concerns/sessionless_authentication.rb6
-rw-r--r--app/controllers/graphql_controller.rb8
-rw-r--r--app/controllers/projects/branches_controller.rb2
-rw-r--r--app/graphql/mutations/base_mutation.rb13
-rw-r--r--app/policies/global_policy.rb4
-rw-r--r--app/services/auth/dependency_proxy_authentication_service.rb5
-rw-r--r--app/services/issues/base_service.rb4
-rw-r--r--app/services/projects/branches_by_mode_service.rb2
-rw-r--r--app/views/projects/mirrors/_authentication_method.html.haml2
9 files changed, 37 insertions, 9 deletions
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb
index 882fef7a342..3c8a683439a 100644
--- a/app/controllers/concerns/sessionless_authentication.rb
+++ b/app/controllers/concerns/sessionless_authentication.rb
@@ -7,11 +7,15 @@
module SessionlessAuthentication
# This filter handles personal access tokens, atom requests with rss tokens, and static object tokens
def authenticate_sessionless_user!(request_format)
- user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format)
+ user = request_authenticator.find_sessionless_user(request_format)
sessionless_sign_in(user) if user
end
+ def request_authenticator
+ @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(request)
+ end
+
def sessionless_user?
current_user && !session.key?('warden.user.user.key')
end
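Review bot: `request_authenticator` at the `+` lines is added without a comment and, as far as the hunk shows, as a public method of the concern (whether a `private` marker precedes it is outside the hunk); its job is to memoize one `Gitlab::Auth::RequestAuthenticator` per request so that later callers see the same lookup `authenticate_sessionless_user!` used. A comment such as `# Memoized so other callers within the request (e.g. the GraphQL context) reuse the same authenticator` would record that, and if the module's helpers are meant to stay internal, `private :request_authenticator` after the definition contains it. The SessionlessAuthentication module body continues outside the hunk.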
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index a13ec1daddb..38bfb5ef2f8 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -110,7 +110,13 @@ class GraphqlController < ApplicationController
end
def context
- @context ||= { current_user: current_user, is_sessionless_user: !!sessionless_user?, request: request }
+ api_user = !!sessionless_user?
+ @context ||= {
+ current_user: current_user,
+ is_sessionless_user: api_user,
+ request: request,
+ scope_validator: ::Gitlab::Auth::ScopeValidator.new(api_user, request_authenticator)
+ }
end
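Review bot: `api_user = !!sessionless_user?` is evaluated on every call to `context`, because the assignment sits outside the `@context ||=` guard, and the name reads as a user object although it holds a boolean. Moving the computation inside a memoized `begin … end` block and naming it for what it is keeps the method to a single evaluation and makes the `ScopeValidator.new(…, request_authenticator)` call self-explanatory. `request_authenticator` is presumably the helper this commit adds to SessionlessAuthentication; the hunk does not show where it is included, so that should be confirmed.
```ruby
def context
  @context ||= begin
    sessionless = !!sessionless_user?
    {
      current_user: current_user,
      is_sessionless_user: sessionless,
      request: request,
      scope_validator: ::Gitlab::Auth::ScopeValidator.new(sessionless, request_authenticator)
    }
  end
end
```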
def build_variables(variable_info)
diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb
index f522dffdf3e..5006aa75ce5 100644
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -185,7 +185,7 @@ class Projects::BranchesController < Projects::ApplicationController
# Here we get one more branch to indicate if there are more data we're not showing
limit = @overview_max_branches + 1
- if Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: true)
+ if Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml)
@active_branches =
BranchesFinder.new(@repository, { per_page: limit, sort: sort_value_recently_updated })
.execute(gitaly_pagination: true).select(&:active?)
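Review bot: `default_enabled: :yaml` at the `+` line moves the flag's default out of this call and into the flag's definition file, which is not part of this `app`-limited diff, so the effective default cannot be confirmed from here; the same change appears in `app/services/projects/branches_by_mode_service.rb` later in this commit. If the definition file carries `default_enabled: true` the behaviour is unchanged; if it does not, keyset pagination is silently switched off for the branch list. The definition file should be checked alongside this change.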
diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb
index 1f18a37fcb9..da658e1f108 100644
--- a/app/graphql/mutations/base_mutation.rb
+++ b/app/graphql/mutations/base_mutation.rb
@@ -44,9 +44,18 @@ module Mutations
end
end
+ def self.authorizes_object?
+ true
+ end
+
def self.authorized?(object, context)
- # we never provide an object to mutations, but we do need to have a user.
- context[:current_user].present? && !context[:current_user].blocked?
+ auth = ::Gitlab::Graphql::Authorize::ObjectAuthorization.new(:execute_graphql_mutation, :api)
+
+ return true if auth.ok?(:global, context[:current_user],
+ scope_validator: context[:scope_validator])
+
+ # in our mutations we raise, rather than returning a null value.
+ raise_resource_not_available_error!
end
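Review bot: The explanatory comment removed at the `-` lines (`we never provide an object to mutations, but we do need to have a user`) is the reasoning that makes the new `:global` subject understandable, and nothing in the new code restates it. A comment above the `auth =` line, e.g. `# Mutations have no object to authorize against, so the ability is checked on the global policy; :api is the scope a token-based request must carry`, would keep it — whether `:api` denotes the required token scope is inferred from the argument and should be confirmed. `authorizes_object?` likewise returns `true` with no explanation; a one-line comment stating that it tells the GraphQL layer this class performs its own authorization would help. Whether `raise_resource_not_available_error!` is available at class level is not visible here, as the enclosing module continues outside the hunk.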
# See: AuthorizeResource#authorized_resource?
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 5ee34ebbb2f..d16c4734b2c 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -23,6 +23,7 @@ class GlobalPolicy < BasePolicy
prevent :receive_notifications
prevent :use_quick_actions
prevent :create_group
+ prevent :execute_graphql_mutation
end
rule { default }.policy do
@@ -32,6 +33,7 @@ class GlobalPolicy < BasePolicy
enable :receive_notifications
enable :use_quick_actions
enable :use_slash_commands
+ enable :execute_graphql_mutation
end
rule { inactive }.policy do
@@ -48,6 +50,8 @@ class GlobalPolicy < BasePolicy
prevent :use_slash_commands
end
+ rule { ~can?(:access_api) }.prevent :execute_graphql_mutation
+
rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do
prevent :access_git
end
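Review bot: The new `rule { ~can?(:access_api) }.prevent :execute_graphql_mutation` line carries no comment, and its interplay with the `enable :execute_graphql_mutation` added to the `default` rule in the earlier hunk of this file is the whole point: a principal that cannot use the API loses the ability regardless of the default grant. A comment such as `# GraphQL mutations require API access; this prevent overrides the enable in the default rule` would document that. The first hunk's `prevent :execute_graphql_mutation` sits inside a rule whose name begins outside the hunk, so which actor it restricts is not visible here.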
diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb
index 1b8c16b7c79..fab42e0ebb6 100644
--- a/app/services/auth/dependency_proxy_authentication_service.rb
+++ b/app/services/auth/dependency_proxy_authentication_service.rb
@@ -8,7 +8,10 @@ module Auth
def execute(authentication_abilities:)
return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled
- return error('access forbidden', 403) unless current_user
+
+ # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this
+ # JWT only as `User.find`, we currently only allow User (not DeployToken, etc)
+ return error('access forbidden', 403) unless current_user.is_a?(User)
{ token: authorized_token.encoded }
end
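Review bot: The comment at the `+` lines says `we currently only allow User` but leaves no marker for when that restriction should be revisited; phrasing it as a `# TODO:` that names the consumer, e.g. `# TODO: accept DeployToken once dependency_proxy/auth.rb resolves the JWT to more than User.find`, keeps the dependency between the two files discoverable. The `is_a?(User)` check itself is the right shape here — an explicit allowlist of the principal type that also rejects `nil` — so duck typing would not be an improvement in this case. The `execute` method's enclosing module continues outside the hunk.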
diff --git a/app/services/issues/base_service.rb b/app/services/issues/base_service.rb
index 87615d1b4f2..07e4a10708e 100644
--- a/app/services/issues/base_service.rb
+++ b/app/services/issues/base_service.rb
@@ -34,7 +34,7 @@ module Issues
private
- def filter_params(merge_request)
+ def filter_params(issue)
super
moved_issue = params.delete(:moved_issue)
@@ -44,6 +44,8 @@ module Issues
params.delete(:iid) unless current_user.can?(:set_issue_iid, project)
params.delete(:created_at) unless moved_issue || current_user.can?(:set_issue_created_at, project)
params.delete(:updated_at) unless moved_issue || current_user.can?(:set_issue_updated_at, project)
+
+ issue.system_note_timestamp = params[:created_at] || params[:updated_at]
end
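Review bot: `issue.system_note_timestamp = params[:created_at] || params[:updated_at]` assigns `nil` whenever both keys were deleted by the preceding permission checks, which would clear any timestamp a caller set earlier on the issue; if nothing upstream sets it, this is harmless, but that is not visible from the hunk. A guarded form keeps the attribute untouched in that case: `timestamp = params[:created_at] || params[:updated_at]` followed by `issue.system_note_timestamp = timestamp if timestamp`. Placing the assignment after the `params.delete` lines is correct, since only timestamps the current user may set (or a moved issue carries) reach the system note. The first hunk of this file only renames the parameter from `merge_request` to `issue`, and `filter_params` starts there, outside this hunk.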
def create_assignee_note(issue, old_assignees)
diff --git a/app/services/projects/branches_by_mode_service.rb b/app/services/projects/branches_by_mode_service.rb
index dbdcef066f4..090671cc79a 100644
--- a/app/services/projects/branches_by_mode_service.rb
+++ b/app/services/projects/branches_by_mode_service.rb
@@ -37,7 +37,7 @@ class Projects::BranchesByModeService
def use_gitaly_pagination?
return false if params[:page].present? || params[:search].present?
- Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: true)
+ Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml)
end
def fetch_branches_via_offset_pagination
diff --git a/app/views/projects/mirrors/_authentication_method.html.haml b/app/views/projects/mirrors/_authentication_method.html.haml
index 94f8703657b..5f31ec4087e 100644
--- a/app/views/projects/mirrors/_authentication_method.html.haml
+++ b/app/views/projects/mirrors/_authentication_method.html.haml
@@ -13,4 +13,4 @@
.form-group
.well-password-auth.collapse.js-well-password-auth
= f.label :password, _("Password"), class: "label-bold"
- = f.password_field :password, value: mirror.password, class: 'form-control gl-form-input qa-password', autocomplete: 'new-password'
+ = f.password_field :password, class: 'form-control gl-form-input qa-password', autocomplete: 'new-password'
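Review bot: Dropping `value: mirror.password` stops the stored mirror credential from being rendered into the page source, but the field now submits empty on every save unless the update path treats a blank `password` as "keep the current value"; that handling is outside this diff and should be confirmed. A HAML comment in the partial, e.g. `-# Never prefilled: the stored password must not reach the browser; blank means keep the existing one`, would make the contract explicit for the next editor.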