authorGitLab Bot <gitlab-bot@gitlab.com>2019-09-28 03:06:20 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2019-09-28 03:06:20 +0300
commite08eba1838cb749b8815c7da98a504ff97bcfb98 (patch)
tree0172bc4d205f59dd6f3722b27d53e6aa8abb5825 /app
parentd4633b0e70ec39583ce0b13f277f990b216ac0d9 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb4
-rw-r--r--app/controllers/projects/lfs_api_controller.rb17
-rw-r--r--app/models/ci/artifact_blob.rb2
-rw-r--r--app/models/user.rb4
4 files changed, 21 insertions, 6 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 224ce75c83f..ad242a078ad 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -288,9 +288,7 @@ class ApplicationController < ActionController::Base
def check_password_expiration
return if session[:impersonator_id] || !current_user&.allow_password_authentication?
- password_expires_at = current_user&.password_expires_at
-
- if password_expires_at && password_expires_at < Time.now
+ if current_user&.password_expired?
return redirect_to new_profile_password_path
end
end
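Review bot: The safe navigation in `if current_user&.password_expired?` is redundant, because the guard on the line above already returns when `current_user` is nil (`!current_user&.allow_password_authentication?` is true for nil). Writing `if current_user.password_expired?` behaves the same and does not suggest that an unauthenticated request can reach the redirect. Readers of an expiry check should be able to see at a glance which callers it applies to.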
diff --git a/app/controllers/projects/lfs_api_controller.rb b/app/controllers/projects/lfs_api_controller.rb
index 739f7a2437e..a1983bc5462 100644
--- a/app/controllers/projects/lfs_api_controller.rb
+++ b/app/controllers/projects/lfs_api_controller.rb
@@ -2,6 +2,7 @@
class Projects::LfsApiController < Projects::GitHttpClientController
include LfsRequest
+ include Gitlab::Utils::StrongMemoize
LFS_TRANSFER_CONTENT_TYPE = 'application/octet-stream'
@@ -81,7 +82,7 @@ class Projects::LfsApiController < Projects::GitHttpClientController
download: {
href: "#{project.http_url_to_repo}/gitlab-lfs/objects/#{object[:oid]}",
header: {
- Authorization: request.headers['Authorization']
+ Authorization: authorization_header
}.compact
}
}
@@ -92,7 +93,7 @@ class Projects::LfsApiController < Projects::GitHttpClientController
upload: {
href: "#{project.http_url_to_repo}/gitlab-lfs/objects/#{object[:oid]}/#{object[:size]}",
header: {
- Authorization: request.headers['Authorization'],
+ Authorization: authorization_header,
# git-lfs v2.5.0 sets the Content-Type based on the uploaded file. This
# ensures that Workhorse can intercept the request.
'Content-Type': LFS_TRANSFER_CONTENT_TYPE
@@ -122,6 +123,18 @@ class Projects::LfsApiController < Projects::GitHttpClientController
def lfs_read_only_message
_('You cannot write to this read-only GitLab instance.')
end
+
+ def authorization_header
+ strong_memoize(:authorization_header) do
+ lfs_auth_header || request.headers['Authorization']
+ end
+ end
+
+ def lfs_auth_header
+ return unless user.is_a?(User)
+
+ Gitlab::LfsToken.new(user).basic_encoding
+ end
end
Projects::LfsApiController.prepend_if_ee('EE::Projects::LfsApiController')
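Review bot: `lfs_auth_header` builds a token only when `user.is_a?(User)`, so for every other actor `authorization_header` still copies `request.headers['Authorization']` into the batch response body, and both the `download` and `upload` hunks above use it. Nothing in the new methods says whether that fallback is intended, and the hunk does not show which actor types reach this controller. A comment on `authorization_header` would settle it, e.g. `# Return an LFS token instead of echoing the caller's credential; non-User actors keep the request header.` A request spec asserting that the `Authorization` value returned to a `User` differs from the one sent would pin the behaviour. The class body starts outside the hunk.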
diff --git a/app/models/ci/artifact_blob.rb b/app/models/ci/artifact_blob.rb
index ef00ad75683..76d4b9d6206 100644
--- a/app/models/ci/artifact_blob.rb
+++ b/app/models/ci/artifact_blob.rb
@@ -53,7 +53,7 @@ module Ci
pages_config.enabled &&
pages_config.artifacts_server &&
EXTENSIONS_SERVED_BY_PAGES.include?(File.extname(name)) &&
- job.project.public?
+ (pages_config.access_control || job.project.public?)
end
private
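Review bot: With `(pages_config.access_control || job.project.public?)` the external Pages link is now produced for non-public projects whenever the instance-level `access_control` setting is on. Confidentiality of those artifacts then rests on the Pages service authorizing each request, since the predicate checks only the configuration flag. That dependency deserves a comment above the condition, e.g. `# Non-public projects are linked only when Pages access control is enabled; Pages must then authorize the artifact request.` The enclosing method starts outside the hunk, so its name and any earlier guards are not visible here.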
diff --git a/app/models/user.rb b/app/models/user.rb
index 66defb4c707..5711162aa1a 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1519,6 +1519,10 @@ class User < ApplicationRecord
todos.find_by(target: target, state: :pending)
end
+ def password_expired?
+ !!(password_expires_at && password_expires_at < Time.now)
+ end
+
# @deprecated
alias_method :owned_or_masters_groups, :owned_or_maintainers_groups
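Review bot: `password_expired?` has no comment stating that a nil `password_expires_at` is treated as "never expires", which is the behaviour `check_password_expiration` now relies on. I would add `# Returns false when password_expires_at is nil (no expiry set).` above the method. As a style point, `Time.current` is the usual Rails form over `Time.now`, and `password_expires_at.present? && password_expires_at < Time.current` avoids the `!!`.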