Add latest changes from gitlab-org/gitlab@master

9 files changed, 37 insertions, 61 deletions

diff --git a/app/controllers/projects/issue_links_controller.rb b/app/controllers/projects/issue_links_controller.rb
index 4a5f9309aed..956557457fa 100644
--- a/app/controllers/projects/issue_links_controller.rb
+++ b/app/controllers/projects/issue_links_controller.rb
@@ -13,7 +13,7 @@ module Projects
     private
 
     def authorize_admin_issue_link!
-      render_403 unless can?(current_user, :admin_issue_link, issue)
+      render_403 unless can?(current_user, :admin_issue_link, @project)
     end
 
     def authorize_issue_link_association!
diff --git a/app/models/pages_deployment.rb b/app/models/pages_deployment.rb
index 2aa36a94171..0d87a8f6cf6 100644
--- a/app/models/pages_deployment.rb
+++ b/app/models/pages_deployment.rb
@@ -5,6 +5,9 @@ class PagesDeployment < ApplicationRecord
   include EachBatch
   include FileStoreMounter
   include Gitlab::Utils::StrongMemoize
+  include SafelyChangeColumnDefault
+
+  columns_changing_default :upload_ready
 
   attribute :file_store, :integer, default: -> { ::Pages::DeploymentUploader.default_store }
 
@@ -18,7 +21,12 @@ class PagesDeployment < ApplicationRecord
   scope :with_files_stored_remotely, -> { where(file_store: ::ObjectStorage::Store::REMOTE) }
   scope :project_id_in, ->(ids) { where(project_id: ids) }
   scope :with_path_prefix, ->(prefix) { where("COALESCE(path_prefix, '') = ?", prefix.to_s) }
-  scope :active, -> { where(deleted_at: nil).order(created_at: :desc) }
+
+  # We have to mark the PagesDeployment upload as ready to ensure we only
+  # serve PagesDeployment which files are already uploaded.
+  scope :upload_ready, -> { where(upload_ready: true) }
+
+  scope :active, -> { upload_ready.where(deleted_at: nil).order(created_at: :desc) }
   scope :deactivated, -> { where('deleted_at < ?', Time.now.utc) }
 
   validates :file, presence: true
@@ -64,6 +72,18 @@ class PagesDeployment < ApplicationRecord
     return unless previous_changes.key?(:file)
 
     store_file_now!
+    mark_upload_as_finished!
+  end
+
+  # We have to mark the PagesDeployment upload as ready to ensure we only
+  # serve PagesDeployment which files are already uploaded.
+  #
+  # This is required because we're uploading the file outside of the db transaction
+  # (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114774)
+  def mark_upload_as_finished!
+    return unless file && file.exists?
+
+    update_column(:upload_ready, true)
   end
 end
 
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index dfb33fb386a..683c53d8d78 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -80,7 +80,6 @@ class IssuePolicy < IssuablePolicy
   rule { ~anonymous & can?(:read_issue) }.policy do
     enable :create_todo
     enable :update_subscription
-    enable :create_issue_link
   end
 
   rule { can?(:admin_issue) }.policy do
@@ -104,10 +103,6 @@ class IssuePolicy < IssuablePolicy
     enable :admin_issue_relation
   end
 
-  rule { can?(:guest_access) & can?(:read_issue) & is_project_member }.policy do
-    enable :admin_issue_link
-  end
-
   rule { can_read_crm_contacts }.policy do
     enable :read_crm_contacts
   end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index e0e04174110..bbb0e3df500 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -379,6 +379,7 @@ class ProjectPolicy < BasePolicy
     enable :admin_label
     enable :admin_milestone
     enable :admin_issue_board_list
+    enable :admin_issue_link
     enable :read_commit_status
     enable :read_build
     enable :read_container_image
diff --git a/app/serializers/linked_project_issue_entity.rb b/app/serializers/linked_project_issue_entity.rb
index 28dca69a8d4..c95f68f58a3 100644
--- a/app/serializers/linked_project_issue_entity.rb
+++ b/app/serializers/linked_project_issue_entity.rb
@@ -4,11 +4,10 @@ class LinkedProjectIssueEntity < LinkedIssueEntity
   include Gitlab::Utils::StrongMemoize
 
   expose :relation_path, override: true do |issue|
-    # Make sure the user can admin the links of one issue and
-    # create links in the other issue in order to return the removal link.
-    if can_create_or_destroy_issue_link?(issue)
-      project_issue_link_path(issuable.project, issuable.iid,
-        issue.issue_link_id)
+    # Make sure the user can admin both the current issue AND the
+    # referenced issue projects in order to return the removal link.
+    if can_admin_issue_link_on_current_project? && can_admin_issue_link?(issue.project)
+      project_issue_link_path(issuable.project, issuable.iid, issue.issue_link_id)
     end
   end
 
@@ -18,24 +17,13 @@ class LinkedProjectIssueEntity < LinkedIssueEntity
 
   private
 
-  # A user can create/destroy an issue link if they can
-  # admin the links for one issue AND create links for the other
-  def can_create_or_destroy_issue_link?(issue)
-    (can_admin_issue_link?(issuable) && can_create_issue_link?(issue)) ||
-      (can_admin_issue_link?(issue) && can_create_issue_link?(issuable))
-  end
-
-  def can_admin_issue_link_on_current_issue?
-    strong_memoize(:can_admin_on_current_issue) do
-      can_admin_issue_link?(issuable)
+  def can_admin_issue_link_on_current_project?
+    strong_memoize(:can_admin_on_current_project) do
+      can_admin_issue_link?(issuable.project)
     end
   end
 
-  def can_admin_issue_link?(issue)
-    Ability.allowed?(current_user, :admin_issue_link, issue)
-  end
-
-  def can_create_issue_link?(issue)
-    Ability.allowed?(current_user, :create_issue_link, issue)
+  def can_admin_issue_link?(project)
+    Ability.allowed?(current_user, :admin_issue_link, project)
   end
 end
diff --git a/app/services/admin/set_feature_flag_service.rb b/app/services/admin/set_feature_flag_service.rb
index 3378be7eddd..e7969d02e0b 100644
--- a/app/services/admin/set_feature_flag_service.rb
+++ b/app/services/admin/set_feature_flag_service.rb
@@ -62,6 +62,7 @@ module Admin
         Feature.disable(name)
       elsif percentage_of_actors?
         Feature.enable_percentage_of_actors(name, percentage)
+      # Deprecated in favor of Feature.enabled?(name, :instance) + Feature.enable_percentage_of_actors(name, percentage)
       elsif percentage_of_time?
         Feature.enable_percentage_of_time(name, percentage)
       else
diff --git a/app/services/issue_links/create_service.rb b/app/services/issue_links/create_service.rb
index d4ef35d3c60..3523e945d37 100644
--- a/app/services/issue_links/create_service.rb
+++ b/app/services/issue_links/create_service.rb
@@ -4,17 +4,8 @@ module IssueLinks
   class CreateService < IssuableLinks::CreateService
     include IncidentManagement::UsageData
 
-    def execute
-      return error(issue_no_permission_error_message, 403) unless can?(current_user, :admin_issue_link, issuable) ||
-        can?(current_user, :create_issue_link, issuable)
-
-      super
-    end
-
     def linkable_issuables(issues)
-      @linkable_issuables ||= issues.select do |issue|
-        can_create_destroy_issue_link?(issue)
-      end
+      @linkable_issuables ||= issues.select { |issue| can?(current_user, :admin_issue_link, issue) }
     end
 
     def previous_related_issuables
@@ -23,21 +14,6 @@ module IssueLinks
 
     private
 
-    # A user can create/destroy an issue link if they can
-    # admin the links for one issue AND create links for the other
-    def can_create_destroy_issue_link?(issue)
-      (can_admin_issue_link?(issuable) && can_create_issue_link?(issue)) ||
-        (can_admin_issue_link?(issue) && can_create_issue_link?(issuable))
-    end
-
-    def can_admin_issue_link?(issue)
-      Ability.allowed?(current_user, :admin_issue_link, issue)
-    end
-
-    def can_create_issue_link?(issue)
-      Ability.allowed?(current_user, :create_issue_link, issue)
-    end
-
     def readonly_issuables(issuables)
       @readonly_issuables ||= issuables.select { |issuable| issuable.readable_by?(current_user) }
     end
@@ -49,10 +25,6 @@ module IssueLinks
     def link_class
       IssueLink
     end
-
-    def issue_no_permission_error_message
-      _("Couldn't link issues. You must have at least the Guest role in the source issue's project.")
-    end
   end
 end
 
diff --git a/app/services/issue_links/destroy_service.rb b/app/services/issue_links/destroy_service.rb
index 2281bebcb86..9116e9fb703 100644
--- a/app/services/issue_links/destroy_service.rb
+++ b/app/services/issue_links/destroy_service.rb
@@ -3,13 +3,11 @@
 module IssueLinks
   class DestroyService < IssuableLinks::DestroyService
     include IncidentManagement::UsageData
-    include Gitlab::Utils::StrongMemoize
 
     private
 
     def permission_to_remove_relation?
-      (can?(current_user, :admin_issue_link, link.source) && can?(current_user, :create_issue_link, link.target)) ||
-        (can?(current_user, :admin_issue_link, link.target) && can?(current_user, :create_issue_link, link.source))
+      can?(current_user, :admin_issue_link, source) && can?(current_user, :admin_issue_link, target)
     end
 
     def track_event
diff --git a/app/services/projects/update_pages_service.rb b/app/services/projects/update_pages_service.rb
index 83b28840d39..fd6c9a86540 100644
--- a/app/services/projects/update_pages_service.rb
+++ b/app/services/projects/update_pages_service.rb
@@ -98,7 +98,8 @@ module Projects
         file_count: deployment_update.entries_count,
         file_sha256: build.job_artifacts_archive.file_sha256,
         ci_build_id: build.id,
-        root_directory: build.options[:publish]
+        root_directory: build.options[:publish],
+        upload_ready: false
       }
     end