gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab <devaroop123@yahoo.co.in>2014-02-06 15:26:20 +0400
committerGitLab <devaroop123@yahoo.co.in>2014-02-06 15:26:20 +0400
commit319f355aeda3fa67c1bc4451c4db5787090ab8af (patch)
treeae63228da662e4063a330728e502d5a265b707c2 /config
parentb6bd4856a33df3d144be66c4ed1f1396009bb08b (diff)
parentf99ee99f6530cfab85c67d01832eb76ba5f85fa3 (diff)
merge with upstream master
Diffstat (limited to 'config')
-rw-r--r--config/application.rb28
-rw-r--r--config/database.yml.mysql2
-rw-r--r--config/database.yml.postgresql4
-rw-r--r--config/environments/development.rb9
-rw-r--r--config/environments/production.rb5
-rw-r--r--config/environments/test.rb5
-rw-r--r--config/gitlab.yml.example47
-rw-r--r--config/initializers/1_settings.rb39
-rw-r--r--config/initializers/3_grit_ext.rb1
-rw-r--r--config/initializers/5_backend.rb3
-rw-r--r--config/initializers/carrierwave.rb2
-rw-r--r--config/initializers/devise.rb27
-rw-r--r--config/initializers/devise_async.rb1
-rw-r--r--config/initializers/devise_password_length.rb.example6
-rw-r--r--config/initializers/gemoji.rb1
-rw-r--r--config/initializers/rack_attack.rb.example20
-rw-r--r--config/initializers/secret_token.rb1
-rw-r--r--config/initializers/session_store.rb17
-rw-r--r--config/initializers/smtp_settings.rb.sample12
-rw-r--r--config/routes.rb67
-rw-r--r--config/unicorn.rb.example6
21 files changed, 195 insertions, 108 deletions
diff --git a/config/application.rb b/config/application.rb
index d85bcab7885..88759ce7cf3 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -1,13 +1,9 @@
require File.expand_path('../boot', __FILE__)
require 'rails/all'
+require 'devise'
-if defined?(Bundler)
- # If you precompile assets before deploying to production, use this line
- # Bundler.require(*Rails.groups(assets: %w(development test)))
- # If you want your assets lazily compiled in production, use this line
- Bundler.require(:default, :assets, Rails.env)
-end
+Bundler.require(:default, Rails.env)
module Gitlab
class Application < Rails::Application
@@ -16,7 +12,7 @@ module Gitlab
# -- all .rb files in that directory are automatically loaded.
# Custom directories with classes and modules you want to be autoloadable.
- config.autoload_paths += %W(#{config.root}/lib #{config.root}/app/models/concerns)
+ config.autoload_paths += %W(#{config.root}/lib #{config.root}/app/models/concerns #{config.root}/app/models/project_services)
# Only load the plugins named here, in the order given (default is alphabetical).
# :all can be used as a placeholder for all plugins not explicitly named.
@@ -42,6 +38,7 @@ module Gitlab
# The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
# config.i18n.default_locale = :de
+ config.i18n.enforce_available_locales = false
# Configure the default encoding used in templates for Ruby 1.9.
config.encoding = "utf-8"
@@ -70,15 +67,24 @@ module Gitlab
config.assets.version = '1.0'
# Uncomment and customize the last line to run in a non-root path
- # WARNING: This feature is known to work, but unsupported
- # Note that three settings need to be changed for this to work.
+ # WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this.
+ # Note that four settings need to be changed for this to work.
# 1) In your application.rb file: config.relative_url_root = "/gitlab"
# 2) In your gitlab.yml file: relative_url_root: /gitlab
# 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
+ # 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab"
+ # To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
#
# config.relative_url_root = "/gitlab"
- # Uncomment to enable rack attack middleware
- # config.middleware.use Rack::Attack
+ config.middleware.use Rack::Attack
+
+ # Allow access to GitLab API from other domains
+ config.middleware.use Rack::Cors do
+ allow do
+ origins '*'
+ resource '/api/*', headers: :any, methods: [:get, :post, :options, :put, :delete]
+ end
+ end
end
end
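Review bot: The `Rack::Cors` block lets every origin (`origins '*'`) call `/api/*` with all mutating verbs and any request header, and it does not state whether credentialed requests are permitted. Whether cookies are honoured then depends on the default of the rack-cors version in use, which is not visible here, so I would pin it with `credentials: false` on the `resource` line and read the allowed origins from gitlab.yml instead of hard-coding the wildcard. Separately, `config.middleware.use Rack::Attack` is now unconditional while `rack_attack.rb` still ships only as an `.example`, so an install that never renames that file runs the middleware with no throttles defined; a comment saying so would help.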
diff --git a/config/database.yml.mysql b/config/database.yml.mysql
index a3eff1a74f8..55ac088bc1d 100644
--- a/config/database.yml.mysql
+++ b/config/database.yml.mysql
@@ -7,7 +7,7 @@ production:
reconnect: false
database: gitlabhq_production
pool: 10
- username: root
+ username: git
password: "secure password"
# host: localhost
# socket: /tmp/mysql.sock
diff --git a/config/database.yml.postgresql b/config/database.yml.postgresql
index 4b74f3348f8..66960551cfd 100644
--- a/config/database.yml.postgresql
+++ b/config/database.yml.postgresql
@@ -6,8 +6,8 @@ production:
encoding: unicode
database: gitlabhq_production
pool: 10
- username: git
- password:
+ # username: git
+ # password:
# host: localhost
# port: 5432
# socket: /tmp/postgresql.sock
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 6cba17f6ea2..e4c7649fda0 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -6,9 +6,6 @@ Gitlab::Application.configure do
# since you don't have to restart the web server when you make code changes.
config.cache_classes = false
- # Log error messages when you accidentally call methods on nil.
- config.whiny_nils = true
-
# Show full error reports and disable caching
config.consider_all_requests_local = true
config.action_controller.perform_caching = false
@@ -25,10 +22,6 @@ Gitlab::Application.configure do
# Raise exception on mass assignment protection for Active Record models
config.active_record.mass_assignment_sanitizer = :strict
- # Log the query plan for queries taking more than this (works
- # with SQLite, MySQL, and PostgreSQL)
- config.active_record.auto_explain_threshold_in_seconds = 0.5
-
# Do not compress assets
config.assets.compress = false
@@ -39,4 +32,6 @@ Gitlab::Application.configure do
config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
# Open sent mails in browser
config.action_mailer.delivery_method = :letter_opener
+
+ config.eager_load = false
end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index e3476be8fba..9ac4622abc2 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -80,4 +80,9 @@ Gitlab::Application.configure do
# # }
config.action_mailer.perform_deliveries = true
config.action_mailer.raise_delivery_errors = true
+
+ config.eager_load = true
+ config.assets.js_compressor = :uglifier
+
+ config.allow_concurrency = false
end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index b626986299b..3860dc5c74c 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -11,9 +11,6 @@ Gitlab::Application.configure do
config.serve_static_assets = true
config.static_cache_control = "public, max-age=3600"
- # Log error messages when you accidentally call methods on nil
- config.whiny_nils = true
-
# Show full error reports and disable caching
config.consider_all_requests_local = true
config.action_controller.perform_caching = false
@@ -34,4 +31,6 @@ Gitlab::Application.configure do
# Print deprecation notices to the stderr
config.active_support.deprecation = :stderr
+
+ config.eager_load = false
end
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 0b1560ac587..ce57465d687 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -14,17 +14,19 @@ production: &base
## GitLab settings
gitlab:
- ## Web server settings
+ ## Web server settings (note: host is the FQDN, do not include http://)
host: localhost
port: 80
https: false
# Uncomment and customize the last line to run in a non-root path
- # WARNING: This feature is known to work, but unsupported
- # Note that three settings need to be changed for this to work.
+ # WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this.
+ # Note that four settings need to be changed for this to work.
# 1) In your application.rb file: config.relative_url_root = "/gitlab"
# 2) In your gitlab.yml file: relative_url_root: /gitlab
# 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
+ # 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab"
+ # To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
#
# relative_url_root: /gitlab
@@ -55,10 +57,15 @@ production: &base
# default: false - Account passwords are not sent via the email if signup is enabled.
# signup_enabled: true
+ # Restrict setting visibility levels for non-admin users.
+ # The default is to allow all levels.
+ #restricted_visibility_levels: [ "public" ]
+
## Automatic issue closing
- # If a commit message matches this regular express, all issues referenced from the matched text will be closed
- # if it's pushed to a project's default branch.
- # issue_closing_pattern: ^([Cc]loses|[Ff]ixes) +#\d+
+ # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
+ # This happens when the commit is pushed or merged into the default branch of a project.
+ # When not specified the default issue_closing_pattern as specified below will be used.
+ # issue_closing_pattern: '([Cc]lose[sd]|[Ff]ixe[sd]) +#\d+'
## Default project features settings
default_projects_features:
@@ -67,11 +74,12 @@ production: &base
wiki: true
wall: false
snippets: false
- public: false
+ visibility_level: "private" # can be "private" | "internal" | "public"
## External issues trackers
issues_tracker:
# redmine:
+ # title: "Redmine"
# ## If not nil, link 'Issues' on project page will be replaced with this
# ## Use placeholders:
# ## :project_id - GitLab project identifier
@@ -92,6 +100,7 @@ production: &base
# new_issue_url: "http://redmine.sample/projects/:issues_tracker_id/issues/new"
#
# jira:
+ # title: "Atlassian Jira"
# project_url: "http://jira.sample/issues/?jql=project=:issues_tracker_id"
# issues_url: "http://jira.sample/browse/:id"
# new_issue_url: "http://jira.sample/secure/CreateIssue.jspa"
@@ -107,15 +116,26 @@ production: &base
# ==========================
## LDAP settings
+ # You can inspect a sample of the LDAP users with login access by running:
+ # bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: false
host: '_your_ldap_server'
base: '_the_base_where_you_search_for_users'
port: 636
uid: 'sAMAccountName'
- method: 'ssl' # "ssl" or "plain"
+ method: 'ssl' # "tls" or "ssl" or "plain"
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
password: '_the_password_of_the_bind_user'
+ # If allow_username_or_email_login is enabled, GitLab will ignore everything
+ # after the first '@' in the LDAP username submitted by the user on login.
+ #
+ # Example:
+ # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
+ # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
+ #
+ # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
+ # disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true
## OmniAuth settings
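Review bot: The `method` comment now lists "tls" next to "ssl" and "plain" but does not say that "plain" sends the bind password and every user's credentials unencrypted, nor that the sample `port: 636` is the LDAPS port while StartTLS normally runs on 389. I would extend it to something like `# "tls" (StartTLS, usually port 389), "ssl" (LDAPS, port 636) or "plain" (unencrypted, avoid)`. Note also that `allow_username_or_email_login` stays `true` by default, which the new comment itself says breaks `userPrincipalName` setups.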
@@ -133,7 +153,7 @@ production: &base
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others:
- # see https://github.com/gitlabhq/gitlabhq/wiki/Using-Custom-Omniauth-Providers
+ # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Working-custom-omniauth-provider-configurations
# The 'app_id' and 'app_secret' parameters are always passed as the first two
# arguments, followed by optional 'args' which can be either a hash or an array.
providers:
@@ -143,7 +163,8 @@ production: &base
# - { name: 'twitter', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET'}
# - { name: 'github', app_id: 'YOUR APP ID',
- # app_secret: 'YOUR APP SECRET' }
+ # app_secret: 'YOUR APP SECRET',
+ # args: { scope: 'user:email' } }
@@ -163,6 +184,8 @@ production: &base
## GitLab Shell settings
gitlab_shell:
+ path: /home/git/gitlab-shell/
+
# REPOS_PATH MUST NOT BE A SYMLINK!!!
repos_path: /home/git/repositories/
hooks_path: /home/git/gitlab-shell/hooks/
@@ -179,7 +202,8 @@ production: &base
# Use the default values unless you really know what you are doing
git:
bin_path: /usr/bin/git
- # Max size of a git object (e.g. a commit), in bytes
+ # The next value is the maximum memory size grit can use
+ # Given in number of bytes per git object (e.g. a commit)
# This value can be increased if you have very large commits
max_size: 5242880 # 5.megabytes
# Git timeout to read a commit, in seconds
@@ -205,6 +229,7 @@ test:
<<: *base
issues_tracker:
redmine:
+ title: "Redmine"
project_url: "http://redmine/projects/:issues_tracker_id"
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 1c8758d9420..cf6c79bb50e 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -3,8 +3,8 @@ class Settings < Settingslogic
namespace Rails.env
class << self
- def gitlab_on_non_standard_port?
- ![443, 80].include?(gitlab.port.to_i)
+ def gitlab_on_standard_port?
+ gitlab.port.to_i == (gitlab.https ? 443 : 80)
end
private
@@ -18,11 +18,7 @@ class Settings < Settingslogic
end
def build_gitlab_url
- if gitlab_on_non_standard_port?
- custom_port = ":#{gitlab.port}"
- else
- custom_port = nil
- end
+ custom_port = gitlab_on_standard_port? ? nil : ":#{gitlab.port}"
[ gitlab.protocol,
"://",
gitlab.host,
@@ -30,6 +26,29 @@ class Settings < Settingslogic
gitlab.relative_url_root
].join('')
end
+
+ # check that values in `current` (string or integer) is a contant in `modul`.
+ def verify_constant_array(modul, current, default)
+ values = default || []
+ if !current.nil?
+ values = []
+ current.each do |constant|
+ values.push(verify_constant(modul, constant, nil))
+ end
+ values.delete_if { |value| value.nil? }
+ end
+ values
+ end
+
+ # check that `current` (string or integer) is a contant in `modul`.
+ def verify_constant(modul, current, default)
+ constant = modul.constants.find{ |name| modul.const_get(name) == current }
+ value = constant.nil? ? default : modul.const_get(constant)
+ if current.is_a? String
+ value = modul.const_get(current.upcase) rescue default
+ end
+ value
+ end
end
end
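Review bot: `verify_constant` resolves string values with `modul.const_get(current.upcase) rescue default`, which also searches `Object` when `modul` is a module and swallows every StandardError, so a configured string that happens to name a top-level constant can come back as a class instead of a visibility level. `verify_constant_array` then drops unrecognised entries silently, so a misspelt `restricted_visibility_levels` entry (see the `Settings.send(:verify_constant_array, ...)` call in the next hunk) yields a shorter, possibly empty, restriction list with no warning, i.e. the setting fails open. I would limit the lookup to constants defined on `modul` itself, rescue only `NameError`, and log any entry that is dropped. Both new comments also misspell "constant" as "contant".

```ruby
def verify_constant(modul, current, default)
  # … unchanged: lookup of `current` by constant value …
  if current.is_a? String
    begin
      # inherit = false: only constants defined on `modul` itself
      value = modul.const_get(current.upcase, false)
    rescue NameError
      value = default
    end
  end
  value
end
```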
@@ -68,15 +87,16 @@ rescue ArgumentError # no user configured
'/home/' + Settings.gitlab['user']
end
Settings.gitlab['signup_enabled'] ||= false
+Settings.gitlab['restricted_visibility_levels'] = Settings.send(:verify_constant_array, Gitlab::VisibilityLevel, Settings.gitlab['restricted_visibility_levels'], [])
Settings.gitlab['username_changing_enabled'] = true if Settings.gitlab['username_changing_enabled'].nil?
-Settings.gitlab['issue_closing_pattern'] = '^([Cc]loses|[Ff]ixes) #(\d+)' if Settings.gitlab['issue_closing_pattern'].nil?
+Settings.gitlab['issue_closing_pattern'] = '([Cc]loses|[Ff]ixes) #(\d+)' if Settings.gitlab['issue_closing_pattern'].nil?
Settings.gitlab['default_projects_features'] ||= {}
Settings.gitlab.default_projects_features['issues'] = true if Settings.gitlab.default_projects_features['issues'].nil?
Settings.gitlab.default_projects_features['merge_requests'] = true if Settings.gitlab.default_projects_features['merge_requests'].nil?
Settings.gitlab.default_projects_features['wiki'] = true if Settings.gitlab.default_projects_features['wiki'].nil?
Settings.gitlab.default_projects_features['wall'] = false if Settings.gitlab.default_projects_features['wall'].nil?
Settings.gitlab.default_projects_features['snippets'] = false if Settings.gitlab.default_projects_features['snippets'].nil?
-Settings.gitlab.default_projects_features['public'] = false if Settings.gitlab.default_projects_features['public'].nil?
+Settings.gitlab.default_projects_features['visibility_level'] = Settings.send(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
#
# Gravatar
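Review bot: The fallback on the `issue_closing_pattern` line is `'([Cc]loses|[Ff]ixes) #(\d+)'`, but the gitlab.yml.example hunk in this same commit documents the default as `'([Cc]lose[sd]|[Ff]ixe[sd]) +#\d+'`, so "closed"/"fixed" and runs of spaces are not matched unless the admin uncomments the example. Dropping the `^` anchor also means the keyword now matches anywhere in a commit message, including in the middle of a longer word such as "prefixes". I would make the two strings agree and add a word boundary, e.g. `'\b([Cc]lose[sd]|[Ff]ixe[sd]) +#(\d+)'`, after checking whether the consumer (not visible here) relies on the capture group.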
@@ -90,6 +110,7 @@ Settings.gravatar['ssl_url'] ||= 'https://secure.gravatar.com/avatar/%{hash}?
# GitLab Shell
#
Settings['gitlab_shell'] ||= Settingslogic.new({})
+Settings.gitlab_shell['path'] ||= Settings.gitlab['user_home'] + '/gitlab-shell/'
Settings.gitlab_shell['hooks_path'] ||= Settings.gitlab['user_home'] + '/gitlab-shell/hooks/'
Settings.gitlab_shell['receive_pack'] = true if Settings.gitlab_shell['receive_pack'].nil?
Settings.gitlab_shell['upload_pack'] = true if Settings.gitlab_shell['upload_pack'].nil?
diff --git a/config/initializers/3_grit_ext.rb b/config/initializers/3_grit_ext.rb
index 8b298e821e7..6540ac839cb 100644
--- a/config/initializers/3_grit_ext.rb
+++ b/config/initializers/3_grit_ext.rb
@@ -1,5 +1,4 @@
require 'grit'
-require 'pygments'
Grit::Git.git_binary = Gitlab.config.git.bin_path
Grit::Git.git_timeout = Gitlab.config.git.timeout
diff --git a/config/initializers/5_backend.rb b/config/initializers/5_backend.rb
index e60d9559c94..7c2e7f39000 100644
--- a/config/initializers/5_backend.rb
+++ b/config/initializers/5_backend.rb
@@ -6,6 +6,3 @@ require Rails.root.join("lib", "gitlab", "backend", "shell")
# GitLab shell adapter
require Rails.root.join("lib", "gitlab", "backend", "shell_adapter")
-
-# Gitlab Git repos path
-Gitlab::Git::Repository.repos_path = Gitlab.config.gitlab_shell.repos_path
diff --git a/config/initializers/carrierwave.rb b/config/initializers/carrierwave.rb
index 45bc68f3220..6875fa74edd 100644
--- a/config/initializers/carrierwave.rb
+++ b/config/initializers/carrierwave.rb
@@ -15,5 +15,7 @@ if File.exists?(aws_file)
config.fog_directory = AWS_CONFIG['bucket'] # required
config.fog_public = false # optional, defaults to true
config.fog_attributes = {'Cache-Control'=>'max-age=315576000'} # optional, defaults to {}
+ config.fog_authenticated_url_expiration = 1 << 29 # optional time (in seconds) that authenticated urls will be valid.
+ # when fog_public is false and provider is AWS or Google, defaults to 600
end
end
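Review bot: `config.fog_authenticated_url_expiration = 1 << 29` makes each signed URL valid for 536,870,912 seconds, roughly 17 years, so with `fog_public = false` any link that leaks through logs, referrers or forwarded mail keeps granting access to the object for practically its whole lifetime. The added comment mentions the 600-second default but not why it is overridden; if the reason is cached pages holding stale links, that belongs in the comment, and a value measured in hours or days, read from the AWS config file, would narrow the exposure. The surrounding `if File.exists?(aws_file)` block begins outside this hunk.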
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 39c1b7c235b..a02bf9d4aec 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -6,6 +6,7 @@ Devise.setup do |config|
# note that it will be overwritten if you use your own mailer class with default "from" parameter.
config.mailer_sender = Gitlab.config.gitlab.email_from
+
# Configure the class responsible to send e-mails.
# config.mailer = "Devise::Mailer"
@@ -54,6 +55,8 @@ Devise.setup do |config|
# The realm used in Http Basic Authentication. "Application" by default.
# config.http_authentication_realm = "Application"
+ config.reconfirmable = true
+
# It will change confirmation, password recovery and other workflows
# to behave the same regardless if the e-mail provided was right or wrong.
# Does not affect registerable.
@@ -72,13 +75,13 @@ Devise.setup do |config|
# config.pepper = "2ef62d549c4ff98a5d3e0ba211e72cff592060247e3bbbb9f499af1222f876f53d39b39b823132affb32858168c79c1d7741d26499901b63c6030a42129924ef"
# ==> Configuration for :confirmable
- # The time you want to give your user to confirm his account. During this time
- # he will be able to access your application without confirming. Default is 0.days
- # When confirm_within is zero, the user won't be able to sign in without confirming.
+ # The time you want to give a user to confirm their account. During this time
+ # they will be able to access your application without confirming. Default is 0.days
+ # When allow_unconfirmed_access_for is zero, the user won't be able to sign in without confirming.
# You can use this to let your user access some features of your application
# without confirming the account, but blocking it after a certain period
# (ie 2 days).
- # config.confirm_within = 2.days
+ # config.allow_unconfirmed_access_for = 2.days
# Defines which key will be used when confirming an account
# config.confirmation_keys = [ :email ]
@@ -99,7 +102,7 @@ Devise.setup do |config|
# ==> Configuration for :validatable
# Range for password length. Default is 6..128.
- config.password_length = 6..128
+ config.password_length = 8..128
# Email regex used to validate email formats. It simply asserts that
# an one (and only one) @ exists in the given string. This is mainly
@@ -224,15 +227,21 @@ Devise.setup do |config|
end
Gitlab.config.omniauth.providers.each do |provider|
+ provider_arguments = []
+
+ %w[app_id app_secret].each do |argument|
+ provider_arguments << provider[argument] if provider[argument]
+ end
+
case provider['args']
when Array
# An Array from the configuration will be expanded.
- config.omniauth provider['name'].to_sym, provider['app_id'], provider['app_secret'], *provider['args']
+ provider_arguments.concat provider['args']
when Hash
# A Hash from the configuration will be passed as is.
- config.omniauth provider['name'].to_sym, provider['app_id'], provider['app_secret'], provider['args']
- else
- config.omniauth provider['name'].to_sym, provider['app_id'], provider['app_secret']
+ provider_arguments << provider['args']
end
+
+ config.omniauth provider['name'].to_sym, *provider_arguments
end
end
diff --git a/config/initializers/devise_async.rb b/config/initializers/devise_async.rb
new file mode 100644
index 00000000000..05a1852cdbd
--- /dev/null
+++ b/config/initializers/devise_async.rb
@@ -0,0 +1 @@
+Devise::Async.backend = :sidekiq
diff --git a/config/initializers/devise_password_length.rb.example b/config/initializers/devise_password_length.rb.example
new file mode 100644
index 00000000000..97305825e07
--- /dev/null
+++ b/config/initializers/devise_password_length.rb.example
@@ -0,0 +1,6 @@
+Devise.setup do |config|
+ # The following line changes the password length limits for new users. In the
+ # example below the minimum length is 12 characters, and the maximum length
+ # is 128 characters.
+ config.password_length = 12..128
+end
diff --git a/config/initializers/gemoji.rb b/config/initializers/gemoji.rb
index 8c85aad5d3b..6cc33aced77 100644
--- a/config/initializers/gemoji.rb
+++ b/config/initializers/gemoji.rb
@@ -1,2 +1,3 @@
# Workaround for https://github.com/github/gemoji/pull/18
+require 'gemoji'
Gitlab::Application.config.assets.paths << Emoji.images_path
diff --git a/config/initializers/rack_attack.rb.example b/config/initializers/rack_attack.rb.example
index 76fa7ad282e..bc3234bf0b6 100644
--- a/config/initializers/rack_attack.rb.example
+++ b/config/initializers/rack_attack.rb.example
@@ -1,16 +1,18 @@
-# To enable rack-attack for your GitLab instance do the following:
-# 1. In config/application.rb find and uncomment the following line:
-# config.middleware.use Rack::Attack
-# 2. Rename this file to rack_attack.rb
-# 3. Review the paths_to_be_protected and add any other path you need protecting
-# 4. Restart GitLab instance
+# 1. Rename this file to rack_attack.rb
+# 2. Review the paths_to_be_protected and add any other path you need protecting
#
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
- "#{Rails.application.config.relative_url_root}/users"
+ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+ "#{Rails.application.config.relative_url_root}/users",
+ "#{Rails.application.config.relative_url_root}/users/confirmation"
]
-Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req|
- req.ip if paths_to_be_protected.include?(req.path) && req.post?
+
+unless Rails.env.test?
+ Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
+ req.ip if paths_to_be_protected.include?(req.path) && req.post?
+ end
end
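Review bot: The throttle still matches with `paths_to_be_protected.include?(req.path)`, an exact string comparison, so a POST whose path differs only by a trailing slash or a format suffix may not be counted; having to list both `session.json` and `session` here shows the problem. Normalising the path before the lookup, or matching against anchored patterns, would cover such variants without enumerating them. The limit is also raised from 6 to 10 per minute with no stated reason, and keying on `req.ip` is only meaningful if the proxy in front of the app passes the client address correctly; both deserve a comment.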
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 16d1d4a9fdd..98400290113 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -21,3 +21,4 @@ def find_secure_token
end
Gitlab::Application.config.secret_token = find_secure_token
+Gitlab::Application.config.secret_key_base = find_secure_token
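Review bot: `secret_key_base` is assigned the result of a second `find_secure_token` call, which is the same secret that `secret_token` uses, assuming the helper (its body is outside this hunk) returns the stored token on every call. Sharing one secret between the legacy signed-cookie key and the new key base means a single disclosure compromises both, and neither can be rotated independently. I would generate and store a separate value for `secret_key_base`, or at least add a comment such as `# same value on purpose: lets Rails 4 upgrade existing signed cookies` if the reuse is deliberate.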
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 52a099c3e16..f80b67a554b 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,11 +1,10 @@
# Be sure to restart your server when you modify this file.
-Gitlab::Application.config.session_store :cookie_store, key: '_gitlab_session',
- secure: Gitlab::Application.config.force_ssl,
- httponly: true,
- path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
-
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration")
-# Gitlab::Application.config.session_store :active_record_store
+Gitlab::Application.config.session_store(
+ :redis_store, # Using the cookie_store would enable session replay attacks.
+ servers: Gitlab::Application.config.cache_store.last, # re-use the Redis config from the Rails cache store
+ key: '_gitlab_session',
+ secure: Gitlab.config.gitlab.https,
+ httponly: true,
+ path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
+)
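Review bot: The new `session_store` call sets no server-side lifetime, so session records in Redis live until the store evicts them; adding `expire_after:` with an explicit duration would bound how long a stolen session id stays usable and keep the keyspace from growing without limit. `servers: Gitlab::Application.config.cache_store.last` assumes the cache store is configured as an array whose last element is the Redis location, which this diff does not show, and it puts sessions in the same store as the cache, so flushing the cache would also end every session. The inline comment on `:redis_store` could add that the gain is server-side invalidation on logout, which a cookie store cannot provide.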
diff --git a/config/initializers/smtp_settings.rb.sample b/config/initializers/smtp_settings.rb.sample
index e62ad0f4b71..3711b03796e 100644
--- a/config/initializers/smtp_settings.rb.sample
+++ b/config/initializers/smtp_settings.rb.sample
@@ -1,11 +1,11 @@
# To enable smtp email delivery for your GitLab instance do next:
-# 1. Change config/environments/production.rb to use smtp
-# config.action_mailer.delivery_method = :smtp
-# 2. Rename this file to smtp_settings.rb
-# 3. Edit settings inside this file
-# 4. Restart GitLab instance
+# 1. Rename this file to smtp_settings.rb
+# 2. Edit settings inside this file
+# 3. Restart GitLab instance
#
-if Gitlab::Application.config.action_mailer.delivery_method == :smtp
+if Rails.env.production?
+ Gitlab::Application.config.action_mailer.delivery_method = :smtp
+
ActionMailer::Base.smtp_settings = {
address: "email.server.com",
port: 456,
diff --git a/config/routes.rb b/config/routes.rb
index 1d2b4d73736..1cc6242c623 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,6 +6,7 @@ Gitlab::Application.routes.draw do
# Search
#
get 'search' => "search#show"
+ get 'search/autocomplete' => "search#autocomplete", as: :search_autocomplete
# API
API::API.logger Rails.logger
@@ -25,7 +26,7 @@ Gitlab::Application.routes.draw do
project_root: Gitlab.config.gitlab_shell.repos_path,
upload_pack: Gitlab.config.gitlab_shell.upload_pack,
receive_pack: Gitlab.config.gitlab_shell.receive_pack
- }), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }
+ }), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]
#
# Help
@@ -89,42 +90,50 @@ Gitlab::Application.routes.draw do
get :test
end
+ resources :broadcast_messages, only: [:index, :create, :destroy]
resource :logs, only: [:show]
resource :background_jobs, controller: 'background_jobs', only: [:show]
- resources :projects, constraints: { id: /[a-zA-Z.\/0-9_\-]+/ }, only: [:index, :show]
+
+ resources :projects, constraints: { id: /[a-zA-Z.\/0-9_\-]+/ }, only: [:index, :show] do
+ member do
+ put :transfer
+ end
+ end
+
root to: "dashboard#index"
end
- get "errors/githost"
-
#
# Profile Area
#
resource :profile, only: [:show, :update] do
member do
- get :account
get :history
- get :token
get :design
- put :update_password
put :reset_private_token
put :update_username
end
scope module: :profiles do
+ resource :account, only: [:show, :update]
resource :notifications, only: [:show, :update]
- resource :password, only: [:new, :create]
+ resource :password, only: [:new, :create, :edit, :update] do
+ member do
+ put :reset
+ end
+ end
resources :keys
resources :groups, only: [:index] do
member do
delete :leave
end
end
+ resource :avatar, only: [:destroy]
end
end
- match "/u/:username" => "users#show", as: :user, constraints: { username: /.*/ }
+ match "/u/:username" => "users#show", as: :user, constraints: { username: /.*/ }, via: :get
@@ -150,6 +159,9 @@ Gitlab::Application.routes.draw do
end
resources :users_groups, only: [:create, :update, :destroy]
+ scope module: :groups do
+ resource :avatar, only: [:destroy]
+ end
end
resources :projects, constraints: { id: /[^\/]+/ }, only: [:new, :create]
@@ -163,20 +175,24 @@ Gitlab::Application.routes.draw do
member do
put :transfer
post :fork
+ post :archive
+ post :unarchive
get :autocomplete_sources
end
scope module: :projects do
- resources :blob, only: [:show], constraints: {id: /.+/}
- resources :raw, only: [:show], constraints: {id: /.+/}
- resources :tree, only: [:show], constraints: {id: /.+/, format: /(html|js)/ }
- resources :edit_tree, only: [:show, :update], constraints: {id: /.+/}, path: 'edit'
- resources :commit, only: [:show], constraints: {id: /[[:alnum:]]{6,40}/}
- resources :commits, only: [:show], constraints: {id: /(?:[^.]|\.(?!atom$))+/, format: /atom/}
- resources :compare, only: [:index, :create]
- resources :blame, only: [:show], constraints: {id: /.+/}
+ resources :blob, only: [:show, :destroy], constraints: {id: /.+/}
+ resources :raw, only: [:show], constraints: {id: /.+/}
+ resources :tree, only: [:show], constraints: {id: /.+/, format: /(html|js)/ }
+ resources :edit_tree, only: [:show, :update], constraints: {id: /.+/}, path: 'edit'
+ resources :new_tree, only: [:show, :update], constraints: {id: /.+/}, path: 'new'
+ resources :commit, only: [:show], constraints: {id: /[[:alnum:]]{6,40}/}
+ resources :commits, only: [:show], constraints: {id: /(?:[^.]|\.(?!atom$))+/, format: /atom/}
+ resources :compare, only: [:index, :create]
+ resources :blame, only: [:show], constraints: {id: /.+/}
resources :network, only: [:show], constraints: {id: /(?:[^.]|\.(?!json$))+/, format: /json/}
- resources :graphs, only: [:show], constraints: {id: /(?:[^.]|\.(?!json$))+/, format: /json/}
+ resources :graphs, only: [:show], constraints: {id: /(?:[^.]|\.(?!json$))+/, format: /json/}
+
match "/compare/:from...:to" => "compare#show", as: "compare", via: [:get, :post], constraints: {from: /.+/, to: /.+/}
resources :snippets, constraints: {id: /\d+/} do
@@ -206,7 +222,7 @@ Gitlab::Application.routes.draw do
resource :repository, only: [:show] do
member do
get "stats"
- get "archive"
+ get "archive", constraints: { format: Gitlab::Regex.archive_formats_regex }
end
end
@@ -223,14 +239,14 @@ Gitlab::Application.routes.draw do
end
end
- resources :branches, only: [:index, :new, :create, :destroy], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ } do
+ resources :branches, only: [:index, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex } do
collection do
- get :recent
+ get :recent, constraints: { id: Gitlab::Regex.git_reference_regex }
end
end
- resources :tags, only: [:index, :new, :create, :destroy], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ }
- resources :protected_branches, only: [:index, :create, :destroy], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ }
+ resources :tags, only: [:index, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
+ resources :protected_branches, only: [:index, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
resources :refs, only: [] do
collection do
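Review bot: `get :recent, constraints: { id: Gitlab::Regex.git_reference_regex }` sits inside `collection do`, where the route has no `:id` segment, so the constraint appears to have no effect and the line can be just `get :recent`. On the member routes the inline character class is replaced by `Gitlab::Regex.git_reference_regex`, whose definition is outside this diff; it is worth confirming that it is at least as strict as `/[a-zA-Z.\/0-9_\-#%+]+/` and carries no anchors, which Rails rejects in route constraints. The `team_members` route shown as context in a later hunk still uses the old literal, so the refactor is incomplete.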
@@ -239,11 +255,11 @@ Gitlab::Application.routes.draw do
member do
# tree viewer logs
- get "logs_tree", constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ }
+ get "logs_tree", constraints: { id: Gitlab::Regex.git_reference_regex }
get "logs_tree/:path" => "refs#logs_tree",
as: :logs_file,
constraints: {
- id: /[a-zA-Z.0-9\/_\-#%+]+/,
+ id: Gitlab::Regex.git_reference_regex,
path: /.*/
}
end
@@ -287,6 +303,7 @@ Gitlab::Application.routes.draw do
resources :team_members, except: [:index, :edit], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ } do
collection do
+ delete :leave
# Used for import team
# from another project
diff --git a/config/unicorn.rb.example b/config/unicorn.rb.example
index e4e13426831..ba5e5cdde0b 100644
--- a/config/unicorn.rb.example
+++ b/config/unicorn.rb.example
@@ -9,11 +9,13 @@
# documentation.
# Uncomment and customize the last line to run in a non-root path
-# WARNING: This feature is known to work, but unsupported
-# Note that three settings need to be changed for this to work.
+# WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this.
+# Note that four settings need to be changed for this to work.
# 1) In your application.rb file: config.relative_url_root = "/gitlab"
# 2) In your gitlab.yml file: relative_url_root: /gitlab
# 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
+# 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab"
+# To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
#
# ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"