Add latest changes from gitlab-org/gitlab@master

15 files changed, 232 insertions, 50 deletions

diff --git a/spec/features/merge_request/batch_comments_spec.rb b/spec/features/merge_request/batch_comments_spec.rb
index 19680a827bf..5b11d9cb919 100644
--- a/spec/features/merge_request/batch_comments_spec.rb
+++ b/spec/features/merge_request/batch_comments_spec.rb
@@ -34,7 +34,7 @@ RSpec.describe 'Merge request > Batch comments', :js do
 
       expect(page).to have_css('.review-bar-component')
 
-      expect(find('.review-bar-content .btn-success')).to have_content('1')
+      expect(find('.review-bar-content .btn-confirm')).to have_content('1')
     end
 
     it 'publishes review' do
@@ -157,7 +157,7 @@ RSpec.describe 'Merge request > Batch comments', :js do
         expect(find('.new .draft-note-component')).to have_content('Line is wrong')
         expect(find('.old .draft-note-component')).to have_content('Another wrong line')
 
-        expect(find('.review-bar-content .btn-success')).to have_content('2')
+        expect(find('.review-bar-content .btn-confirm')).to have_content('2')
       end
     end
 
diff --git a/spec/features/profiles/user_edit_preferences_spec.rb b/spec/features/profiles/user_edit_preferences_spec.rb
index 3129e4bd952..232402f802e 100644
--- a/spec/features/profiles/user_edit_preferences_spec.rb
+++ b/spec/features/profiles/user_edit_preferences_spec.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'spec_helper'
 
 RSpec.describe 'User edit preferences profile', :js do
@@ -63,17 +64,4 @@ RSpec.describe 'User edit preferences profile', :js do
       expect(page).to have_content('Failed to save preferences.')
     end
   end
-
-  describe 'User language' do
-    let(:user) { create(:user, preferred_language: :es) }
-
-    it 'shows the user preferred language by default' do
-      expect(page).to have_select(
-        'user[preferred_language]',
-        selected: 'Spanish - español',
-        options: Gitlab::I18n.selectable_locales.values,
-        visible: :all
-      )
-    end
-  end
 end
diff --git a/spec/frontend/design_management/components/design_notes/__snapshots__/design_reply_form_spec.js.snap b/spec/frontend/design_management/components/design_notes/__snapshots__/design_reply_form_spec.js.snap
index f8c68ca4c83..d9f5ba0bade 100644
--- a/spec/frontend/design_management/components/design_notes/__snapshots__/design_reply_form_spec.js.snap
+++ b/spec/frontend/design_management/components/design_notes/__snapshots__/design_reply_form_spec.js.snap
@@ -1,7 +1,7 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
 exports[`Design reply form component renders button text as "Comment" when creating a comment 1`] = `
-"<button data-track-event=\\"click_button\\" data-qa-selector=\\"save_comment_button\\" type=\\"submit\\" disabled=\\"disabled\\" class=\\"btn btn-success btn-md disabled gl-button\\">
+"<button data-track-event=\\"click_button\\" data-qa-selector=\\"save_comment_button\\" type=\\"submit\\" disabled=\\"disabled\\" class=\\"btn gl-mr-3 gl-w-auto! btn-confirm btn-md disabled gl-button\\">
   <!---->
   <!----> <span class=\\"gl-button-text\\">
       Comment
@@ -9,7 +9,7 @@ exports[`Design reply form component renders button text as "Comment" when creat
 `;
 
 exports[`Design reply form component renders button text as "Save comment" when creating a comment 1`] = `
-"<button data-track-event=\\"click_button\\" data-qa-selector=\\"save_comment_button\\" type=\\"submit\\" disabled=\\"disabled\\" class=\\"btn btn-success btn-md disabled gl-button\\">
+"<button data-track-event=\\"click_button\\" data-qa-selector=\\"save_comment_button\\" type=\\"submit\\" disabled=\\"disabled\\" class=\\"btn gl-mr-3 gl-w-auto! btn-confirm btn-md disabled gl-button\\">
   <!---->
   <!----> <span class=\\"gl-button-text\\">
       Save comment
diff --git a/spec/helpers/preferences_helper_spec.rb b/spec/helpers/preferences_helper_spec.rb
index 4d7083c4ca7..adb29f6634d 100644
--- a/spec/helpers/preferences_helper_spec.rb
+++ b/spec/helpers/preferences_helper_spec.rb
@@ -121,6 +121,23 @@ RSpec.describe PreferencesHelper do
     end
   end
 
+  describe '#language_choices' do
+    it 'lists all the selectable language options with their translation percent' do
+      stub_const(
+        'Gitlab::I18n::TRANSLATION_LEVELS',
+        'en' => 100,
+        'es' => 65
+      )
+
+      stub_user(preferred_language: :en)
+
+      expect(helper.language_choices).to eq([
+        '<option selected="selected" value="en">English (100% translated)</option>',
+        '<option value="es">Spanish - español (65% translated)</option>'
+      ].join("\n"))
+    end
+  end
+
   def stub_user(messages = {})
     if messages.empty?
       allow(helper).to receive(:current_user).and_return(nil)
diff --git a/spec/lib/gitlab/i18n_spec.rb b/spec/lib/gitlab/i18n_spec.rb
index ee10739195a..f34de298fc0 100644
--- a/spec/lib/gitlab/i18n_spec.rb
+++ b/spec/lib/gitlab/i18n_spec.rb
@@ -3,13 +3,21 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::I18n do
-  let(:user) { create(:user, preferred_language: 'es') }
+  let(:user) { create(:user, preferred_language: :es) }
 
   describe '.selectable_locales' do
-    it 'does not return languages that should not be available in the UI' do
-      Gitlab::I18n::NOT_AVAILABLE_IN_UI.each do |language|
-        expect(described_class.selectable_locales).not_to include(language)
-      end
+    it 'does not return languages with low translation levels' do
+      stub_const(
+        'Gitlab::I18n::TRANSLATION_LEVELS',
+        'pt_BR' => 0,
+        'en' => 100,
+        'es' => 65
+      )
+
+      expect(described_class.selectable_locales).to eq({
+        'en' => 'English',
+        'es' => 'Spanish - español'
+      })
     end
   end
 
diff --git a/spec/lib/sidebars/projects/menus/merge_requests_menu_spec.rb b/spec/lib/sidebars/projects/menus/merge_requests_menu_spec.rb
new file mode 100644
index 00000000000..cef303fb068
--- /dev/null
+++ b/spec/lib/sidebars/projects/menus/merge_requests_menu_spec.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Sidebars::Projects::Menus::MergeRequestsMenu do
+  let_it_be(:project) { create(:project, :repository) }
+
+  let(:user) { project.owner }
+  let(:context) { Sidebars::Projects::Context.new(current_user: user, container: project) }
+
+  subject { described_class.new(context) }
+
+  describe '#render?' do
+    context 'when repository is not present' do
+      let(:project) { build(:project) }
+
+      it 'returns false' do
+        expect(subject.render?).to eq false
+      end
+    end
+
+    context 'when repository is present' do
+      context 'when user can read merge requests' do
+        it 'returns true' do
+          expect(subject.render?).to eq true
+        end
+      end
+
+      context 'when user cannot read merge requests' do
+        let(:user) { nil }
+
+        it 'returns false' do
+          expect(subject.render?).to eq false
+        end
+      end
+    end
+  end
+
+  describe '#pill_count' do
+    it 'returns zero when there are no open merge requests' do
+      expect(subject.pill_count).to eq 0
+    end
+
+    it 'memoizes the query' do
+      subject.pill_count
+
+      control = ActiveRecord::QueryRecorder.new do
+        subject.pill_count
+      end
+
+      expect(control.count).to eq 0
+    end
+
+    context 'when there are open merge requests' do
+      it 'returns the number of open merge requests' do
+        create_list(:merge_request, 2, :unique_branches, source_project: project, author: user, state: :opened)
+        create(:merge_request, source_project: project, state: :merged)
+
+        expect(subject.pill_count).to eq 2
+      end
+    end
+  end
+end
diff --git a/spec/requests/api/graphql/mutations/notes/create/note_spec.rb b/spec/requests/api/graphql/mutations/notes/create/note_spec.rb
index 1eed1c8e2ae..8dd8ed361ba 100644
--- a/spec/requests/api/graphql/mutations/notes/create/note_spec.rb
+++ b/spec/requests/api/graphql/mutations/notes/create/note_spec.rb
@@ -31,6 +31,8 @@ RSpec.describe 'Adding a Note' do
       project.add_developer(current_user)
     end
 
+    it_behaves_like 'a working GraphQL mutation'
+
     it_behaves_like 'a Note mutation that creates a Note'
 
     it_behaves_like 'a Note mutation when there are active record validation errors'
diff --git a/spec/requests/api/issues/issues_spec.rb b/spec/requests/api/issues/issues_spec.rb
index 0fe68be027c..8f10de59526 100644
--- a/spec/requests/api/issues/issues_spec.rb
+++ b/spec/requests/api/issues/issues_spec.rb
@@ -943,6 +943,34 @@ RSpec.describe API::Issues do
     it_behaves_like 'issuable update endpoint' do
       let(:entity) { issue }
     end
+
+    describe 'updated_at param' do
+      let(:fixed_time) { Time.new(2001, 1, 1) }
+      let(:updated_at) { Time.new(2000, 1, 1) }
+
+      before do
+        travel_to fixed_time
+      end
+
+      it 'allows admins to set the timestamp' do
+        put api("/projects/#{project.id}/issues/#{issue.iid}", admin), params: { labels: 'label1', updated_at: updated_at }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(Time.parse(json_response['updated_at'])).to be_like_time(updated_at)
+        expect(ResourceLabelEvent.last.created_at).to be_like_time(updated_at)
+      end
+
+      it 'does not allow other users to set the timestamp' do
+        reporter = create(:user)
+        project.add_developer(reporter)
+
+        put api("/projects/#{project.id}/issues/#{issue.iid}", reporter), params: { labels: 'label1', updated_at: updated_at }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(Time.parse(json_response['updated_at'])).to be_like_time(fixed_time)
+        expect(ResourceLabelEvent.last.created_at).to be_like_time(fixed_time)
+      end
+    end
   end
 
   describe 'DELETE /projects/:id/issues/:issue_iid' do
diff --git a/spec/requests/api/issues/post_projects_issues_spec.rb b/spec/requests/api/issues/post_projects_issues_spec.rb
index 7f1db620d4f..9d3bd26a200 100644
--- a/spec/requests/api/issues/post_projects_issues_spec.rb
+++ b/spec/requests/api/issues/post_projects_issues_spec.rb
@@ -330,15 +330,21 @@ RSpec.describe API::Issues do
     end
 
     context 'setting created_at' do
+      let(:fixed_time) { Time.new(2001, 1, 1) }
       let(:creation_time) { 2.weeks.ago }
       let(:params) { { title: 'new issue', labels: 'label, label2', created_at: creation_time } }
 
+      before do
+        travel_to fixed_time
+      end
+
       context 'by an admin' do
         it 'sets the creation time on the new issue' do
           post api("/projects/#{project.id}/issues", admin), params: params
 
           expect(response).to have_gitlab_http_status(:created)
           expect(Time.parse(json_response['created_at'])).to be_like_time(creation_time)
+          expect(ResourceLabelEvent.last.created_at).to be_like_time(creation_time)
         end
       end
 
@@ -348,6 +354,7 @@ RSpec.describe API::Issues do
 
           expect(response).to have_gitlab_http_status(:created)
           expect(Time.parse(json_response['created_at'])).to be_like_time(creation_time)
+          expect(ResourceLabelEvent.last.created_at).to be_like_time(creation_time)
         end
       end
 
@@ -356,19 +363,24 @@ RSpec.describe API::Issues do
           group = create(:group)
           group_project = create(:project, :public, namespace: group)
           group.add_owner(user2)
+
           post api("/projects/#{group_project.id}/issues", user2), params: params
 
           expect(response).to have_gitlab_http_status(:created)
           expect(Time.parse(json_response['created_at'])).to be_like_time(creation_time)
+          expect(ResourceLabelEvent.last.created_at).to be_like_time(creation_time)
         end
       end
 
       context 'by another user' do
         it 'ignores the given creation time' do
+          project.add_developer(user2)
+
           post api("/projects/#{project.id}/issues", user2), params: params
 
           expect(response).to have_gitlab_http_status(:created)
-          expect(Time.parse(json_response['created_at'])).not_to be_like_time(creation_time)
+          expect(Time.parse(json_response['created_at'])).to be_like_time(fixed_time)
+          expect(ResourceLabelEvent.last.created_at).to be_like_time(fixed_time)
         end
       end
     end
diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb
index 8be26784a3d..5b5658da97e 100644
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -263,25 +263,21 @@ RSpec.describe JwtController do
       let(:credential_user) { group_deploy_token.username }
       let(:credential_password) { group_deploy_token.token }
 
-      it_behaves_like 'with valid credentials'
+      it_behaves_like 'returning response status', :forbidden
     end
 
     context 'with project deploy token' do
       let(:credential_user) { project_deploy_token.username }
       let(:credential_password) { project_deploy_token.token }
 
-      it_behaves_like 'with valid credentials'
+      it_behaves_like 'returning response status', :forbidden
     end
 
     context 'with invalid credentials' do
       let(:credential_user) { 'foo' }
       let(:credential_password) { 'bar' }
 
-      it 'returns unauthorized' do
-        subject
-
-        expect(response).to have_gitlab_http_status(:unauthorized)
-      end
+      it_behaves_like 'returning response status', :unauthorized
     end
   end
 
diff --git a/spec/services/auth/dependency_proxy_authentication_service_spec.rb b/spec/services/auth/dependency_proxy_authentication_service_spec.rb
index ba50149f53a..1fd1677c7da 100644
--- a/spec/services/auth/dependency_proxy_authentication_service_spec.rb
+++ b/spec/services/auth/dependency_proxy_authentication_service_spec.rb
@@ -13,28 +13,31 @@ RSpec.describe Auth::DependencyProxyAuthenticationService do
   describe '#execute' do
     subject { service.execute(authentication_abilities: nil) }
 
+    shared_examples 'returning' do |status:, message:|
+      it "returns #{message}", :aggregate_failures do
+        expect(subject[:http_status]).to eq(status)
+        expect(subject[:message]).to eq(message)
+      end
+    end
+
     context 'dependency proxy is not enabled' do
       before do
         stub_config(dependency_proxy: { enabled: false })
       end
 
-      it 'returns not found' do
-        result = subject
-
-        expect(result[:http_status]).to eq(404)
-        expect(result[:message]).to eq('dependency proxy not enabled')
-      end
+      it_behaves_like 'returning', status: 404, message: 'dependency proxy not enabled'
     end
 
     context 'without a user' do
       let(:user) { nil }
 
-      it 'returns forbidden' do
-        result = subject
+      it_behaves_like 'returning', status: 403, message: 'access forbidden'
+    end
+
+    context 'with a deploy token as user' do
+      let_it_be(:user) { create(:deploy_token) }
 
-        expect(result[:http_status]).to eq(403)
-        expect(result[:message]).to eq('access forbidden')
-      end
+      it_behaves_like 'returning', status: 403, message: 'access forbidden'
     end
 
     context 'with a user' do
diff --git a/spec/services/projects/download_service_spec.rb b/spec/services/projects/download_service_spec.rb
index 0f743eaa7f5..7d4fce814f5 100644
--- a/spec/services/projects/download_service_spec.rb
+++ b/spec/services/projects/download_service_spec.rb
@@ -20,8 +20,9 @@ RSpec.describe Projects::DownloadService do
 
     context 'for URLs that are on the whitelist' do
       before do
-        stub_request(:get, 'http://mycompany.fogbugz.com/rails_sample.jpg').to_return(body: File.read(Rails.root + 'spec/fixtures/rails_sample.jpg'))
-        stub_request(:get, 'http://mycompany.fogbugz.com/doc_sample.txt').to_return(body: File.read(Rails.root + 'spec/fixtures/doc_sample.txt'))
+        # `ssrf_filter` resolves the hostname. See https://github.com/carrierwaveuploader/carrierwave/commit/91714adda998bc9e8decf5b1f5d260d808761304
+        stub_request(:get, %r{http://[\d\.]+/rails_sample.jpg}).to_return(body: File.read(Rails.root + 'spec/fixtures/rails_sample.jpg'))
+        stub_request(:get, %r{http://[\d\.]+/doc_sample.txt}).to_return(body: File.read(Rails.root + 'spec/fixtures/doc_sample.txt'))
       end
 
       context 'an image file' do
diff --git a/spec/support/helpers/graphql_helpers.rb b/spec/support/helpers/graphql_helpers.rb
index ebf22987d50..5dc6945ec5e 100644
--- a/spec/support/helpers/graphql_helpers.rb
+++ b/spec/support/helpers/graphql_helpers.rb
@@ -396,17 +396,21 @@ module GraphqlHelpers
     post api('/', current_user, version: 'graphql'), params: { _json: queries }, headers: headers
   end
 
-  def post_graphql(query, current_user: nil, variables: nil, headers: {})
+  def post_graphql(query, current_user: nil, variables: nil, headers: {}, token: {})
     params = { query: query, variables: serialize_variables(variables) }
-    post api('/', current_user, version: 'graphql'), params: params, headers: headers
+    post api('/', current_user, version: 'graphql', **token), params: params, headers: headers
 
-    if graphql_errors # Errors are acceptable, but not this one:
-      expect(graphql_errors).not_to include(a_hash_including('message' => 'Internal server error'))
-    end
+    return unless graphql_errors
+
+    # Errors are acceptable, but not this one:
+    expect(graphql_errors).not_to include(a_hash_including('message' => 'Internal server error'))
   end
 
-  def post_graphql_mutation(mutation, current_user: nil)
-    post_graphql(mutation.query, current_user: current_user, variables: mutation.variables)
+  def post_graphql_mutation(mutation, current_user: nil, token: {})
+    post_graphql(mutation.query,
+                 current_user: current_user,
+                 variables: mutation.variables,
+                 token: token)
   end
 
   def post_graphql_mutation_with_uploads(mutation, current_user: nil)
diff --git a/spec/support/shared_examples/requests/graphql_shared_examples.rb b/spec/support/shared_examples/requests/graphql_shared_examples.rb
index a66bc7112fe..d133c5ea641 100644
--- a/spec/support/shared_examples/requests/graphql_shared_examples.rb
+++ b/spec/support/shared_examples/requests/graphql_shared_examples.rb
@@ -10,6 +10,52 @@ RSpec.shared_examples 'a working graphql query' do
   end
 end
 
+RSpec.shared_examples 'a working GraphQL mutation' do
+  include GraphqlHelpers
+
+  before do
+    post_graphql_mutation(mutation, current_user: current_user, token: token)
+  end
+
+  shared_examples 'allows access to the mutation' do
+    let(:scopes) { ['api'] }
+
+    it_behaves_like 'a working graphql query' do
+      it 'returns data' do
+        expect(graphql_data.compact).not_to be_empty
+      end
+    end
+  end
+
+  shared_examples 'prevents access to the mutation' do
+    let(:scopes) { ['read_api'] }
+
+    it 'does not resolve the mutation' do
+      expect(graphql_data.compact).to be_empty
+      expect(graphql_errors).to be_present
+    end
+  end
+
+  context 'with a personal access token' do
+    let(:token) do
+      pat = create(:personal_access_token, user: current_user, scopes: scopes)
+      { personal_access_token: pat }
+    end
+
+    it_behaves_like 'prevents access to the mutation'
+    it_behaves_like 'allows access to the mutation'
+  end
+
+  context 'with an OAuth token' do
+    let(:token) do
+      { oauth_access_token: create(:oauth_access_token, resource_owner: current_user, scopes: scopes.join(' ')) }
+    end
+
+    it_behaves_like 'prevents access to the mutation'
+    it_behaves_like 'allows access to the mutation'
+  end
+end
+
 RSpec.shared_examples 'a mutation on an unauthorized resource' do
   it_behaves_like 'a mutation that returns top-level errors',
                       errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
diff --git a/spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb b/spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb
index 39cc4a3fdf1..c501c418466 100644
--- a/spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb
+++ b/spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb
@@ -243,6 +243,20 @@ RSpec.describe 'layouts/nav/sidebar/_project' do
     end
   end
 
+  describe 'Merge Requests' do
+    it 'has a link to the merge request list path' do
+      render
+
+      expect(rendered).to have_link('Merge requests', href: project_merge_requests_path(project), class: 'shortcuts-merge_requests')
+    end
+
+    it 'shows pill with the number of merge requests' do
+      render
+
+      expect(rendered).to have_css('span.badge.badge-pill.merge_counter.js-merge-counter')
+    end
+  end
+
   describe 'packages tab' do
     before do
       stub_container_registry_config(enabled: true)