From 48c36378567b3dbadd780b03ecda571652cff400 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 28 Jun 2023 12:11:16 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee

---
 .../concerns/analytics/cycle_analytics/value_stream_actions.rb | 7 +++++++
 app/helpers/users_helper.rb | 2 +-
 app/policies/project_policy.rb | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

(limited to 'app')

diff --git a/app/controllers/concerns/analytics/cycle_analytics/value_stream_actions.rb b/app/controllers/concerns/analytics/cycle_analytics/value_stream_actions.rb
index f10b23d1664..cf0430307a3 100644
--- a/app/controllers/concerns/analytics/cycle_analytics/value_stream_actions.rb
+++ b/app/controllers/concerns/analytics/cycle_analytics/value_stream_actions.rb
@@ -7,6 +7,9 @@ module Analytics
 included do
 before_action :authorize
+ # Defining the before action here, because in the EE module we cannot define a before_action.
+ # Reason: this is a module which is being included into a controller. This module is extended in EE.
+ before_action :authorize_modification, only: %i[create destroy update] # rubocop:disable Rails/LexicallyScopedActionFilter
 end
 def index
@@ -25,6 +28,10 @@ module Analytics
 def authorize
 authorize_read_cycle_analytics!
 end
+
+ def authorize_modification
+ # no-op, overridden in EE
+ end
 end
 end
 end
diff --git a/app/helpers/users_helper.rb b/app/helpers/users_helper.rb
index c8002c437a9..acc7d8a5a10 100644
--- a/app/helpers/users_helper.rb
+++ b/app/helpers/users_helper.rb
@@ -136,7 +136,7 @@ module UsersHelper
 def confirm_user_data(user)
 message = if user.unconfirmed_email.present?
- _('This user has an unconfirmed email address (%{email}). You may force a confirmation.') % { email: user.unconfirmed_email }
+ safe_format(_('This user has an unconfirmed email address (%{email}). You may force a confirmation.'), email: user.unconfirmed_email)
 else
 _('This user has an unconfirmed email address. You may force a confirmation.')
 end
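Review bot: The CE `authorize_modification` added in the second hunk of this file is a silent no-op, so the `before_action :authorize_modification, only: %i[create destroy update]` added in the first hunk enforces nothing unless an EE override is loaded; a fail-closed default would ensure a future CE `create`/`update`/`destroy` action cannot be reached without an explicit authorization decision. If CE itself defines none of those actions (the `rubocop:disable Rails/LexicallyScopedActionFilter` suggests they live elsewhere), the default could deny instead, e.g. `def authorize_modification = access_denied!`, provided that helper is reachable from the including controller and the EE override does not call `super`. At minimum the body comment should say why a no-op is acceptable here: `# No-op in CE: the create/update/destroy actions this filter guards are not defined in this module; EE overrides this method to authorize them.` Both hunks sit inside `included do` / the module body that starts before the first hunk.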
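Review bot: After this change the two branches of `message` yield different kinds of value: the `safe_format` branch returns an HTML-safe buffer with `user.unconfirmed_email` escaped, while the `else` branch returns a plain translated String, so whatever consumes `message` further down (the rest of `confirm_user_data` is outside the hunk) must treat an escaped and an unescaped value alike. Wrapping the static branch too, `safe_format(_('This user has an unconfirmed email address. You may force a confirmation.'))`, keeps both branches HTML-safe and makes the escaping contract uniform for every caller. A short comment above the `if` would also stop the original pattern from being reintroduced: `# safe_format HTML-escapes the interpolated address; never build this message with % interpolation`.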
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index c70dc288710..cdb7c3eca46 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -670,7 +670,7 @@ class ProjectPolicy < BasePolicy
 enable :read_project_for_iids
 end
- rule { ~public_project & ~internal_access & ~project_allowed_for_job_token }.prevent_all
+ rule { ~project_allowed_for_job_token }.prevent_all
 rule { can?(:public_access) }.policy do
 enable :read_package
-- 
cgit v1.2.3
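Review bot: The rewritten rule now applies `prevent_all` to every project rather than only private ones whenever `~project_allowed_for_job_token` holds, so access for every non-job-token request depends on `project_allowed_for_job_token` evaluating true when no CI job token is in play; that condition is defined outside the hunk and its default should be checked alongside this change. Since the condition is no longer self-describing, a comment above it would record the intent: `# A CI job token may only act on projects in its allowlist, regardless of the target project's visibility;` followed by `# public and internal projects are deliberately no longer exempt.` A spec that presents a job token from a non-allowlisted project to a public project would pin the new behaviour. The enclosing `rule { can?(:public_access) }.policy do` block continues past the end of the hunk.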