Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce into button-focus-state

.rubocop.yml

@@ -194,7 +194,7 @@ Style/EmptyLines:
 
 # Keep blank lines around access modifiers.
 Style/EmptyLinesAroundAccessModifier:
-  Enabled: false
+  Enabled: true
 
 # Keeps track of empty lines around block bodies.
 Style/EmptyLinesAroundBlockBody:
@@ -247,7 +247,7 @@ Style/FlipFlop:
 
 # Checks use of for or each in multiline loops.
 Style/For:
-  Enabled: false
+  Enabled: true
 
 # Enforce the use of Kernel#sprintf, Kernel#format or String#%.
 Style/FormatString:
@@ -514,7 +514,7 @@ Style/SelfAssignment:
 
 # Don't use semicolons to terminate expressions.
 Style/Semicolon:
-  Enabled: false
+  Enabled: true
 
 # Checks for proper usage of fail and raise.
 Style/SignalException:
@@ -771,7 +771,7 @@ Metrics/PerceivedComplexity:
 # Checks for ambiguous operators in the first argument of a method invocation
 # without parentheses.
 Lint/AmbiguousOperator:
-  Enabled: false
+  Enabled: true
 
 # Checks for ambiguous regexp literals in the first argument of a method
 # invocation without parentheses.

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.9.0 (unreleased)
+  - Bulk assign/unassign labels to issues.
   - Allow enabling wiki page events from Webhook management UI
   - Make EmailsOnPushWorker use Sidekiq mailers queue
   - Fix wiki page events' webhook to point to the wiki repository
   - Fix issue todo not remove when leave project !4150 (Long Nguyen)
   - Allow forking projects with restricted visibility level
   - Improve note validation to prevent errors when creating invalid note via API
+  - Reduce number of fog gem dependencies
   - Remove project notification settings associated with deleted projects
   - Fix 404 page when viewing TODOs that contain milestones or labels in different projects
   - Redesign navigation for project pages
   - Fix groups API to list only user's accessible projects
   - Redesign account and email confirmation emails
   - Use gitlab-shell v3.0.0
+  - Add `sha` parameter to MR merge API, to ensure only reviewed changes are merged
+  - Don't allow MRs to be merged when commits were added since the last review / page load
   - Add DB index on users.state
   - Add rake task 'gitlab:db:configure' for conditionally seeding or migrating the database
   - Changed the Slack build message to use the singular duration if necessary (Aran Koning)
   - Fix issues filter when ordering by milestone
   - Todos will display target state if issuable target is 'Closed' or 'Merged'
   - Fix bug when sorting issues by milestone due date and filtering by two or more labels
+  - Add support for using Yubikeys (U2F) for two-factor authentication
+  - Link to blank group icon doesn't throw a 404 anymore
   - Remove 'main language' feature
   - Pipelines can be canceled only when there are running builds
+  - Use downcased path to container repository as this is expected path by Docker
   - Projects pending deletion will render a 404 page
   - Measure queue duration between gitlab-workhorse and Rails
   - Make authentication service for Container Registry to be compatible with < Docker 1.11
   - Add Application Setting to configure Container Registry token expire delay (default 5min)
+  - Cache assigned issue and merge request counts in sidebar nav
+  - Cache project build count in sidebar nav
+  - Reduce number of queries needed to render issue labels in the sidebar
+  - Improve error handling importing projects
+  - Put project Files and Commits tabs under Code tab
+  - Replace Colorize with Rainbow for coloring console output in Rake tasks.
+
+v 8.8.4 (unreleased)
+  - Ensure branch cleanup regardless of whether the GitHub import process succeeds
+  - Fix issue with arrow keys not working in search autocomplete dropdown
+  - Fix todos page throwing errors when you have a project pending deletion
+  - Reduce number of SQL queries when rendering user references
+  - Upgrade to jQuery 2
 
 v 8.8.3
-  - Fix incorrect links on pipeline page when merge request created from fork
-  - Fix gitlab importer failing to import new projects due to missing credentials
-  - Fix import URL migration not rescuing with the correct Error
-  - In search results, only show notes on confidential issues that the user has access to
-  - Fix health check access token changing due to old application settings being used
+  - Fix 404 page when viewing TODOs that contain milestones or labels in different projects. !4312
+  - Fixed JS error when trying to remove discussion form. !4303
+  - Fixed issue with button color when no CI enabled. !4287
+  - Fixed potential issue with 2 CI status polling events happening. !3869
+  - Improve design of Pipeline view. !4230
+  - Fix gitlab importer failing to import new projects due to missing credentials. !4301
+  - Fix import URL migration not rescuing with the correct Error. !4321
+  - Fix health check access token changing due to old application settings being used. !4332
+  - Make authentication service for Container Registry to be compatible with Docker versions before 1.11. !4363
+  - Add Application Setting to configure Container Registry token expire delay (default 5 min). !4364
+  - Pass the "Remember me" value to the 2FA token form. !4369
+  - Fix incorrect links on pipeline page when merge request created from fork.  !4376
+  - Use downcased path to container repository as this is expected path by Docker. !4420
+  - Fix wiki project clone address error (chujinjin). !4429
+  - Fix serious performance bug with rendering Markdown with InlineDiffFilter.  !4392
+  - Fix missing number on generated ordered list element. !4437
+  - Prevent disclosure of notes on confidential issues in search results.
 
 v 8.8.2
   - Added remove due date button. !4209

CONTRIBUTING.md

@@ -96,7 +96,7 @@ The designs are made using Antetype (`.atype` files). You can use the
 [free Antetype viewer (Mac OSX only)] or grab an exported PNG from the design
 (the PNG is 1:1).
 
-The current designs can be found in the [`gitlab1.atype` file].
+The current designs can be found in the [`gitlab8.atype` file].
 
 ### UI development kit
 
@@ -308,16 +308,14 @@ tests are least likely to receive timely feedback. The workflow to make a merge
 request is as follows:
 
 1. Fork the project into your personal space on GitLab.com
-1. Create a feature branch
+1. Create a feature branch, branch away from `master`.
 1. Write [tests](https://gitlab.com/gitlab-org/gitlab-development-kit#running-the-tests) and code
 1. Add your changes to the [CHANGELOG](CHANGELOG)
-1. If you are changing the README, some documentation or other things which
-   have no effect on the tests, add `[ci skip]` somewhere in the commit message
-   and make sure to read the [documentation styleguide][doc-styleguide]
+1. If you are writing documentation, make sure to read the [documentation styleguide][doc-styleguide]
 1. If you have multiple commits please combine them into one commit by
    [squashing them][git-squash]
 1. Push the commit(s) to your fork
-1. Submit a merge request (MR) to the master branch
+1. Submit a merge request (MR) to the `master` branch
 1. The MR title should describe the change you want to make
 1. The MR description should give a motive for your change and the method you
    used to achieve it, see the [merge request description format]
@@ -532,4 +530,4 @@ available at [http://contributor-covenant.org/version/1/1/0/](http://contributor
 [scss-styleguide]: doc/development/scss_styleguide.md "SCSS styleguide"
 [gitlab-design]: https://gitlab.com/gitlab-org/gitlab-design
 [free Antetype viewer (Mac OSX only)]: https://itunes.apple.com/us/app/antetype-viewer/id824152298?mt=12
-[`gitlab1.atype` file]: https://gitlab.com/gitlab-org/gitlab-design/tree/master/gitlab1.atype/
+[`gitlab8.atype` file]: https://gitlab.com/gitlab-org/gitlab-design/tree/master/current/

Gemfile

@@ -18,9 +18,8 @@ gem "mysql2", '~> 0.3.16', group: :mysql
 gem "pg", '~> 0.18.2', group: :postgres
 
 # Authentication libraries
-gem 'devise',                 '~> 3.5.4'
+gem 'devise',                 '~> 4.0'
 gem 'doorkeeper',             '~> 3.1'
-gem 'devise-async',           '~> 0.9.0'
 gem 'omniauth',               '~> 1.3.1'
 gem 'omniauth-auth0',         '~> 1.4.1'
 gem 'omniauth-azure-oauth2',  '~> 0.0.6'
@@ -43,12 +42,13 @@ gem 'recaptcha', require: 'recaptcha/rails'
 gem 'akismet', '~> 2.0'
 
 # Two-factor authentication
-gem 'devise-two-factor', '~> 2.0.0'
+gem 'devise-two-factor', '~> 3.0.0'
 gem 'rqrcode-rails3', '~> 0.1.7'
-gem 'attr_encrypted', '~> 1.3.4'
+gem 'attr_encrypted', '~> 3.0.0'
+gem 'u2f', '~> 0.2.1'
 
 # Browser detection
-gem "browser", '~> 1.0.0'
+gem "browser", '~> 2.0.3'
 
 # Extracting information from a git repository
 # Provide access to Gitlab::Git library
@@ -84,8 +84,14 @@ gem "carrierwave", '~> 0.10.0'
 # Drag and Drop UI
 gem 'dropzonejs-rails', '~> 0.7.1'
 
+# for backups
+gem 'fog-aws', '~> 0.9'
+gem 'fog-core', '~> 1.40'
+gem 'fog-local', '~> 0.3'
+gem 'fog-google', '~> 0.3'
+gem 'fog-openstack', '~> 0.1'
+
 # for aws storage
-gem "fog", "~> 1.36.0"
 gem "unf", '~> 0.1.4'
 
 # Authorization
@@ -138,7 +144,7 @@ gem 'redis-namespace'
 gem "httparty", '~> 0.13.3'
 
 # Colored output to console
-gem "colorize", '~> 0.7.0'
+gem "rainbow", '~> 2.1.0'
 
 # GitLab settings
 gem 'settingslogic', '~> 2.0.9'

Gemfile.lock

 GEM
   remote: https://rubygems.org/
   specs:
-    CFPropertyList (2.3.2)
     RedCloth (4.2.9)
     ace-rails-ap (4.0.2)
     actionmailer (4.2.6)
@@ -60,8 +59,8 @@ GEM
       oauth2 (~> 1.0)
     asciidoctor (1.5.3)
     ast (2.2.0)
-    attr_encrypted (1.3.4)
-      encryptor (>= 1.3.0)
+    attr_encrypted (3.0.1)
+      encryptor (~> 3.0.0)
     attr_required (1.0.0)
     autoprefixer-rails (6.2.3)
       execjs
@@ -73,7 +72,7 @@ GEM
       thread_safe (~> 0.3, >= 0.3.1)
     babosa (1.0.2)
     base32 (0.3.2)
-    bcrypt (3.1.10)
+    bcrypt (3.1.11)
     benchmark-ips (2.3.0)
     better_errors (1.0.1)
       coderay (>= 1.0.0)
@@ -93,7 +92,7 @@ GEM
       sass (~> 3.0)
       slim (>= 1.3.6, < 4.0)
       terminal-table (~> 1.4)
-    browser (1.0.1)
+    browser (2.0.3)
     builder (3.2.2)
     bullet (5.0.0)
       activesupport (>= 3.0.0)
@@ -155,21 +154,18 @@ GEM
       activerecord (>= 3.2.0, < 5.0)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    devise (3.5.4)
+    devise (4.1.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 3.2.6, < 5)
+      railties (>= 4.1.0, < 5.1)
       responders
-      thread_safe (~> 0.1)
       warden (~> 1.2.3)
-    devise-async (0.9.0)
-      devise (~> 3.2)
-    devise-two-factor (2.0.1)
+    devise-two-factor (3.0.0)
       activesupport
-      attr_encrypted (~> 1.3.2)
-      devise (~> 3.5.0)
+      attr_encrypted (>= 1.3, < 4, != 2)
+      devise (~> 4.0)
       railties
-      rotp (~> 2)
+      rotp (~> 2.0)
     diff-lcs (1.2.5)
     diffy (3.0.7)
     docile (1.1.5)
@@ -181,12 +177,12 @@ GEM
     email_spec (1.6.0)
       launchy (~> 2.1)
       mail (~> 2.2)
-    encryptor (1.3.0)
+    encryptor (3.0.0)
     equalizer (0.0.11)
     erubis (2.7.0)
     escape_utils (1.1.1)
     eventmachine (1.0.8)
-    excon (0.45.4)
+    excon (0.49.0)
     execjs (2.6.0)
     expression_parser (0.9.0)
     factory_girl (4.5.0)
@@ -203,8 +199,6 @@ GEM
       multi_json
     ffaker (2.0.0)
     ffi (1.9.10)
-    fission (0.5.0)
-      CFPropertyList (~> 2.2)
     flay (2.6.1)
       ruby_parser (~> 3.0)
       sexp_processor (~> 4.0)
@@ -214,109 +208,28 @@ GEM
     flowdock (0.7.1)
       httparty (~> 0.7)
       multi_json
-    fog (1.36.0)
-      fog-aliyun (>= 0.1.0)
-      fog-atmos
-      fog-aws (>= 0.6.0)
-      fog-brightbox (~> 0.4)
-      fog-core (~> 1.32)
-      fog-dynect (~> 0.0.2)
-      fog-ecloud (~> 0.1)
-      fog-google (<= 0.1.0)
-      fog-json
-      fog-local
-      fog-powerdns (>= 0.1.1)
-      fog-profitbricks
-      fog-radosgw (>= 0.0.2)
-      fog-riakcs
-      fog-sakuracloud (>= 0.0.4)
-      fog-serverlove
-      fog-softlayer
-      fog-storm_on_demand
-      fog-terremark
-      fog-vmfusion
-      fog-voxel
-      fog-xenserver
-      fog-xml (~> 0.1.1)
-      ipaddress (~> 0.5)
-      nokogiri (~> 1.5, >= 1.5.11)
-    fog-aliyun (0.1.0)
-      fog-core (~> 1.27)
-      fog-json (~> 1.0)
-      ipaddress (~> 0.8)
-      xml-simple (~> 1.1)
-    fog-atmos (0.1.0)
-      fog-core
-      fog-xml
-    fog-aws (0.8.1)
+    fog-aws (0.9.2)
       fog-core (~> 1.27)
       fog-json (~> 1.0)
       fog-xml (~> 0.1)
       ipaddress (~> 0.8)
-    fog-brightbox (0.10.1)
-      fog-core (~> 1.22)
-      fog-json
-      inflecto (~> 0.0.2)
-    fog-core (1.35.0)
+    fog-core (1.40.0)
       builder
-      excon (~> 0.45)
+      excon (~> 0.49)
       formatador (~> 0.2)
-    fog-dynect (0.0.2)
-      fog-core
-      fog-json
-      fog-xml
-    fog-ecloud (0.3.0)
-      fog-core
-      fog-xml
-    fog-google (0.1.0)
+    fog-google (0.3.2)
       fog-core
       fog-json
       fog-xml
     fog-json (1.0.2)
       fog-core (~> 1.0)
       multi_json (~> 1.10)
-    fog-local (0.2.1)
-      fog-core (~> 1.27)
-    fog-powerdns (0.1.1)
+    fog-local (0.3.0)
       fog-core (~> 1.27)
-      fog-json (~> 1.0)
-      fog-xml (~> 0.1)
-    fog-profitbricks (0.0.5)
-      fog-core
-      fog-xml
-      nokogiri
-    fog-radosgw (0.0.5)
-      fog-core (>= 1.21.0)
-      fog-json
-      fog-xml (>= 0.0.1)
-    fog-riakcs (0.1.0)
-      fog-core
-      fog-json
-      fog-xml
-    fog-sakuracloud (1.7.5)
-      fog-core
-      fog-json
-    fog-serverlove (0.1.2)
-      fog-core
-      fog-json
-    fog-softlayer (1.0.3)
-      fog-core
-      fog-json
-    fog-storm_on_demand (0.1.1)
-      fog-core
-      fog-json
-    fog-terremark (0.1.0)
-      fog-core
-      fog-xml
-    fog-vmfusion (0.1.0)
-      fission
-      fog-core
-    fog-voxel (0.1.0)
-      fog-core
-      fog-xml
-    fog-xenserver (0.2.2)
-      fog-core
-      fog-xml
+    fog-openstack (0.1.6)
+      fog-core (>= 1.39)
+      fog-json (>= 1.0)
+      ipaddress (>= 0.8)
     fog-xml (0.1.2)
       fog-core
       nokogiri (~> 1.5, >= 1.5.11)
@@ -425,11 +338,10 @@ GEM
     httpclient (2.7.0.1)
     i18n (0.7.0)
     ice_nine (0.11.1)
-    inflecto (0.0.2)
     influxdb (0.2.3)
       cause
       json
-    ipaddress (0.8.2)
+    ipaddress (0.8.3)
     jquery-atwho-rails (1.3.2)
     jquery-rails (4.1.1)
       rails-dom-testing (>= 1, < 3)
@@ -656,7 +568,7 @@ GEM
     responders (2.1.1)
       railties (>= 4.2.0, < 5.1)
     rinku (1.7.3)
-    rotp (2.1.1)
+    rotp (2.1.2)
     rouge (1.10.1)
     rqrcode (0.7.0)
       chunky_png
@@ -835,6 +747,7 @@ GEM
       simple_oauth (~> 0.1.4)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
+    u2f (0.2.1)
     uglifier (2.7.2)
       execjs (>= 0.3.0)
       json (>= 1.8.0)
@@ -859,7 +772,7 @@ GEM
       coercible (~> 1.0)
       descendants_tracker (~> 0.0, >= 0.0.3)
       equalizer (~> 0.0, >= 0.0.9)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     web-console (2.3.0)
       activemodel (>= 4.0)
@@ -876,7 +789,6 @@ GEM
       builder
       expression_parser
       rinku
-    xml-simple (1.1.5)
     xpath (2.0.0)
       nokogiri (~> 1.3)
 
@@ -894,7 +806,7 @@ DEPENDENCIES
   allocations (~> 1.0)
   asana (~> 0.4.0)
   asciidoctor (~> 1.5.2)
-  attr_encrypted (~> 1.3.4)
+  attr_encrypted (~> 3.0.0)
   awesome_print (~> 1.2.0)
   babosa (~> 1.0.2)
   base32 (~> 0.3.0)
@@ -903,7 +815,7 @@ DEPENDENCIES
   binding_of_caller (~> 0.7.2)
   bootstrap-sass (~> 3.3.0)
   brakeman (~> 3.2.0)
-  browser (~> 1.0.0)
+  browser (~> 2.0.3)
   bullet
   bundler-audit
   byebug
@@ -912,16 +824,14 @@ DEPENDENCIES
   carrierwave (~> 0.10.0)
   charlock_holmes (~> 0.7.3)
   coffee-rails (~> 4.1.0)
-  colorize (~> 0.7.0)
   connection_pool (~> 2.0)
   coveralls (~> 0.8.2)
   creole (~> 0.5.0)
   d3_rails (~> 3.5.0)
   database_cleaner (~> 1.4.0)
   default_value_for (~> 3.0.0)
-  devise (~> 3.5.4)
-  devise-async (~> 0.9.0)
-  devise-two-factor (~> 2.0.0)
+  devise (~> 4.0)
+  devise-two-factor (~> 3.0.0)
   diffy (~> 3.0.3)
   doorkeeper (~> 3.1)
   dropzonejs-rails (~> 0.7.1)
@@ -931,7 +841,11 @@ DEPENDENCIES
   ffaker (~> 2.0.0)
   flay
   flog
-  fog (~> 1.36.0)
+  fog-aws (~> 0.9)
+  fog-core (~> 1.40)
+  fog-google (~> 0.3)
+  fog-local (~> 0.3)
+  fog-openstack (~> 0.1)
   font-awesome-rails (~> 4.2)
   foreman
   fuubar (~> 2.0.0)
@@ -1000,6 +914,7 @@ DEPENDENCIES
   rack-oauth2 (~> 1.2.1)
   rails (= 4.2.6)
   rails-deprecated_sanitizer (~> 1.0.3)
+  rainbow (~> 2.1.0)
   raphael-rails (~> 2.1.2)
   rblineprof
   rdoc (~> 3.6)
@@ -1049,6 +964,7 @@ DEPENDENCIES
   thin (~> 1.6.1)
   tinder (~> 1.10.0)
   turbolinks (~> 2.5.0)
+  u2f (~> 0.2.1)
   uglifier (~> 2.7.2)
   underscore-rails (~> 1.8.0)
   unf (~> 0.1.4)
@@ -1061,4 +977,4 @@ DEPENDENCIES
   wikicloth (= 0.8.1)
 
 BUNDLED WITH
-   1.12.4
+   1.12.5

README.md

 # GitLab
 
 [![build status](https://gitlab.com/gitlab-org/gitlab-ce/badges/master/build.svg)](https://gitlab.com/gitlab-org/gitlab-ce/commits/master)
-[![Build Status](https://semaphoreci.com/api/v1/projects/2f1a5809-418b-4cc2-a1f4-819607579fe7/400484/shields_badge.svg)](https://semaphoreci.com/gitlabhq/gitlabhq)
 [![Code Climate](https://codeclimate.com/github/gitlabhq/gitlabhq.svg)](https://codeclimate.com/github/gitlabhq/gitlabhq)
-[![Coverage Status](https://coveralls.io/repos/gitlabhq/gitlabhq/badge.svg?branch=master)](https://coveralls.io/r/gitlabhq/gitlabhq?branch=master)
 
 ## Canonical source
 

app/assets/javascripts/application.js.coffee

@@ -4,7 +4,7 @@
 # It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
 # the compiled file.
 #
-#= require jquery
+#= require jquery2
 #= require jquery-ui/autocomplete
 #= require jquery-ui/datepicker
 #= require jquery-ui/draggable
@@ -18,7 +18,6 @@
 #= require jquery.atwho
 #= require jquery.scrollTo
 #= require jquery.turbolinks
-#= require d3
 #= require turbolinks
 #= require autosave
 #= require bootstrap/affix
@@ -51,9 +50,17 @@
 #= require shortcuts_network
 #= require jquery.nicescroll
 #= require date.format
-#= require_tree .
+#= require_directory ./behaviors
+#= require_directory ./blob
+#= require_directory ./ci
+#= require_directory ./commit
+#= require_directory ./extensions
+#= require_directory ./lib
+#= require_directory ./u2f
+#= require_directory .
 #= require fuzzaldrin-plus
 #= require cropper
+#= require u2f
 
 window.slugify = (text) ->
   text.replace(/[^-a-zA-Z0-9]+/g, '_').toLowerCase()

app/assets/javascripts/dispatcher.js.coffee

@@ -17,11 +17,13 @@ class Dispatcher
     switch page
       when 'projects:issues:index'
         Issuable.init()
+        new IssuableBulkActions()
         shortcut_handler = new ShortcutsNavigation()
       when 'projects:issues:show'
         new Issue()
         shortcut_handler = new ShortcutsIssuable()
         new ZenMode()
+        window.awardsHandler = new AwardsHandler()
       when 'projects:milestones:show', 'groups:milestones:show', 'dashboard:milestones:show'
         new Milestone()
       when 'dashboard:todos:index'
@@ -52,6 +54,7 @@ class Dispatcher
         new Diff()
         shortcut_handler = new ShortcutsIssuable(true)
         new ZenMode()
+        window.awardsHandler = new AwardsHandler()
       when "projects:merge_requests:diffs"
         new Diff()
         new ZenMode()

app/assets/javascripts/due_date_select.js.coffee

@@ -21,7 +21,7 @@ class @DueDateSelect
       $dropdown.glDropdown(
         hidden: ->
           $selectbox.hide()
-          $value.removeAttr('style')
+          $value.css('display', '')
       )
 
       addDueDate = (isDropdown) ->
@@ -42,12 +42,13 @@ class @DueDateSelect
           type: 'PUT'
           url: issueUpdateURL
           data: data
+          dataType: 'json'
           beforeSend: ->
             $loading.fadeIn()
             if isDropdown
               $dropdown.trigger('loading.gl.dropdown')
               $selectbox.hide()
-            $value.removeAttr('style')
+            $value.css('display', '')
 
             $valueContent.html(mediumDate)
             $sidebarValue.html(mediumDate)

app/assets/javascripts/flash.js.coffee

 class @Flash
-  constructor: (message, type)->
+  constructor: (message, type = 'alert')->
     @flash = $(".flash-container")
     @flash.html("")
 

app/assets/javascripts/gl_dropdown.js.coffee

@@ -11,6 +11,8 @@ class GitLabDropdownFilter
     $inputContainer = @input.parent()
     $clearButton = $inputContainer.find('.js-dropdown-input-clear')
 
+    @indeterminateIds = []
+
     # Clear click
     $clearButton.on 'click', (e) =>
       e.preventDefault()
@@ -35,20 +37,20 @@ class GitLabDropdownFilter
       if keyCode is 13
         return false
 
-      clearTimeout timeout
-      timeout = setTimeout =>
-        blur_field = @shouldBlur keyCode
-        search_text = @input.val()
+      # Only filter asynchronously only if option remote is set
+      if @options.remote
+        clearTimeout timeout
+        timeout = setTimeout =>
+          blur_field = @shouldBlur keyCode
 
-        if blur_field and @filterInputBlur
-          @input.blur()
+          if blur_field and @filterInputBlur
+            @input.blur()
 
-        if @options.remote
-          @options.query search_text, (data) =>
+          @options.query @input.val(), (data) =>
             @options.callback(data)
-        else
-          @filter search_text
-      , 250
+        , 250
+      else
+        @filter @input.val()
 
   shouldBlur: (keyCode) ->
     return BLUR_KEYCODES.indexOf(keyCode) >= 0
@@ -142,6 +144,7 @@ class GitLabDropdown
   LOADING_CLASS = "is-loading"
   PAGE_TWO_CLASS = "is-page-two"
   ACTIVE_CLASS = "is-active"
+  INDETERMINATE_CLASS = "is-indeterminate"
   currentIndex = -1
 
   FILTER_INPUT = '.dropdown-input .dropdown-input-field'
@@ -182,9 +185,6 @@ class GitLabDropdown
             @fullData = data
 
             @parseData @fullData
-
-            if @options.filterable
-              @filterInput.trigger 'keyup'
         }
 
     # Init filterable
@@ -298,6 +298,13 @@ class GitLabDropdown
   opened: =>
     @addArrowKeyEvent()
 
+    if @options.setIndeterminateIds
+      @options.setIndeterminateIds.call(@)
+
+    # Makes indeterminate items effective
+    if @fullData and @dropdown.find('.dropdown-menu-toggle').hasClass('js-filter-bulk-update')
+      @parseData @fullData
+
     contentHtml = $('.dropdown-content', @dropdown).html()
     if @remote && contentHtml is ""
       @remote.execute()
@@ -309,12 +316,18 @@ class GitLabDropdown
 
   hidden: (e) =>
     @removeArrayKeyEvent()
+
+    $input = @dropdown.find(".dropdown-input-field")
+
     if @options.filterable
-      @dropdown
-        .find(".dropdown-input-field")
+      $input
         .blur()
         .val("")
-        .trigger("keyup")
+
+    # Triggering 'keyup' will re-render the dropdown which is not always required
+    # specially if we want to keep the state of the dropdown needed for bulk-assignment
+    if not @options.persistWhenHide
+      $input.trigger("keyup")
 
     if @dropdown.find(".dropdown-toggle-page").length
       $('.dropdown-menu', @dropdown).removeClass PAGE_TWO_CLASS
@@ -358,7 +371,7 @@ class GitLabDropdown
 
     if @options.renderRow
       # Call the render function
-      html = @options.renderRow(data)
+      html = @options.renderRow.call(@options, data, @)
     else
       if not selected
         value = if @options.id then @options.id(data) else data.id
@@ -443,6 +456,17 @@ class GitLabDropdown
         $(@el).find(".dropdown-toggle-text").text @options.toggleLabel
       else
         selectedObject
+    else if el.hasClass(INDETERMINATE_CLASS)
+      el.addClass ACTIVE_CLASS
+      el.removeClass INDETERMINATE_CLASS
+
+      if not value?
+        field.remove()
+
+      if not field.length and fieldName
+        @addInput(fieldName, value)
+
+      return selectedObject
     else
       if not @options.multiSelect or el.hasClass('dropdown-clear-active')
         @dropdown.find(".#{ACTIVE_CLASS}").removeClass ACTIVE_CLASS
@@ -459,31 +483,42 @@ class GitLabDropdown
         $(@el).find(".dropdown-toggle-text").text @options.toggleLabel(selectedObject, el)
       if value?
         if !field.length and fieldName
-          # Create hidden input for form
-          input = "<input type='hidden' name='#{fieldName}' value='#{value}' />"
-          if @options.inputId?
-            input = $(input)
-                      .attr('id', @options.inputId)
-          @dropdown.before input
+          @addInput(fieldName, value)
         else
           field.val value
 
       return selectedObject
 
-  selectRowAtIndex: (index) ->
-    selector = ".dropdown-content li:not(.divider):eq(#{index}) a"
+  addInput: (fieldName, value)->
+    # Create hidden input for form
+    $input = $('<input>').attr('type', 'hidden')
+                         .attr('name', fieldName)
+                        .val(value)
+
+    if @options.inputId?
+      $input.attr('id', @options.inputId)
+
+    @dropdown.before $input
+
+  selectRowAtIndex: (e, index) ->
+    selector = ".dropdown-content li:not(.divider,.dropdown-header,.separator):eq(#{index}) a"
 
     if @dropdown.find(".dropdown-toggle-page").length
       selector = ".dropdown-page-one #{selector}"
 
     # simulate a click on the first link
-    $(selector, @dropdown).trigger "click"
+    $el = $(selector, @dropdown)
+
+    if $el.length
+      e.preventDefault()
+      e.stopImmediatePropagation()
+      $(selector, @dropdown)[0].click()
 
   addArrowKeyEvent: ->
     ARROW_KEY_CODES = [38, 40]
     $input = @dropdown.find(".dropdown-input-field")
 
-    selector = '.dropdown-content li:not(.divider)'
+    selector = '.dropdown-content li:not(.divider,.dropdown-header,.separator)'
     if @dropdown.find(".dropdown-toggle-page").length
       selector = ".dropdown-page-one #{selector}"
 
@@ -511,8 +546,8 @@ class GitLabDropdown
 
         return false
 
-      if currentKeyCode is 13
-        @selectRowAtIndex if currentIndex < 0 then 0 else currentIndex
+      if currentKeyCode is 13 and currentIndex isnt -1
+        @selectRowAtIndex e, currentIndex
 
   removeArrayKeyEvent: ->
     $('body').off 'keydown'

app/assets/javascripts/graphs/application.js.coffee

+# This is a manifest file that'll be compiled into including all the files listed below.
+# Add new JavaScript/Coffee code in separate files in this directory and they'll automatically
+# be included in the compiled file accessible from http://example.com/assets/application.js
+# It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+# the compiled file.
+#
+#= require_tree .

app/assets/javascripts/stat_graph_contributors.js.coffee → app/assets/javascripts/graphs/stat_graph_contributors.js.coffee

 #= require d3
-#= require stat_graph_contributors_util
 
 class @ContributorsStatGraph
   init: (log) ->

app/assets/javascripts/stat_graph_contributors_graph.js.coffee → app/assets/javascripts/graphs/stat_graph_contributors_graph.js.coffee

 #= require d3
-#= require jquery
-#= require underscore
 
 class @ContributorsGraph
   MARGIN:

app/assets/javascripts/issues-bulk-assignment.js.coffee

+class @IssuableBulkActions
+  constructor: (opts = {}) ->
+    # Set defaults
+    {
+      @container = $('.content')
+      @form = @getElement('.bulk-update')
+      @issues = @getElement('.issues-list .issue')
+    } = opts
+
+    @bindEvents()
+
+  getElement: (selector) ->
+    @container.find selector
+
+  bindEvents: ->
+    @form.off('submit').on('submit', @onFormSubmit.bind(@))
+
+  onFormSubmit: (e) ->
+    e.preventDefault()
+    @submit()
+
+  submit: ->
+    _this = @
+
+    xhr = $.ajax
+            url: @form.attr 'action'
+            method: @form.attr 'method'
+            dataType: 'JSON',
+            data: @getFormDataAsObject()
+
+    xhr.done (response, status, xhr) ->
+      location.reload()
+
+    xhr.fail ->
+      new Flash("Issue update failed")
+
+    xhr.always @onFormSubmitAlways.bind(@)
+
+  onFormSubmitAlways: ->
+    @form.find('[type="submit"]').enable()
+
+  getSelectedIssues: ->
+    @issues.has('.selected_issue:checked')
+
+  getLabelsFromSelection: ->
+    labels = []
+
+    @getSelectedIssues().map ->
+      _labels = $(@).data('labels')
+      if _labels
+        _labels.map (labelId) ->
+          labels.push(labelId) if labels.indexOf(labelId) is -1
+
+    labels
+
+  ###*
+   * Will return only labels that were marked previously and the user has unmarked
+   * @return {Array} Label IDs
+  ###
+  getUnmarkedIndeterminedLabels: ->
+    result = []
+    labelsToKeep = []
+
+    for el in @getElement('.labels-filter .is-indeterminate')
+      labelsToKeep.push $(el).data('labelId')
+
+    for id in @getLabelsFromSelection()
+      # Only the ones that we are not going to keep
+      result.push(id) if labelsToKeep.indexOf(id) is -1
+
+    result
+
+  ###*
+   * Simple form serialization, it will return just what we need
+   * Returns key/value pairs from form data
+  ###
+  getFormDataAsObject: ->
+    formData =
+      update:
+        state_event       : @form.find('input[name="update[state_event]"]').val()
+        assignee_id       : @form.find('input[name="update[assignee_id]"]').val()
+        milestone_id      : @form.find('input[name="update[milestone_id]"]').val()
+        issues_ids        : @form.find('input[name="update[issues_ids]"]').val()
+        add_label_ids     : []
+        remove_label_ids  : []
+
+    @getLabelsToApply().map (id) ->
+      formData.update.add_label_ids.push id
+
+    @getLabelsToRemove().map (id) ->
+      formData.update.remove_label_ids.push id
+
+    formData
+
+  getLabelsToApply: ->
+    labelIds = []
+    $labels = @form.find('.labels-filter input[name="update[label_ids][]"]')
+
+    $labels.each (k, label) ->
+      labelIds.push $(label).val() if label
+
+    labelIds
+
+  ###*
+   * Just an alias of @getUnmarkedIndeterminedLabels
+   * @return {Array} Array of labels
+  ###
+  getLabelsToRemove: ->
+    @getUnmarkedIndeterminedLabels()

app/assets/javascripts/labels_select.js.coffee

 class @LabelsSelect
   constructor: ->
+    _this = @
+
     $('.js-label-select').each (i, dropdown) ->
       $dropdown = $(dropdown)
       projectId = $dropdown.data('project-id')
@@ -196,10 +198,18 @@ class @LabelsSelect
 
             callback data
 
-        renderRow: (label) ->
-          removesAll = label.id is 0 or not label.id?
+        renderRow: (label, instance) ->
+          $li = $('<li>')
+          $a  = $('<a href="#">')
 
           selectedClass = []
+          removesAll = label.id is 0 or not label.id?
+
+          if $dropdown.hasClass('js-filter-bulk-update')
+            indeterminate = instance.indeterminateIds
+            if indeterminate.indexOf(label.id) isnt -1
+              selectedClass.push 'is-indeterminate'
+
           if $form.find("input[type='hidden']\
             [name='#{$dropdown.data('fieldName')}']\
             [value='#{this.id(label)}']").length
@@ -230,13 +240,17 @@ class @LabelsSelect
           else
             colorEl = ''
 
-          "<li>
-            <a href='#' class='#{selectedClass.join(' ')}'>
-              #{colorEl}
-              #{_.escape(label.title)}
-            </a>
-          </li>"
-        filterable: true
+          # We need to identify which items are actually labels
+          if label.id
+            selectedClass.push('label-item')
+            $a.attr('data-label-id', label.id)
+
+          $a.addClass(selectedClass.join(' '))
+            .html("#{colorEl} #{_.escape(label.title)}")
+
+          # Return generated html
+          $li.html($a).prop('outerHTML')
+        persistWhenHide: $dropdown.data('persistWhenHide')
         search:
           fields: ['title']
         selectable: true
@@ -280,10 +294,19 @@ class @LabelsSelect
             else if $dropdown.hasClass('js-filter-submit')
               $dropdown.closest('form').submit()
             else
-              saveLabelData()
+              if not $dropdown.hasClass 'js-filter-bulk-update'
+                saveLabelData()
+
+          if $dropdown.hasClass('js-filter-bulk-update')
+            # If we are persisting state we need the classes
+            if not @options.persistWhenHide
+              $dropdown.parent().find('.is-active, .is-indeterminate').removeClass()
 
         multiSelect: $dropdown.hasClass 'js-multiselect'
         clicked: (label) ->
+          if $dropdown.hasClass('js-filter-bulk-update')
+            return
+
           page = $('body').data 'page'
           isIssueIndex = page is 'projects:issues:index'
           isMRIndex = page is 'projects:merge_requests:index'
@@ -298,4 +321,31 @@ class @LabelsSelect
               return
             else
               saveLabelData()
+
+        setIndeterminateIds: ->
+          if @dropdown.find('.dropdown-menu-toggle').hasClass('js-filter-bulk-update')
+            @indeterminateIds = _this.getIndeterminateIds()
       )
+
+    @bindEvents()
+
+  bindEvents: ->
+    $('body').on 'change', '.selected_issue', @onSelectCheckboxIssue
+
+  onSelectCheckboxIssue: ->
+    return if $('.selected_issue:checked').length
+
+    # Remove inputs
+    $('.issues_bulk_update .labels-filter input[type="hidden"]').remove()
+
+    # Also restore button text
+    $('.issues_bulk_update .labels-filter .dropdown-toggle-text').text('Label')
+
+  getIndeterminateIds: ->
+    label_ids = []
+
+    $('.selected_issue:checked').each (i, el) ->
+      issue_id = $(el).data('id')
+      label_ids.push $("#issue_#{issue_id}").data('labels')
+
+    _.flatten(label_ids)

app/assets/javascripts/lib/emoji_aliases.js.coffee.erb

+window.emojiAliases = ->
+  JSON.parse('<%= Gitlab::AwardEmoji.aliases.to_json %>')

app/assets/javascripts/milestone_select.js.coffee

@@ -83,7 +83,7 @@ class @MilestoneSelect
           $selectbox.hide()
 
           # display:block overrides the hide-collapse rule
-          $value.removeAttr('style')
+          $value.css('display', '')
         clicked: (selected) ->
           page = $('body').data 'page'
           isIssueIndex = page is 'projects:issues:index'
@@ -118,7 +118,7 @@ class @MilestoneSelect
               $dropdown.trigger('loaded.gl.dropdown')
               $loading.fadeOut()
               $selectbox.hide()
-              $value.removeAttr('style')
+              $value.css('display', '')
               if data.milestone?
                 data.milestone.namespace = _this.currentProject.namespace
                 data.milestone.path = _this.currentProject.path

app/assets/javascripts/notes.js.coffee

@@ -167,7 +167,7 @@ class @Notes
       return
 
     if note.award
-      awardsHandler.addAwardToEmojiBar(note.note)
+      awardsHandler.addAwardToEmojiBar(note.name)
       awardsHandler.scrollToAwards()
 
     # render note if it not present in loaded list

app/assets/javascripts/search_autocomplete.js.coffee

@@ -20,8 +20,7 @@ class @SearchAutocomplete
     @dropdown = @wrap.find('.dropdown')
     @dropdownContent = @dropdown.find('.dropdown-content')
 
-    @locationBadgeEl = @getElement('.search-location-badge')
-    @locationText = @getElement('.location-text')
+    @locationBadgeEl = @getElement('.location-badge')
     @scopeInputEl = @getElement('#scope')
     @searchInput = @getElement('.search-input')
     @projectInputEl = @getElement('#search_project_id')
@@ -133,7 +132,7 @@ class @SearchAutocomplete
       scope: @scopeInputEl.val()
 
       # Location badge
-      _location: @locationText.text()
+      _location: @locationBadgeEl.text()
     }
 
   bindEvents: ->
@@ -143,23 +142,28 @@ class @SearchAutocomplete
     @searchInput.on 'click', @onSearchInputClick
     @searchInput.on 'focus', @onSearchInputFocus
     @clearInput.on 'click', @onClearInputClick
+    @locationBadgeEl.on 'click', =>
+      @searchInput.focus()
 
   onDocumentClick: (e) =>
     # If clicking outside the search box
     # And search input is not focused
     # And we are not clicking inside a suggestion
-    if not $.contains(@dropdown[0], e.target) and @isFocused and not $(e.target).parents('ul').length
+    if not $.contains(@dropdown[0], e.target) and @isFocused and not $(e.target).closest('.search-form').length
       @onSearchInputBlur()
 
   enableAutocomplete: ->
     # No need to enable anything if user is not logged in
     return if !gon.current_user_id
 
-    _this = @
-    @loadingSuggestions = false
+    unless @dropdown.hasClass('open')
+      _this = @
+      @loadingSuggestions = false
 
-    @dropdown.addClass('open')
-    @searchInput.removeClass('disabled')
+      @dropdown
+        .addClass('open')
+        .trigger('shown.bs.dropdown')
+      @searchInput.removeClass('disabled')
 
   onSearchInputKeyDown: =>
     # Saves last length of the entered text
@@ -190,7 +194,7 @@ class @SearchAutocomplete
           @disableAutocomplete()
         else
           # We should display the menu only when input is not empty
-          @enableAutocomplete()
+          @enableAutocomplete() if e.keyCode isnt KEYCODE.ENTER
 
     @wrap.toggleClass 'has-value', !!e.target.value
 
@@ -221,10 +225,8 @@ class @SearchAutocomplete
     category = if item.category? then "#{item.category}: " else ''
     value = if item.value? then item.value else ''
 
-    html = "<span class='location-badge'>
-              <i class='location-text'>#{category}#{value}</i>
-            </span>"
-    @locationBadgeEl.html(html)
+    badgeText = "#{category}#{value}"
+    @locationBadgeEl.text(badgeText).show()
     @wrap.addClass('has-location-badge')
 
   restoreOriginalState: ->
@@ -233,9 +235,8 @@ class @SearchAutocomplete
     for input in inputs
       @getElement("##{input}").val(@originalState[input])
 
-
     if @originalState._location is ''
-      @locationBadgeEl.empty()
+      @locationBadgeEl.hide()
     else
       @addLocationBadge(
         value: @originalState._location
@@ -244,7 +245,7 @@ class @SearchAutocomplete
     @dropdown.removeClass 'open'
 
   badgePresent: ->
-    @locationBadgeEl.children().length
+    @locationBadgeEl.length
 
   resetSearchState: ->
     inputs = Object.keys @originalState
@@ -257,7 +258,7 @@ class @SearchAutocomplete
       @getElement("##{input}").val('')
 
   removeLocationBadge: ->
-    @locationBadgeEl.empty()
+    @locationBadgeEl.hide()
 
     # Reset state
     @resetSearchState()

app/assets/javascripts/u2f/authenticate.js.coffee

+# Authenticate U2F (universal 2nd factor) devices for users to authenticate with.
+#
+# State Flow #1: setup -> in_progress -> authenticated -> POST to server
+# State Flow #2: setup -> in_progress -> error -> setup
+
+class @U2FAuthenticate
+  constructor: (@container, u2fParams) ->
+    @appId = u2fParams.app_id
+    @challenges = u2fParams.challenges
+    @signRequests = u2fParams.sign_requests
+
+  start: () =>
+    if U2FUtil.isU2FSupported()
+      @renderSetup()
+    else
+      @renderNotSupported()
+
+  authenticate: () =>
+    u2f.sign(@appId, @challenges, @signRequests, (response) =>
+      if response.errorCode
+        error = new U2FError(response.errorCode)
+        @renderError(error);
+      else
+        @renderAuthenticated(JSON.stringify(response))
+    , 10)
+
+  #############
+  # Rendering #
+  #############
+
+  templates: {
+    "notSupported": "#js-authenticate-u2f-not-supported",
+    "setup": '#js-authenticate-u2f-setup',
+    "inProgress": '#js-authenticate-u2f-in-progress',
+    "error": '#js-authenticate-u2f-error',
+    "authenticated": '#js-authenticate-u2f-authenticated'
+  }
+
+  renderTemplate: (name, params) =>
+    templateString = $(@templates[name]).html()
+    template = _.template(templateString)
+    @container.html(template(params))
+
+  renderSetup: () =>
+    @renderTemplate('setup')
+    @container.find('#js-login-u2f-device').on('click', @renderInProgress)
+
+  renderInProgress: () =>
+    @renderTemplate('inProgress')
+    @authenticate()
+
+  renderError: (error) =>
+    @renderTemplate('error', {error_message: error.message()})
+    @container.find('#js-u2f-try-again').on('click', @renderSetup)
+
+  renderAuthenticated: (deviceResponse) =>
+    @renderTemplate('authenticated')
+    # Prefer to do this instead of interpolating using Underscore templates
+    # because of JSON escaping issues.
+    @container.find("#js-device-response").val(deviceResponse)
+
+  renderNotSupported: () =>
+    @renderTemplate('notSupported')

app/assets/javascripts/u2f/error.js.coffee

+class @U2FError
+  constructor: (@errorCode) ->
+    @httpsDisabled = (window.location.protocol isnt 'https:')
+    console.error("U2F Error Code: #{@errorCode}")
+
+  message: () =>
+    switch
+      when (@errorCode is u2f.ErrorCodes.BAD_REQUEST and @httpsDisabled)
+        "U2F only works with HTTPS-enabled websites. Contact your administrator for more details."
+      when @errorCode is u2f.ErrorCodes.DEVICE_INELIGIBLE
+        "This device has already been registered with us."
+      else
+        "There was a problem communicating with your device."

app/assets/javascripts/u2f/register.js.coffee

+# Register U2F (universal 2nd factor) devices for users to authenticate with.
+#
+# State Flow #1: setup -> in_progress -> registered -> POST to server
+# State Flow #2: setup -> in_progress -> error -> setup
+
+class @U2FRegister
+  constructor: (@container, u2fParams) ->
+    @appId = u2fParams.app_id
+    @registerRequests = u2fParams.register_requests
+    @signRequests = u2fParams.sign_requests
+
+  start: () =>
+    if U2FUtil.isU2FSupported()
+      @renderSetup()
+    else
+      @renderNotSupported()
+
+  register: () =>
+    u2f.register(@appId, @registerRequests, @signRequests, (response) =>
+      if response.errorCode
+        error = new U2FError(response.errorCode)
+        @renderError(error);
+      else
+        @renderRegistered(JSON.stringify(response))
+    , 10)
+
+  #############
+  # Rendering #
+  #############
+
+  templates: {
+    "notSupported": "#js-register-u2f-not-supported",
+    "setup": '#js-register-u2f-setup',
+    "inProgress": '#js-register-u2f-in-progress',
+    "error": '#js-register-u2f-error',
+    "registered": '#js-register-u2f-registered'
+  }
+
+  renderTemplate: (name, params) =>
+    templateString = $(@templates[name]).html()
+    template = _.template(templateString)
+    @container.html(template(params))
+
+  renderSetup: () =>
+    @renderTemplate('setup')
+    @container.find('#js-setup-u2f-device').on('click', @renderInProgress)
+
+  renderInProgress: () =>
+    @renderTemplate('inProgress')
+    @register()
+
+  renderError: (error) =>
+    @renderTemplate('error', {error_message: error.message()})
+    @container.find('#js-u2f-try-again').on('click', @renderSetup)
+
+  renderRegistered: (deviceResponse) =>
+    @renderTemplate('registered')
+    # Prefer to do this instead of interpolating using Underscore templates
+    # because of JSON escaping issues.
+    @container.find("#js-device-response").val(deviceResponse)
+
+  renderNotSupported: () =>
+    @renderTemplate('notSupported')

app/assets/javascripts/u2f/util.js.coffee.erb

+# Helper class for U2F (universal 2nd factor) device registration and authentication.
+
+class @U2FUtil
+  @isU2FSupported: ->
+    if @testMode
+      true
+    else
+      gon.u2f.browser_supports_u2f
+
+  @enableTestMode: ->
+    @testMode = true
+
+<% if Rails.env.test? %>
+U2FUtil.enableTestMode();
+<% end %>

app/assets/javascripts/users/application.js.coffee

+# This is a manifest file that'll be compiled into including all the files listed below.
+# Add new JavaScript/Coffee code in separate files in this directory and they'll automatically
+# be included in the compiled file accessible from http://example.com/assets/application.js
+# It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+# the compiled file.
+#
+#= require d3
+#= require_tree .

app/assets/javascripts/users_select.js.coffee

@@ -149,7 +149,7 @@ class @UsersSelect
         hidden: (e) ->
           $selectbox.hide()
           # display:block overrides the hide-collapse rule
-          $value.removeAttr('style')
+          $value.css('display', '')
 
         clicked: (user) ->
           page = $('body').data 'page'

app/assets/stylesheets/framework/dropdowns.scss

@@ -232,9 +232,8 @@
   a {
     padding-left: 25px;
 
-    &.is-active {
+    &.is-indeterminate, &.is-active {
       &::before {
-        content: "\f00c";
         position: absolute;
         left: 5px;
         top: 50%;
@@ -246,6 +245,14 @@
         -moz-osx-font-smoothing: grayscale;
       }
     }
+
+    &.is-indeterminate::before {
+      content: "\f068";
+    }
+
+    &.is-active::before {
+      content: "\f00c";
+    }
   }
 }
 

app/assets/stylesheets/framework/mixins.scss

@@ -2,18 +2,10 @@
  * Generic mixins
  */
 @mixin box-shadow($shadow) {
-  -webkit-box-shadow: $shadow;
-  -moz-box-shadow: $shadow;
-  -ms-box-shadow: $shadow;
-  -o-box-shadow: $shadow;
   box-shadow: $shadow;
 }
 
 @mixin border-radius($radius) {
-  -webkit-border-radius: $radius;
-  -moz-border-radius: $radius;
-  -ms-border-radius: $radius;
-  -o-border-radius: $radius;
   border-radius: $radius;
 }
 

app/assets/stylesheets/framework/variables.scss

@@ -63,7 +63,8 @@ $gl-padding-top: 10px;
 /*
  * Misc
  */
-$row-hover: #f4f8fe;
+$row-hover: #f7faff;
+$row-hover-border: #b2d7ff;
 $progress-color: #c0392b;
 $avatar_radius: 50%;
 $header-height: 50px;

app/assets/stylesheets/pages/awards.scss

 .awards {
-  line-height: 34px;
-
   .emoji-icon {
     width: 20px;
     height: 20px;
@@ -9,8 +7,6 @@
 
 .emoji-menu {
   position: absolute;
-  top: 100%;
-  left: 0;
   margin-top: 3px;
   z-index: 1000;
   min-width: 160px;
@@ -23,7 +19,12 @@
   opacity: 0;
   transform: scale(.2);
   transform-origin: 0 -45px;
-  transition: all .3s cubic-bezier(.87,-.41,.19,1.44);
+  transition: .3s cubic-bezier(.87,-.41,.19,1.44);
+  transition-property: transform, opacity;
+
+  &.is-aligned-right {
+    transform-origin: 100% -45px;
+  }
 
   &.is-visible {
     pointer-events: all;
@@ -107,7 +108,7 @@
   }
 
   &.is-loading {
-    .award-control-icon {
+    .award-control-icon-normal {
       display: none;
     }
 

app/assets/stylesheets/pages/builds.scss

@@ -3,12 +3,7 @@
     background: #111;
     color: #fff;
     font-family: $monospace_font;
-    white-space: pre;
-    white-space: pre-wrap;       /* css-3 */
-    white-space: -moz-pre-wrap;  /* Mozilla, since 1999 */
-    white-space: -pre-wrap;      /* Opera 4-6 */
-    white-space: -o-pre-wrap;    /* Opera 7 */
-    word-wrap: break-word;       /* Internet Explorer 5.5+ */
+    white-space: pre-wrap;
     overflow: auto;
     overflow-y: hidden;
     font-size: 12px;

app/assets/stylesheets/pages/detail_page.scss

@@ -29,8 +29,6 @@
     margin-top: 6px;
 
     p {
-      overflow-x: auto;
-
       &:last-child {
         margin-bottom: 0;
       }

app/assets/stylesheets/pages/merge_requests.scss

@@ -41,7 +41,7 @@
       margin: 0;
       margin-left: 20px;
       padding: 5px;
-      padding-top: 12px;
+      padding-top: 8px;
       line-height: 20px;
 
       &.right {
@@ -110,6 +110,29 @@
     p:last-child {
       margin-bottom: 0;
     }
+
+    @media (max-width: $screen-sm-max) {
+      h4 {
+        font-size: 15px;
+      }
+
+      p {
+        font-size: 13px;
+      }
+
+      .btn,
+      .btn-group,
+      .accept-action {
+        width: 100%;
+        margin-bottom: 4px;
+      }
+
+      .accept-control {
+        width: 100%;
+        text-align: center;
+        margin: 0;
+      }
+    }
   }
 
   .mr-widget-footer {

app/assets/stylesheets/pages/search.scss

@@ -28,6 +28,7 @@
   }
 
   .search-input {
+    padding-right: 20px;
     border: none;
     font-size: 14px;
     outline: none;
@@ -47,6 +48,7 @@
     display: inline-block;
     background-color: $location-badge-bg;
     vertical-align: top;
+    cursor: default;
   }
 
   .search-input-container {
@@ -55,7 +57,7 @@
     position: relative;
   }
 
-  .search-location-badge, .search-input-wrap {
+  .search-input-wrap {
     // Fallback if flexbox is not supported
     display: inline-block;
   }
@@ -156,13 +158,11 @@
 .search-holder {
   @media (min-width: $screen-sm-min) {
     display: -webkit-flex;
-    display: -ms-flexbox;
     display: flex;
   }
 
   .search-field-holder {
     -webkit-flex: 1 0 auto;
-    -ms-flex: 1 0 auto;
     flex: 1 0 auto;
     position: relative;
     margin-right: 0;

app/assets/stylesheets/pages/tree.scss

@@ -15,16 +15,23 @@
     margin-bottom: 0;
 
     tr {
-      > td, > th {
+      border-bottom: 1px solid $table-border-gray;
+      border-top: 1px solid $table-border-gray;
+
+      td, th {
         line-height: 23px;
       }
 
       &:hover {
+        cursor: pointer;
+
         td {
-          background: $row-hover;
+          background-color: $row-hover;
+          border-top: 1px solid $row-hover-border;
+          border-bottom: 1px solid $row-hover-border;
         }
-        cursor: pointer;
       }
+
       &.selected {
         td {
           background: $gray-dark;

app/controllers/application_controller.rb

@@ -182,8 +182,8 @@ class ApplicationController < ActionController::Base
   end
 
   def check_2fa_requirement
-    if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor?
-      redirect_to new_profile_two_factor_auth_path
+    if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled? && !skip_two_factor?
+      redirect_to profile_two_factor_auth_path
     end
   end
 
@@ -232,7 +232,7 @@ class ApplicationController < ActionController::Base
   end
 
   def configure_permitted_parameters
-    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email, :password, :login, :remember_me, :otp_attempt) }
+    devise_parameter_sanitizer.permit(:sign_in, keys: [:username, :email, :password, :login, :remember_me, :otp_attempt])
   end
 
   def hexdigest(string)
@@ -342,6 +342,10 @@ class ApplicationController < ActionController::Base
     session[:skip_tfa] && session[:skip_tfa] > Time.current
   end
 
+  def browser_supports_u2f?
+    browser.chrome? && browser.version.to_i >= 41 && !browser.device.mobile?
+  end
+
   def redirect_to_home_page_url?
     # If user is not signed-in and tries to access root_path - redirect him to landing page
     # Don't redirect to the default URL to prevent endless redirections
@@ -355,6 +359,13 @@ class ApplicationController < ActionController::Base
     current_user.nil? && root_path == request.path
   end
 
+  # U2F (universal 2nd factor) devices need a unique identifier for the application
+  # to perform authentication.
+  # https://developers.yubico.com/U2F/App_ID.html
+  def u2f_app_id
+    request.base_url
+  end
+
   private
 
   def set_default_sort

app/controllers/concerns/authenticates_with_two_factor.rb

@@ -24,7 +24,64 @@ module AuthenticatesWithTwoFactor
   # Returns nil
   def prompt_for_two_factor(user)
     session[:otp_user_id] = user.id
+    setup_u2f_authentication(user)
+    render 'devise/sessions/two_factor'
+  end
+
+  def authenticate_with_two_factor
+    user = self.resource = find_user
+
+    if user_params[:otp_attempt].present? && session[:otp_user_id]
+      authenticate_with_two_factor_via_otp(user)
+    elsif user_params[:device_response].present? && session[:otp_user_id]
+      authenticate_with_two_factor_via_u2f(user)
+    elsif user && user.valid_password?(user_params[:password])
+      prompt_for_two_factor(user)
+    end
+  end
+
+  private
+
+  def authenticate_with_two_factor_via_otp(user)
+    if valid_otp_attempt?(user)
+      # Remove any lingering user data from login
+      session.delete(:otp_user_id)
+
+      remember_me(user) if user_params[:remember_me] == '1'
+      sign_in(user)
+    else
+      flash.now[:alert] = 'Invalid two-factor code.'
+      render :two_factor
+    end
+  end
+
+  # Authenticate using the response from a U2F (universal 2nd factor) device
+  def authenticate_with_two_factor_via_u2f(user)
+    if U2fRegistration.authenticate(user, u2f_app_id, user_params[:device_response], session[:challenges])
+      # Remove any lingering user data from login
+      session.delete(:otp_user_id)
+      session.delete(:challenges)
+
+      sign_in(user)
+    else
+      flash.now[:alert] = 'Authentication via U2F device failed.'
+      prompt_for_two_factor(user)
+    end
+  end
+
+  # Setup in preparation of communication with a U2F (universal 2nd factor) device
+  # Actual communication is performed using a Javascript API
+  def setup_u2f_authentication(user)
+    key_handles = user.u2f_registrations.pluck(:key_handle)
+    u2f = U2F::U2F.new(u2f_app_id)
 
-    render 'devise/sessions/two_factor' and return
+    if key_handles.present?
+      sign_requests = u2f.authentication_requests(key_handles)
+      challenges = sign_requests.map(&:challenge)
+      session[:challenges] = challenges
+      gon.push(u2f: { challenges: challenges, app_id: u2f_app_id,
+                      sign_requests: sign_requests,
+                      browser_supports_u2f: browser_supports_u2f? })
+    end
   end
 end

app/controllers/concerns/toggle_award_emoji.rb

+module ToggleAwardEmoji
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authenticate_user!, only: [:toggle_award_emoji]
+  end
+
+  def toggle_award_emoji
+    name = params.require(:name)
+
+    awardable.toggle_award_emoji(name, current_user)
+    TodoService.new.new_award_emoji(awardable, current_user)
+
+    render json: { ok: true }
+  end
+
+  private
+
+  def awardable
+    raise NotImplementedError
+  end
+end

app/controllers/profiles/two_factor_auths_controller.rb

 class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   skip_before_action :check_2fa_requirement
 
-  def new
+  def show
     unless current_user.otp_secret
       current_user.otp_secret = User.generate_otp_secret(32)
     end
@@ -12,21 +12,22 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
 
     current_user.save! if current_user.changed?
 
-    if two_factor_authentication_required?
+    if two_factor_authentication_required? && !current_user.two_factor_enabled?
       if two_factor_grace_period_expired?
-        flash.now[:alert] = 'You must enable Two-factor Authentication for your account.'
+        flash.now[:alert] = 'You must enable Two-Factor Authentication for your account.'
       else
         grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
-        flash.now[:alert] = "You must enable Two-factor Authentication for your account before #{l(grace_period_deadline)}."
+        flash.now[:alert] = "You must enable Two-Factor Authentication for your account before #{l(grace_period_deadline)}."
       end
     end
 
     @qr_code = build_qr_code
+    setup_u2f_registration
   end
 
   def create
     if current_user.validate_and_consume_otp!(params[:pin_code])
-      current_user.two_factor_enabled = true
+      current_user.otp_required_for_login = true
       @codes = current_user.generate_otp_backup_codes!
       current_user.save!
 
@@ -34,8 +35,23 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
     else
       @error = 'Invalid pin code'
       @qr_code = build_qr_code
+      setup_u2f_registration
+      render 'show'
+    end
+  end
+
+  # A U2F (universal 2nd factor) device's information is stored after successful
+  # registration, which is then used while 2FA authentication is taking place.
+  def create_u2f
+    @u2f_registration = U2fRegistration.register(current_user, u2f_app_id, params[:device_response], session[:challenges])
 
-      render 'new'
+    if @u2f_registration.persisted?
+      session.delete(:challenges)
+      redirect_to profile_account_path, notice: "Your U2F device was registered!"
+    else
+      @qr_code = build_qr_code
+      setup_u2f_registration
+      render :show
     end
   end
 
@@ -70,4 +86,21 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   def issuer_host
     Gitlab.config.gitlab.host
   end
+
+  # Setup in preparation of communication with a U2F (universal 2nd factor) device
+  # Actual communication is performed using a Javascript API
+  def setup_u2f_registration
+    @u2f_registration ||= U2fRegistration.new
+    @registration_key_handles = current_user.u2f_registrations.pluck(:key_handle)
+    u2f = U2F::U2F.new(u2f_app_id)
+
+    registration_requests = u2f.registration_requests
+    sign_requests = u2f.authentication_requests(@registration_key_handles)
+    session[:challenges] = registration_requests.map(&:challenge)
+
+    gon.push(u2f: { challenges: session[:challenges], app_id: u2f_app_id,
+                    register_requests: registration_requests,
+                    sign_requests: sign_requests,
+                    browser_supports_u2f: browser_supports_u2f? })
+  end
 end

app/controllers/projects/artifacts_controller.rb

@@ -37,7 +37,7 @@ class Projects::ArtifactsController < Projects::ApplicationController
   private
 
   def build
-    @build ||= project.builds.unscoped.find_by!(id: params[:build_id])
+    @build ||= project.builds.find_by!(id: params[:build_id])
   end
 
   def artifacts_file

app/controllers/projects/branches_controller.rb

@@ -50,7 +50,7 @@ class Projects::BranchesController < Projects::ApplicationController
         redirect_to namespace_project_branches_path(@project.namespace,
                                                     @project), status: 303
       end
-      format.js { render status: status[:return_code] }
+      format.js { render nothing: true, status: status[:return_code] }
     end
   end
 

app/controllers/projects/builds_controller.rb

@@ -81,7 +81,7 @@ class Projects::BuildsController < Projects::ApplicationController
   private
 
   def build
-    @build ||= project.builds.unscoped.find_by!(id: params[:id])
+    @build ||= project.builds.find_by!(id: params[:id])
   end
 
   def build_path(build)

app/controllers/projects/issues_controller.rb

 class Projects::IssuesController < Projects::ApplicationController
   include ToggleSubscriptionAction
   include IssuableActions
+  include ToggleAwardEmoji
 
   before_action :module_enabled
   before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
@@ -62,7 +63,7 @@ class Projects::IssuesController < Projects::ApplicationController
 
   def show
     @note     = @project.notes.new(noteable: @issue)
-    @notes    = @issue.notes.nonawards.with_associations.fresh
+    @notes    = @issue.notes.with_associations.fresh
     @noteable = @issue
 
     respond_to do |format|
@@ -155,7 +156,12 @@ class Projects::IssuesController < Projects::ApplicationController
 
   def bulk_update
     result = Issues::BulkUpdateService.new(project, current_user, bulk_update_params).execute
-    redirect_back_or_default(default: { action: 'index' }, options: { notice: "#{result[:count]} issues updated" })
+
+    respond_to do |format|
+      format.json do
+        render json: { notice: "#{result[:count]} issues updated" }
+      end
+    end
   end
 
   protected
@@ -169,6 +175,7 @@ class Projects::IssuesController < Projects::ApplicationController
   end
   alias_method :subscribable_resource, :issue
   alias_method :issuable, :issue
+  alias_method :awardable, :issue
 
   def authorize_read_issue!
     return render_404 unless can?(current_user, :read_issue, @issue)
@@ -214,7 +221,10 @@ class Projects::IssuesController < Projects::ApplicationController
       :issues_ids,
       :assignee_id,
       :milestone_id,
-      :state_event
+      :state_event,
+      label_ids: [],
+      add_label_ids: [],
+      remove_label_ids: []
     )
   end
 end

app/controllers/projects/merge_requests_controller.rb

@@ -2,6 +2,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
   include ToggleSubscriptionAction
   include DiffHelper
   include IssuableActions
+  include ToggleAwardEmoji
 
   before_action :module_enabled
   before_action :merge_request, only: [
@@ -190,13 +191,18 @@ class Projects::MergeRequestsController < Projects::ApplicationController
       return
     end
 
+    if params[:sha] != @merge_request.source_sha
+      @status = :sha_mismatch
+      return
+    end
+
     TodoService.new.merge_merge_request(merge_request, current_user)
 
     @merge_request.update(merge_error: nil)
 
     if params[:merge_when_build_succeeds].present? && @merge_request.ci_commit && @merge_request.ci_commit.active?
       MergeRequests::MergeWhenBuildSucceedsService.new(@project, current_user, merge_params)
-                                                      .execute(@merge_request)
+        .execute(@merge_request)
       @status = :merge_when_build_succeeds
     else
       MergeWorker.perform_async(@merge_request.id, current_user.id, params)
@@ -265,6 +271,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
   end
   alias_method :subscribable_resource, :merge_request
   alias_method :issuable, :merge_request
+  alias_method :awardable, :merge_request
 
   def closes_issues
     @closes_issues ||= @merge_request.closes_issues
@@ -300,7 +307,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
   def define_show_vars
     # Build a note object for comment form
     @note = @project.notes.new(noteable: @merge_request)
-    @notes = @merge_request.mr_and_commit_notes.nonawards.inc_author.fresh
+    @notes = @merge_request.mr_and_commit_notes.inc_author.fresh
     @discussions = @notes.discussions
     @noteable = @merge_request
 

app/controllers/projects/notes_controller.rb

@@ -3,7 +3,7 @@ class Projects::NotesController < Projects::ApplicationController
   before_action :authorize_read_note!
   before_action :authorize_create_note!, only: [:create]
   before_action :authorize_admin_note!, only: [:update, :destroy]
-  before_action :find_current_user_notes, except: [:destroy, :delete_attachment, :award_toggle]
+  before_action :find_current_user_notes, only: [:index]
 
   def index
     current_fetched_at = Time.now.to_i
@@ -56,30 +56,6 @@ class Projects::NotesController < Projects::ApplicationController
     end
   end
 
-  def award_toggle
-    noteable = if note_params[:noteable_type] == "issue"
-                 project.issues.find(note_params[:noteable_id])
-               else
-                 project.merge_requests.find(note_params[:noteable_id])
-               end
-
-    data = {
-      author: current_user,
-      is_award: true,
-      note: note_params[:note].delete(":")
-    }
-
-    note = noteable.notes.find_by(data)
-
-    if note
-      note.destroy
-    else
-      Notes::CreateService.new(project, current_user, note_params).execute
-    end
-
-    render json: { ok: true }
-  end
-
   private
 
   def note
@@ -131,13 +107,20 @@ class Projects::NotesController < Projects::ApplicationController
   end
 
   def note_json(note)
-    if note.valid?
+    if note.is_a?(AwardEmoji)
+      {
+        valid:  note.valid?,
+        award:  true,
+        id:     note.id,
+        name:   note.name
+      }
+    elsif note.valid?
       {
         valid: true,
         id: note.id,
         discussion_id: note.discussion_id,
         html: note_to_html(note),
-        award: note.is_award,
+        award: false,
         note: note.note,
         discussion_html: note_to_discussion_html(note),
         discussion_with_diff_html: note_to_discussion_with_diff_html(note)
@@ -145,7 +128,7 @@ class Projects::NotesController < Projects::ApplicationController
     else
       {
         valid: false,
-        award: note.is_award,
+        award: false,
         errors: note.errors
       }
     end

app/controllers/projects_controller.rb

@@ -139,7 +139,7 @@ class ProjectsController < Projects::ApplicationController
     participants = ::Projects::ParticipantsService.new(@project, current_user).execute(note_type, note_id)
 
     @suggestions = {
-      emojis: AwardEmoji.urls,
+      emojis: Gitlab::AwardEmoji.urls,
       issues: autocomplete.issues,
       milestones: autocomplete.milestones,
       mergerequests: autocomplete.merge_requests,

app/controllers/sessions_controller.rb

@@ -30,8 +30,7 @@ class SessionsController < Devise::SessionsController
         resource.update_attributes(reset_password_token: nil,
                                    reset_password_sent_at: nil)
       end
-      authenticated_with = user_params[:otp_attempt] ? "two-factor" : "standard"
-      log_audit_event(current_user, with: authenticated_with)
+      log_audit_event(current_user, with: authentication_method)
     end
   end
 
@@ -54,7 +53,7 @@ class SessionsController < Devise::SessionsController
   end
 
   def user_params
-    params.require(:user).permit(:login, :password, :remember_me, :otp_attempt)
+    params.require(:user).permit(:login, :password, :remember_me, :otp_attempt, :device_response)
   end
 
   def find_user
@@ -89,27 +88,6 @@ class SessionsController < Devise::SessionsController
     find_user.try(:two_factor_enabled?)
   end
 
-  def authenticate_with_two_factor
-    user = self.resource = find_user
-
-    if user_params[:otp_attempt].present? && session[:otp_user_id]
-      if valid_otp_attempt?(user)
-        # Remove any lingering user data from login
-        session.delete(:otp_user_id)
-
-        remember_me(user) if user_params[:remember_me] == '1'
-        sign_in(user) and return
-      else
-        flash.now[:alert] = 'Invalid two-factor code.'
-        render :two_factor and return
-      end
-    else
-      if user && user.valid_password?(user_params[:password])
-        prompt_for_two_factor(user)
-      end
-    end
-  end
-
   def auto_sign_in_with_provider
     provider = Gitlab.config.omniauth.auto_sign_in_with_provider
     return unless provider.present?
@@ -138,4 +116,14 @@ class SessionsController < Devise::SessionsController
   def load_recaptcha
     Gitlab::Recaptcha.load_configurations!
   end
+
+  def authentication_method
+    if user_params[:otp_attempt]
+      "two-factor"
+    elsif user_params[:device_response]
+      "two-factor-via-u2f-device"
+    else
+      "standard"
+    end
+  end
 end

app/finders/notes_finder.rb

@@ -12,9 +12,9 @@ class NotesFinder
       when "commit"
         project.notes.for_commit_id(target_id).non_diff_notes
       when "issue"
-        project.issues.find(target_id).notes.nonawards.inc_author
+        project.issues.find(target_id).notes.inc_author
       when "merge_request"
-        project.merge_requests.find(target_id).mr_and_commit_notes.nonawards.inc_author
+        project.merge_requests.find(target_id).mr_and_commit_notes.inc_author
       when "snippet", "project_snippet"
         project.snippets.find(target_id).notes
       else

app/finders/todos_finder.rb

@@ -30,7 +30,7 @@ class TodosFinder
     items = by_state(items)
     items = by_type(items)
 
-    items
+    items.reorder(id: :desc)
   end
 
   private
@@ -78,6 +78,16 @@ class TodosFinder
     @project
   end
 
+  def projects
+    return @projects if defined?(@projects)
+
+    if project?
+      @projects = project
+    else
+      @projects = ProjectsFinder.new.execute(current_user)
+    end
+  end
+
   def type?
     type.present? && ['Issue', 'MergeRequest'].include?(type)
   end
@@ -105,6 +115,8 @@ class TodosFinder
   def by_project(items)
     if project?
       items = items.where(project: project)
+    elsif projects
+      items = items.merge(projects).joins(:project)
     end
 
     items

app/helpers/auth_helper.rb

@@ -66,7 +66,7 @@ module AuthHelper
 
   def two_factor_skippable?
     current_application_settings.require_two_factor_authentication &&
-      !current_user.two_factor_enabled &&
+      !current_user.two_factor_enabled? &&
       current_application_settings.two_factor_grace_period &&
       !two_factor_grace_period_expired?
   end

app/helpers/button_helper.rb

@@ -30,7 +30,7 @@ module ButtonHelper
 
     content_tag :a, protocol,
       class: klass,
-      href: @project.http_url_to_repo,
+      href: project.http_url_to_repo,
       data: {
         html: true,
         placement: 'right',

app/helpers/groups_helper.rb

@@ -31,7 +31,7 @@ module GroupsHelper
     if group && group.avatar.present?
       group.avatar.url
     else
-      'no_group_avatar.png'
+      image_path('no_group_avatar.png')
     end
   end
 

app/helpers/issuables_helper.rb

@@ -96,5 +96,4 @@ module IssuablesHelper
       issuable.open? ? :opened : :closed
     end
   end
-
 end

app/helpers/issues_helper.rb

@@ -145,16 +145,14 @@ module IssuesHelper
     end
   end
 
-  def emoji_author_list(notes, current_user)
-    list = notes.map do |note|
-      note.author == current_user ? "me" : note.author.name
-    end
-
-    list.join(", ")
+  def award_user_list(awards, current_user)
+    awards.map do |award|
+      award.user == current_user ? 'me' : award.user.name
+    end.join(', ')
   end
 
-  def note_active_class(notes, current_user)
-    if current_user && notes.pluck(:author_id).include?(current_user.id)
+  def award_active_class(awards, current_user)
+    if current_user && awards.find { |a| a.user_id == current_user.id }
       "active"
     else
       ""

app/helpers/javascript_helper.rb

+module JavascriptHelper
+  def page_specific_javascripts(js = nil)
+    @page_specific_javascripts = js unless js.nil?
+
+    @page_specific_javascripts
+  end
+end

app/helpers/todos_helper.rb

@@ -17,7 +17,9 @@ module TodosHelper
 
   def todo_target_link(todo)
     target = todo.target_type.titleize.downcase
-    link_to "#{target} #{todo.target_reference}", todo_target_path(todo), { title: todo.target.title }
+    link_to "#{target} #{todo.target_reference}", todo_target_path(todo),
+      class: 'has-tooltip',
+      title: todo.target.title
   end
 
   def todo_target_path(todo)

app/models/award_emoji.rb

+class AwardEmoji < ActiveRecord::Base
+  DOWNVOTE_NAME = "thumbsdown".freeze
+  UPVOTE_NAME   = "thumbsup".freeze
+
+  include Participable
+
+  belongs_to :awardable, polymorphic: true
+  belongs_to :user
+
+  validates :awardable, :user, presence: true
+  validates :name, presence: true, inclusion: { in: Emoji.emojis_names }
+  validates :name, uniqueness: { scope: [:user, :awardable_type, :awardable_id] }
+
+  participant :user
+
+  scope :downvotes, -> { where(name: DOWNVOTE_NAME) }
+  scope :upvotes,   -> { where(name: UPVOTE_NAME) }
+
+  def downvote?
+    self.name == DOWNVOTE_NAME
+  end
+
+  def upvote?
+    self.name == UPVOTE_NAME
+  end
+end

app/models/ci/build.rb

@@ -313,6 +313,7 @@ module Ci
       build_data = Gitlab::BuildDataBuilder.build(self)
       project.execute_hooks(build_data.dup, :build_hooks)
       project.execute_services(build_data.dup, :build_hooks)
+      project.running_or_pending_build_count(force: true)
     end
 
     def artifacts?

app/models/ci/variable.rb

@@ -11,6 +11,9 @@ module Ci
       format: { with: /\A[a-zA-Z0-9_]+\z/,
                 message: "can contain only letters, digits and '_'." }
 
-    attr_encrypted :value, mode: :per_attribute_iv_and_salt, key: Gitlab::Application.secrets.db_key_base
+    attr_encrypted :value, 
+       mode: :per_attribute_iv_and_salt,
+       key: Gitlab::Application.secrets.db_key_base,
+       algorithm: 'aes-256-cbc'
   end
 end

app/models/concerns/awardable.rb

+module Awardable
+  extend ActiveSupport::Concern
+
+  included do
+    has_many :award_emoji, as: :awardable, dependent: :destroy
+
+    if self < Participable
+      participant :award_emoji
+    end
+  end
+
+  module ClassMethods
+    def order_upvotes_desc
+      order_votes_desc(AwardEmoji::UPVOTE_NAME)
+    end
+
+    def order_downvotes_desc
+      order_votes_desc(AwardEmoji::DOWNVOTE_NAME)
+    end
+
+    def order_votes_desc(emoji_name)
+      awardable_table = self.arel_table
+      awards_table = AwardEmoji.arel_table
+
+      join_clause = awardable_table.join(awards_table, Arel::Nodes::OuterJoin).on(
+        awards_table[:awardable_id].eq(awardable_table[:id]).and(
+          awards_table[:awardable_type].eq(self.name).and(
+            awards_table[:name].eq(emoji_name)
+          )
+        )
+      ).join_sources
+
+      joins(join_clause).group(awardable_table[:id]).reorder("COUNT(award_emoji.id) DESC")
+    end
+  end
+
+  def grouped_awards(with_thumbs: true)
+    awards = award_emoji.group_by(&:name)
+
+    if with_thumbs
+      awards[AwardEmoji::UPVOTE_NAME]   ||= []
+      awards[AwardEmoji::DOWNVOTE_NAME] ||= []
+    end
+
+    awards
+  end
+
+  def downvotes
+    award_emoji.downvotes.count
+  end
+
+  def upvotes
+    award_emoji.upvotes.count
+  end
+
+  def emoji_awardable?
+    true
+  end
+
+  def awarded_emoji?(emoji_name, current_user)
+    award_emoji.where(name: emoji_name, user: current_user).exists?
+  end
+
+  def create_award_emoji(name, current_user)
+    return unless emoji_awardable?
+
+    award_emoji.create(name: name, user: current_user)
+  end
+
+  def remove_award_emoji(name, current_user)
+    award_emoji.where(name: name, user: current_user).destroy_all
+  end
+
+  def toggle_award_emoji(emoji_name, current_user)
+    if awarded_emoji?(emoji_name, current_user)
+      remove_award_emoji(emoji_name, current_user)
+    else
+      create_award_emoji(emoji_name, current_user)
+    end
+  end
+end

app/models/concerns/issuable.rb

@@ -10,6 +10,7 @@ module Issuable
   include Mentionable
   include Subscribable
   include StripAttribute
+  include Awardable
 
   included do
     belongs_to :author, class_name: "User"
@@ -68,6 +69,14 @@ module Issuable
     strip_attributes :title
 
     acts_as_paranoid
+
+    after_save :update_assignee_cache_counts, if: :assignee_id_changed?
+
+    def update_assignee_cache_counts
+      # make sure we flush the cache for both the old *and* new assignee
+      User.find(assignee_id_was).update_cache_counts if assignee_id_was
+      assignee.update_cache_counts if assignee
+    end
   end
 
   module ClassMethods
@@ -107,29 +116,6 @@ module Issuable
       end
     end
 
-    def order_downvotes_desc
-      order_votes_desc('thumbsdown')
-    end
-
-    def order_upvotes_desc
-      order_votes_desc('thumbsup')
-    end
-
-    def order_votes_desc(award_emoji_name)
-      issuable_table = self.arel_table
-      note_table = Note.arel_table
-
-      join_clause = issuable_table.join(note_table, Arel::Nodes::OuterJoin).on(
-        note_table[:noteable_id].eq(issuable_table[:id]).and(
-          note_table[:noteable_type].eq(self.name).and(
-            note_table[:is_award].eq(true).and(note_table[:note].eq(award_emoji_name))
-          )
-        )
-      ).join_sources
-
-      joins(join_clause).group(issuable_table[:id]).reorder("COUNT(notes.id) DESC")
-    end
-
     def with_label(title, sort = nil)
       if title.is_a?(Array) && title.size > 1
         joins(:labels).where(labels: { title: title }).group(*grouping_columns(sort)).having("COUNT(DISTINCT labels.title) = #{title.size}")
@@ -163,10 +149,6 @@ module Issuable
     today? && created_at == updated_at
   end
 
-  def is_assigned?
-    !!assignee_id
-  end
-
   def is_being_reassigned?
     assignee_id_changed?
   end
@@ -175,14 +157,6 @@ module Issuable
     opened? || reopened?
   end
 
-  def downvotes
-    notes.awards.where(note: "thumbsdown").count
-  end
-
-  def upvotes
-    notes.awards.where(note: "thumbsup").count
-  end
-
   def user_notes_count
     notes.user.count
   end
@@ -205,6 +179,10 @@ module Issuable
     hook_data
   end
 
+  def labels_array
+    labels.to_a
+  end
+
   def label_names
     labels.order('title ASC').pluck(:title)
   end

app/models/legacy_diff_note.rb

@@ -110,6 +110,10 @@ class LegacyDiffNote < Note
     @active
   end
 
+  def award_emoji_supported?
+    false
+  end
+
   private
 
   def find_diff

app/models/network/graph.rb

@@ -164,7 +164,7 @@ module Network
           i != range.last &&
           @commits[i].spaces.include?(overlap_space)
 
-          return true;
+          return true
         end
       end
 
@@ -205,7 +205,7 @@ module Network
       # Visit branching chains
       leaves.each do |l|
         parents = l.parents(@map).select{|p| p.space.zero?}
-        for p in parents
+        parents.each do |p|
           place_chain(p, l.time)
         end
       end
@@ -223,7 +223,7 @@ module Network
     end
 
     def mark_reserved(time_range, space)
-      for day in time_range
+      time_range.each do |day|
         @reserved[day].push(space)
       end
     end
@@ -232,7 +232,7 @@ module Network
       space_default ||= space_base
 
       reserved = []
-      for day in time_range
+      time_range.each do |day|
         reserved.push(*@reserved[day])
       end
       reserved.uniq!

app/models/note.rb

@@ -21,11 +21,8 @@ class Note < ActiveRecord::Base
   delegate :name, :email, to: :author, prefix: true
   delegate :title, to: :noteable, allow_nil: true
 
-  before_validation :set_award!
-
   validates :note, :project, presence: true
-  validates :note, uniqueness: { scope: [:author, :noteable_type, :noteable_id] }, if: ->(n) { n.is_award }
-  validates :note, inclusion: { in: Emoji.emojis_names }, if: ->(n) { n.is_award }
+
   # Attachments are deprecated and are handled by Markdown uploader
   validates :attachment, file_size: { maximum: :max_attachment_size }
 
@@ -43,8 +40,6 @@ class Note < ActiveRecord::Base
   mount_uploader :attachment, AttachmentUploader
 
   # Scopes
-  scope :awards, ->{ where(is_award: true) }
-  scope :nonawards, ->{ where(is_award: false) }
   scope :for_commit_id, ->(commit_id) { where(noteable_type: "Commit", commit_id: commit_id) }
   scope :system, ->{ where(system: true) }
   scope :user, ->{ where(system: false) }
@@ -109,19 +104,6 @@ class Note < ActiveRecord::Base
         found_notes.where('issues.confidential IS NULL OR issues.confidential IS FALSE')
       end
     end
-
-    def grouped_awards
-      notes = {}
-
-      awards.select(:note).distinct.map do |note|
-        notes[note.note] = where(note: note.note)
-      end
-
-      notes["thumbsup"] ||= Note.none
-      notes["thumbsdown"] ||= Note.none
-
-      notes
-    end
   end
 
   def cross_reference?
@@ -205,44 +187,24 @@ class Note < ActiveRecord::Base
     Event.reset_event_cache_for(self)
   end
 
-  def downvote?
-    is_award && note == "thumbsdown"
-  end
-
-  def upvote?
-    is_award && note == "thumbsup"
-  end
-
   def editable?
-    !system? && !is_award
+    !system?
   end
 
   def cross_reference_not_visible_for?(user)
     cross_reference? && referenced_mentionables(user).empty?
   end
 
-  # Checks if note is an award added as a comment
-  #
-  # If note is an award, this method sets is_award to true
-  #   and changes content of the note to award name.
-  #
-  # Method is executed as a before_validation callback.
-  #
-  def set_award!
-    return unless awards_supported? && contains_emoji_only?
-
-    self.is_award = true
-    self.note = award_emoji_name
+  def award_emoji?
+    award_emoji_supported? && contains_emoji_only?
   end
 
-  private
-
   def clear_blank_line_code!
     self.line_code = nil if self.line_code.blank?
   end
 
-  def awards_supported?
-    (for_issue? || for_merge_request?) && !diff_note?
+  def award_emoji_supported?
+    noteable.is_a?(Awardable)
   end
 
   def contains_emoji_only?
@@ -251,6 +213,6 @@ class Note < ActiveRecord::Base
 
   def award_emoji_name
     original_name = note.match(Banzai::Filter::EmojiFilter.emoji_pattern)[1]
-    AwardEmoji.normilize_emoji_name(original_name)
+    Gitlab::AwardEmoji.normalize_emoji_name(original_name)
   end
 end

app/models/project.rb

@@ -309,21 +309,25 @@ class Project < ActiveRecord::Base
     @repository ||= Repository.new(path_with_namespace, self)
   end
 
+  def container_registry_path_with_namespace
+    path_with_namespace.downcase
+  end
+
   def container_registry_repository
     return unless Gitlab.config.registry.enabled
 
     @container_registry_repository ||= begin
-      token = Auth::ContainerRegistryAuthenticationService.full_access_token(path_with_namespace)
+      token = Auth::ContainerRegistryAuthenticationService.full_access_token(container_registry_path_with_namespace)
       url = Gitlab.config.registry.api_url
       host_port = Gitlab.config.registry.host_port
       registry = ContainerRegistry::Registry.new(url, token: token, path: host_port)
-      registry.repository(path_with_namespace)
+      registry.repository(container_registry_path_with_namespace)
     end
   end
 
   def container_registry_repository_url
     if Gitlab.config.registry.enabled
-      "#{Gitlab.config.registry.host_port}/#{path_with_namespace}"
+      "#{Gitlab.config.registry.host_port}/#{container_registry_path_with_namespace}"
     end
   end
 
@@ -1007,4 +1011,22 @@ class Project < ActiveRecord::Base
 
     update_attribute(:pending_delete, true)
   end
+
+  def running_or_pending_build_count(force: false)
+    Rails.cache.fetch(['projects', id, 'running_or_pending_build_count'], force: force) do
+      builds.running_or_pending.count(:all)
+    end
+  end
+
+  def mark_import_as_failed(error_message)
+    original_errors = errors.dup
+    sanitized_message = Gitlab::UrlSanitizer.sanitize(error_message)
+
+    import_fail
+    update_column(:import_error, sanitized_message)
+  rescue ActiveRecord::ActiveRecordError => e
+    Rails.logger.error("Error setting import status to failed: #{e.message}. Original error: #{sanitized_message}")
+  ensure
+    @errors = original_errors
+  end
 end

app/models/project_import_data.rb

@@ -6,7 +6,8 @@ class ProjectImportData < ActiveRecord::Base
                  key: Gitlab::Application.secrets.db_key_base,
                  marshal: true,
                  encode: true,
-                 mode: :per_attribute_iv_and_salt
+                 mode: :per_attribute_iv_and_salt,
+                 algorithm: 'aes-256-cbc'
 
   serialize :data, JSON
 

app/models/project_services/irker_service.rb

@@ -83,7 +83,7 @@ class IrkerService < Service
     self.channels = recipients.split(/\s+/).map do |recipient|
       format_channel(recipient)
     end
-    channels.reject! &:nil?
+    channels.reject!(&:nil?)
   end
 
   def format_channel(recipient)

app/models/u2f_registration.rb

+# Registration information for U2F (universal 2nd factor) devices, like Yubikeys
+
+class U2fRegistration < ActiveRecord::Base
+  belongs_to :user
+
+  def self.register(user, app_id, json_response, challenges)
+    u2f = U2F::U2F.new(app_id)
+    registration = self.new
+
+    begin
+      response = U2F::RegisterResponse.load_from_json(json_response)
+      registration_data = u2f.register!(challenges, response)
+      registration.update(certificate: registration_data.certificate,
+                          key_handle: registration_data.key_handle,
+                          public_key: registration_data.public_key,
+                          counter: registration_data.counter,
+                          user: user)
+    rescue JSON::ParserError, NoMethodError, ArgumentError
+      registration.errors.add(:base, 'Your U2F device did not send a valid JSON response.')
+    rescue U2F::Error => e
+      registration.errors.add(:base, e.message)
+    end
+
+    registration
+  end
+
+  def self.authenticate(user, app_id, json_response, challenges)
+    response = U2F::SignResponse.load_from_json(json_response)
+    registration = user.u2f_registrations.find_by_key_handle(response.key_handle)
+    u2f = U2F::U2F.new(app_id)
+
+    if registration
+      u2f.authenticate!(challenges, response, Base64.decode64(registration.public_key), registration.counter)
+      registration.update(counter: response.counter)
+      true
+    end
+  rescue JSON::ParserError, NoMethodError, ArgumentError, U2F::Error
+    false
+  end
+end

app/models/user.rb

@@ -20,14 +20,18 @@ class User < ActiveRecord::Base
   default_value_for :hide_no_password, false
   default_value_for :theme_id, gitlab_config.default_theme
 
+  attr_encrypted :otp_secret,
+    key:       Gitlab::Application.config.secret_key_base,
+    mode:      :per_attribute_iv_and_salt,
+    algorithm: 'aes-256-cbc'
+
   devise :two_factor_authenticatable,
          otp_secret_encryption_key: Gitlab::Application.config.secret_key_base
-  alias_attribute :two_factor_enabled, :otp_required_for_login
 
   devise :two_factor_backupable, otp_number_of_backup_codes: 10
   serialize :otp_backup_codes, JSON
 
-  devise :lockable, :async, :recoverable, :rememberable, :trackable,
+  devise :lockable, :recoverable, :rememberable, :trackable,
     :validatable, :omniauthable, :confirmable, :registerable
 
   attr_accessor :force_random_password
@@ -46,6 +50,7 @@ class User < ActiveRecord::Base
   has_many :keys, dependent: :destroy
   has_many :emails, dependent: :destroy
   has_many :identities, dependent: :destroy, autosave: true
+  has_many :u2f_registrations, dependent: :destroy
 
   # Groups
   has_many :members, dependent: :destroy
@@ -79,6 +84,7 @@ class User < ActiveRecord::Base
   has_many :builds,                   dependent: :nullify, class_name: 'Ci::Build'
   has_many :todos,                    dependent: :destroy
   has_many :notification_settings,    dependent: :destroy
+  has_many :award_emoji,              as: :awardable, dependent: :destroy
 
   #
   # Validations
@@ -169,8 +175,16 @@ class User < ActiveRecord::Base
   scope :active, -> { with_state(:active) }
   scope :not_in_project, ->(project) { project.users.present? ? where("id not in (:ids)", ids: project.users.map(&:id) ) : all }
   scope :without_projects, -> { where('id NOT IN (SELECT DISTINCT(user_id) FROM members)') }
-  scope :with_two_factor,    -> { where(two_factor_enabled: true) }
-  scope :without_two_factor, -> { where(two_factor_enabled: false) }
+
+  def self.with_two_factor
+    joins("LEFT OUTER JOIN u2f_registrations AS u2f ON u2f.user_id = users.id").
+      where("u2f.id IS NOT NULL OR otp_required_for_login = ?", true).distinct(arel_table[:id])
+  end
+
+  def self.without_two_factor
+    joins("LEFT OUTER JOIN u2f_registrations AS u2f ON u2f.user_id = users.id").
+      where("u2f.id IS NULL AND otp_required_for_login = ?", false)
+  end
 
   #
   # Class methods
@@ -317,14 +331,29 @@ class User < ActiveRecord::Base
   end
 
   def disable_two_factor!
-    update_attributes(
-      two_factor_enabled:          false,
-      encrypted_otp_secret:        nil,
-      encrypted_otp_secret_iv:     nil,
-      encrypted_otp_secret_salt:   nil,
-      otp_grace_period_started_at: nil,
-      otp_backup_codes:            nil
-    )
+    transaction do
+      update_attributes(
+        otp_required_for_login:      false,
+        encrypted_otp_secret:        nil,
+        encrypted_otp_secret_iv:     nil,
+        encrypted_otp_secret_salt:   nil,
+        otp_grace_period_started_at: nil,
+        otp_backup_codes:            nil
+      )
+      self.u2f_registrations.destroy_all
+    end
+  end
+
+  def two_factor_enabled?
+    two_factor_otp_enabled? || two_factor_u2f_enabled?
+  end
+
+  def two_factor_otp_enabled?
+    self.otp_required_for_login?
+  end
+
+  def two_factor_u2f_enabled?
+    self.u2f_registrations.exists?
   end
 
   def namespace_uniq
@@ -771,6 +800,23 @@ class User < ActiveRecord::Base
     notification_settings.find_or_initialize_by(source: source)
   end
 
+  def assigned_open_merge_request_count(force: false)
+    Rails.cache.fetch(['users', id, 'assigned_open_merge_request_count'], force: force) do
+      assigned_merge_requests.opened.count
+    end
+  end
+
+  def assigned_open_issues_count(force: false)
+    Rails.cache.fetch(['users', id, 'assigned_open_issues_count'], force: force) do
+      assigned_issues.opened.count
+    end
+  end
+
+  def update_cache_counts
+    assigned_open_merge_request_count(force: true)
+    assigned_open_issues_count(force: true)
+  end
+
   private
 
   def projects_union

app/services/issuable_base_service.rb

@@ -45,6 +45,8 @@ class IssuableBaseService < BaseService
 
     unless can?(current_user, ability, project)
       params.delete(:milestone_id)
+      params.delete(:add_label_ids)
+      params.delete(:remove_label_ids)
       params.delete(:label_ids)
       params.delete(:assignee_id)
     end
@@ -67,10 +69,34 @@ class IssuableBaseService < BaseService
   end
 
   def filter_labels
-    return if params[:label_ids].to_a.empty?
+    if params[:add_label_ids].present? || params[:remove_label_ids].present?
+      params.delete(:label_ids)
+
+      filter_labels_in_param(:add_label_ids)
+      filter_labels_in_param(:remove_label_ids)
+    else
+      filter_labels_in_param(:label_ids)
+    end
+  end
+
+  def filter_labels_in_param(key)
+    return if params[key].to_a.empty?
 
-    params[:label_ids] =
-      project.labels.where(id: params[:label_ids]).pluck(:id)
+    params[key] = project.labels.where(id: params[key]).pluck(:id)
+  end
+
+  def update_issuable(issuable, attributes)
+    issuable.with_transaction_returning_status do
+      add_label_ids = attributes.delete(:add_label_ids)
+      remove_label_ids = attributes.delete(:remove_label_ids)
+
+      issuable.label_ids |= add_label_ids if add_label_ids
+      issuable.label_ids -= remove_label_ids if remove_label_ids
+
+      issuable.assign_attributes(attributes.merge(updated_by: current_user))
+
+      issuable.save
+    end
   end
 
   def update(issuable)
@@ -78,7 +104,7 @@ class IssuableBaseService < BaseService
     filter_params
     old_labels = issuable.labels.to_a
 
-    if params.present? && issuable.update_attributes(params.merge(updated_by: current_user))
+    if params.present? && update_issuable(issuable, params)
       issuable.reset_events_cache
       handle_common_system_notes(issuable, old_labels: old_labels)
       handle_changes(issuable, old_labels: old_labels)

app/services/issues/bulk_update_service.rb

@@ -4,9 +4,9 @@ module Issues
       issues_ids   = params.delete(:issues_ids).split(",")
       issue_params = params
 
-      issue_params.delete(:state_event)   unless issue_params[:state_event].present?
-      issue_params.delete(:milestone_id)  unless issue_params[:milestone_id].present?
-      issue_params.delete(:assignee_id)   unless issue_params[:assignee_id].present?
+      %i(state_event milestone_id assignee_id add_label_ids remove_label_ids).each do |key|
+        issue_params.delete(key) unless issue_params[key].present?
+      end
 
       issues = Issue.where(id: issues_ids)
       issues.each do |issue|

app/services/issues/move_service.rb

@@ -24,6 +24,7 @@ module Issues
         @new_issue = create_new_issue
 
         rewrite_notes
+        rewrite_award_emoji
         add_note_moved_from
 
         # Old issue tasks
@@ -72,6 +73,14 @@ module Issues
       end
     end
 
+    def rewrite_award_emoji
+      @old_issue.award_emoji.each do |award|
+        new_award = award.dup
+        new_award.awardable = @new_issue
+        new_award.save
+      end
+    end
+
     def rewrite_content(content)
       return unless content
 

app/services/notes/create_service.rb

@@ -5,6 +5,13 @@ module Notes
       note.author = current_user
       note.system = false
 
+      if note.award_emoji?
+        noteable = note.noteable
+        todo_service.new_award_emoji(noteable, current_user)
+
+        return noteable.create_award_emoji(note.award_emoji_name, current_user)
+      end
+
       if note.save
         # Finish the harder work in the background
         NewNoteWorker.perform_in(2.seconds, note.id, params)

app/services/notes/post_process_service.rb

@@ -8,7 +8,7 @@ module Notes
 
     def execute
       # Skip system notes, like status changes and cross-references and awards
-      unless @note.system || @note.is_award
+      unless @note.system?
         EventCreateService.new.leave_note(@note, @note.author)
         @note.create_cross_references!
         execute_note_hooks

app/services/notification_service.rb

@@ -130,8 +130,7 @@ class NotificationService
 
     # ignore gitlab service messages
     return true if note.note.start_with?('Status changed to closed')
-    return true if note.cross_reference? && note.system == true
-    return true if note.is_award
+    return true if note.cross_reference? && note.system?
 
     target = note.noteable
 

app/services/oauth2/access_token_validation_service.rb

@@ -22,6 +22,7 @@ module Oauth2::AccessTokenValidationService
     end
 
     protected
+
     # True if the token's scope is a superset of required scopes,
     # or the required scopes is empty.
     def sufficient_scope?(token, scopes)

app/services/projects/create_service.rb

@@ -56,14 +56,14 @@ module Projects
 
       after_create_actions if @project.persisted?
 
-      @project.add_import_job if @project.import?
-
+      if @project.errors.empty?
+        @project.add_import_job if @project.import?
+      else
+        fail(error: @project.errors.full_messages.join(', '))
+      end
       @project
     rescue => e
-      message = "Unable to save project: #{e.message}"
-      Rails.logger.error(message)
-      @project.errors.add(:base, message) if @project
-      @project
+      fail(error: e.message)
     end
 
     protected
@@ -103,5 +103,19 @@ module Projects
         end
       end
     end
+
+    def fail(error:)
+      message = "Unable to save project. Error: #{error}"
+      message << "Project ID: #{@project.id}" if @project && @project.id
+
+      Rails.logger.error(message)
+
+      if @project && @project.import?
+        @project.errors.add(:base, message)
+        @project.mark_import_as_failed(message)
+      end
+
+      @project
+    end
   end
 end

app/services/projects/import_service.rb

@@ -39,7 +39,7 @@ module Projects
       begin
         gitlab_shell.import_repository(project.path_with_namespace, project.import_url)
       rescue Gitlab::Shell::Error => e
-        raise Error, e.message
+        raise Error,  "Error importing repository #{project.import_url} into #{project.path_with_namespace} - #{e.message}"
       end
     end
 

app/services/todo_service.rb

@@ -122,6 +122,14 @@ class TodoService
     handle_note(note, current_user)
   end
 
+  # When an emoji is awarded we should:
+  #
+  #  * mark all pending todos related to the awardable for the current user as done
+  #
+  def new_award_emoji(awardable, current_user)
+    mark_pending_todos_as_done(awardable, current_user)
+  end
+
   # When marking pending todos as done we should:
   #
   #  * mark all pending todos related to the target for the current user as done

app/views/award_emoji/_awards_block.html.haml

+- grouped_emojis = awardable.grouped_awards(with_thumbs: inline)
+.awards.js-awards-block{ class: ("hidden" if !inline && grouped_emojis.empty?), data: { award_url: url_for([:toggle_award_emoji, @project.namespace.becomes(Namespace), @project, awardable]) } }
+  - awards_sort(grouped_emojis).each do |emoji, awards|
+    %button.btn.award-control.js-emoji-btn.has-tooltip{ type: "button", class: (award_active_class(awards, current_user)), data: { placement: "bottom", title: award_user_list(awards, current_user) } }
+      = emoji_icon(emoji, sprite: false)
+      %span.award-control-text.js-counter
+        = awards.count
+
+  - if current_user
+    :javascript
+      gl.awardMenuUrl = "#{emojis_path}"
+
+    .award-menu-holder.js-award-holder
+      %button.btn.award-control.js-add-award{ type: "button", data: { award_menu_url: emojis_path } }
+        = icon('smile-o', class: "award-control-icon award-control-icon-normal")
+        = icon('spinner spin', class: "award-control-icon award-control-icon-loading")
+        %span.award-control-text
+          Add

app/views/devise/sessions/two_factor.html.haml

 %div
   .login-box
     .login-heading
-      %h3 Two-factor Authentication
+      %h3 Two-Factor Authentication
     .login-body
-      = form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f|
-        = f.hidden_field :remember_me, value: params[resource_name][:remember_me]
-        = f.text_field :otp_attempt, class: 'form-control', placeholder: 'Two-factor Authentication code', required: true, autofocus: true
-        %p.help-block.hint Enter the code from the two-factor app on your mobile device. If you've lost your device, you may enter one of your recovery codes.
-        .prepend-top-20
-          = f.submit "Verify code", class: "btn btn-save"
+      - if @user.two_factor_otp_enabled?
+        %h5 Authenticate via Two-Factor App
+        = form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f|
+          = f.hidden_field :remember_me, value: params[resource_name][:remember_me]
+          = f.text_field :otp_attempt, class: 'form-control', placeholder: 'Two-Factor Authentication code', required: true, autofocus: true, autocomplete: 'off'
+          %p.help-block.hint Enter the code from the two-factor app on your mobile device. If you've lost your device, you may enter one of your recovery codes.
+          .prepend-top-20
+            = f.submit "Verify code", class: "btn btn-save"
+
+      - if @user.two_factor_u2f_enabled?
+
+        %hr
+        = render "u2f/authenticate"

app/views/emojis/index.html.haml

 .emoji-menu
   .emoji-menu-content
     = text_field_tag :emoji_search, "", class: "emoji-search search-input form-control"
-    - AwardEmoji.emoji_by_category.each do |category, emojis|
+    - Gitlab::AwardEmoji.emoji_by_category.each do |category, emojis|
       %h5.emoji-menu-title
-        = AwardEmoji::CATEGORIES[category]
+        = Gitlab::AwardEmoji::CATEGORIES[category]
       %ul.clearfix.emoji-menu-list
         - emojis.each do |emoji|
           %li.pull-left.text-center.emoji-menu-list-item

app/views/help/_shortcuts.html.haml

@@ -24,7 +24,7 @@
                 %td Show/hide this dialog
               %tr
                 %td.shortcut
-                  - if browser.mac?
+                  - if browser.platform.mac?
                     .key ⌘ shift p
                   - else
                     .key ctrl shift p

app/views/layouts/_head.html.haml

@@ -30,9 +30,10 @@
 
   = javascript_include_tag "application"
 
-  = csrf_meta_tags
+  - if page_specific_javascripts
+    = javascript_include_tag page_specific_javascripts, {"data-turbolinks-track" => true}
 
-  = include_gon
+  = csrf_meta_tags
 
   - unless browser.safari?
     %meta{name: 'referrer', content: 'origin-when-cross-origin'}

app/views/layouts/_search.html.haml

@@ -6,11 +6,8 @@
 .search.search-form{class: "#{'has-location-badge' if label.present?}"}
   = form_tag search_path, method: :get, class: 'navbar-form' do |f|
     .search-input-container
-      .search-location-badge
-        - if label.present?
-          %span.location-badge
-            %i.location-text
-              = label
+      - if label.present?
+        .location-badge= label
       .search-input-wrap
         .dropdown{ data: {url: search_autocomplete_path } }
           = search_field_tag "search", nil, placeholder: 'Search', class: "search-input dropdown-menu-toggle", spellcheck: false, tabindex: "1", autocomplete: 'off',  data: { toggle: 'dropdown' }

app/views/layouts/application.html.haml

@@ -2,6 +2,8 @@
 %html{ lang: "en"}
   = render "layouts/head"
   %body{class: "#{user_application_theme}", 'data-page' => body_data_page}
+    = Gon::Base.render_data
+
     -# Ideally this would be inside the head, but turbolinks only evaluates page-specific JS in the body.
     = yield :scripts_body_top
 

app/views/layouts/devise.html.haml

@@ -2,6 +2,7 @@
 %html{ lang: "en"}
   = render "layouts/head"
   %body.ui_charcoal.login-page.application.navless
+    = Gon::Base.render_data
     = render "layouts/header/empty"
     = render "layouts/broadcast"
     .container.navless-container

app/views/layouts/devise_empty.html.haml

@@ -2,6 +2,7 @@
 %html{ lang: "en"}
   = render "layouts/head"
   %body.ui_charcoal.login-page.application.navless
+    = Gon::Base.render_data
     = render "layouts/header/empty"
     = render "layouts/broadcast"
     .container.navless-container

app/views/layouts/errors.html.haml

@@ -2,6 +2,7 @@
 %html{ lang: "en"}
   = render "layouts/head"
   %body{class: "#{user_application_theme} application navless"}
+    = Gon::Base.render_data
     = render "layouts/header/empty"
     .container.navless-container
       = render "layouts/flash"

app/views/layouts/nav/_dashboard.html.haml

@@ -30,13 +30,13 @@
       = icon('exclamation-circle fw')
       %span
         Issues
-        %span.count= number_with_delimiter(current_user.assigned_issues.opened.count)
+        %span.count= number_with_delimiter(current_user.assigned_open_issues_count)
   = nav_link(path: 'dashboard#merge_requests') do
     = link_to assigned_mrs_dashboard_path, title: 'Merge Requests', class: 'dashboard-shortcuts-merge_requests' do
       = icon('tasks fw')
       %span
         Merge Requests
-        %span.count= number_with_delimiter(current_user.assigned_merge_requests.opened.count)
+        %span.count= number_with_delimiter(current_user.assigned_open_merge_request_count)
   = nav_link(controller: :snippets) do
     = link_to dashboard_snippets_path, title: 'Snippets' do
       = icon('clipboard fw')

app/views/layouts/nav/_project.html.haml

@@ -33,18 +33,11 @@
         %span
           Activity
     - if project_nav_tab? :files
-      = nav_link(controller: %w(tree blob blame edit_tree new_tree find_file)) do
+      = nav_link(controller: %w(tree blob blame edit_tree new_tree find_file commit commits compare repositories tags branches releases network)) do
         = link_to project_files_path(@project), title: 'Files',  class: 'shortcuts-tree' do
-          = icon('files-o fw')
+          = icon('code fw')
           %span
-            Files
-
-    - if project_nav_tab? :commits
-      = nav_link(controller: %w(commit commits compare repositories tags branches releases network)) do
-        = link_to project_commits_path(@project), title: 'Commits', class: 'shortcuts-commits' do
-          = icon('history fw')
-          %span
-            Commits
+            Code
 
     - if project_nav_tab? :pipelines
       = nav_link(controller: :pipelines) do
@@ -52,22 +45,13 @@
           = icon('ship fw')
           %span
             Pipelines
-            %span.badge.count.ci_counter= number_with_delimiter(@project.ci_commits.running_or_pending.count)
-
-    - if project_nav_tab? :builds
-      = nav_link(controller: %w(builds)) do
-        = link_to project_builds_path(@project), title: 'Builds', class: 'shortcuts-builds' do
-          = icon('cubes fw')
-          %span
-            Builds
-            %span.badge.count.builds_counter= number_with_delimiter(@project.builds.running_or_pending.count(:all))
 
     - if project_nav_tab? :container_registry
       = nav_link(controller: %w(container_registry)) do
         = link_to project_container_registry_path(@project), title: 'Container Registry', class: 'shortcuts-container-registry' do
           = icon('hdd-o fw')
           %span
-            Container Registry
+            Registry
 
     - if project_nav_tab? :graphs
       = nav_link(controller: %w(graphs)) do
@@ -132,4 +116,16 @@
       = link_to new_namespace_project_issue_path(@project.namespace, @project), class: 'shortcuts-new-issue' do
         Create a new issue
 
+    -# Shortcut to builds page
+    - if project_nav_tab? :builds
+      %li.hidden
+        = link_to project_builds_path(@project), title: 'Builds', class: 'shortcuts-builds' do
+          Builds
+
+    -# Shortcut to commits page
+    - if project_nav_tab? :commits
+      %li.hidden
+        = link_to project_commits_path(@project), title: 'Commits', class: 'shortcuts-commits' do
+          Commits
+
     .fade-right

app/views/profiles/accounts/show.html.haml

@@ -11,7 +11,7 @@
     %p
       Your private token is used to access application resources without authentication.
   .col-lg-9
-    = form_for @user, url: reset_private_token_profile_path, method: :put, html: {class: "private-token"} do |f|
+    = form_for @user, url: reset_private_token_profile_path, method: :put, html: { class: "private-token" } do |f|
       %p.cgray
         - if current_user.private_token
           = label_tag "token", "Private token", class: "label-light"
@@ -29,21 +29,22 @@
 .row.prepend-top-default
   .col-lg-3.profile-settings-sidebar
     %h4.prepend-top-0
-      Two-factor Authentication
+      Two-Factor Authentication
     %p
-      Increase your account's security by enabling two-factor authentication (2FA).
+      Increase your account's security by enabling Two-Factor Authentication (2FA).
   .col-lg-9
     %p
-      Status: #{current_user.two_factor_enabled? ? 'enabled' : 'disabled'}
-    - if !current_user.two_factor_enabled?
-      %p
-        Download the Google Authenticator application from App Store for iOS or Google Play for Android and scan this code.
-        More information is available in the #{link_to('documentation', help_page_path('profile', 'two_factor_authentication'))}.
-      .append-bottom-10
-        = link_to 'Enable two-factor authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
+      Status: #{current_user.two_factor_enabled? ? 'Enabled' : 'Disabled'}
+    - if current_user.two_factor_enabled?
+      = link_to 'Manage Two-Factor Authentication', profile_two_factor_auth_path, class: 'btn btn-info'
+      = link_to 'Disable', profile_two_factor_auth_path,
+                method: :delete,
+                data: { confirm: "Are you sure? This will invalidate your registered applications and U2F devices." },
+                class: 'btn btn-danger'
     - else
-      = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-danger',
-              data: { confirm: 'Are you sure?' }
+      .append-bottom-10
+        = link_to 'Enable Two-Factor Authentication', profile_two_factor_auth_path, class: 'btn btn-success'
+
 %hr
 - if button_based_providers.any?
   .row.prepend-top-default

app/views/profiles/two_factor_auths/new.html.haml

-- page_title 'Two-factor Authentication', 'Account'
-
-.row.prepend-top-default
-  .col-lg-3
-    %h4.prepend-top-0
-      Two-factor Authentication (2FA)
-    %p
-      Increase your account's security by enabling two-factor authentication (2FA).
-  .col-lg-9
-    %p
-      Download the Google Authenticator application from App Store for iOS or Google Play for Android and scan this code.
-      More information is available in the #{link_to('documentation', help_page_path('profile', 'two_factor_authentication'))}.
-    .row.append-bottom-10
-      .col-md-3
-        = raw @qr_code
-      .col-md-9
-        .account-well
-          %p.prepend-top-0.append-bottom-0
-            Can't scan the code?
-          %p.prepend-top-0.append-bottom-0
-            To add the entry manually, provide the following details to the application on your phone.
-          %p.prepend-top-0.append-bottom-0
-            Account:
-            = current_user.email
-          %p.prepend-top-0.append-bottom-0
-            Key:
-            = current_user.otp_secret.scan(/.{4}/).join(' ')
-          %p.two-factor-new-manual-content
-            Time based: Yes
-    = form_tag profile_two_factor_auth_path, method: :post do |f|
-      - if @error
-        .alert.alert-danger
-          = @error
-      .form-group
-        = label_tag :pin_code, nil, class: "label-light"
-        = text_field_tag :pin_code, nil, class: "form-control", required: true
-      .prepend-top-default
-        = submit_tag 'Enable two-factor authentication', class: 'btn btn-success'
-        = link_to 'Configure it later', skip_profile_two_factor_auth_path, :method => :patch,  class: 'btn btn-cancel' if two_factor_skippable?

app/views/profiles/two_factor_auths/show.html.haml

+- page_title 'Two-Factor Authentication', 'Account'
+- header_title "Two-Factor Authentication", profile_two_factor_auth_path
+
+.row.prepend-top-default
+  .col-lg-3
+    %h4.prepend-top-0
+      Register Two-Factor Authentication App
+    %p
+      Use an app on your mobile device to enable two-factor authentication (2FA).
+  .col-lg-9
+    - if current_user.two_factor_otp_enabled?
+      = icon "check inverse", base: "circle", class: "text-success", text: "You've already enabled two-factor authentication using mobile authenticator applications. You can disable it from your account settings page."
+    - else
+      %p
+        Download the Google Authenticator application from App Store or Google Play Store and scan this code.
+        More information is available in the #{link_to('documentation', help_page_path('profile', 'two_factor_authentication'))}.
+      .row.append-bottom-10
+        .col-md-3
+          = raw @qr_code
+        .col-md-9
+          .account-well
+            %p.prepend-top-0.append-bottom-0
+              Can't scan the code?
+            %p.prepend-top-0.append-bottom-0
+              To add the entry manually, provide the following details to the application on your phone.
+            %p.prepend-top-0.append-bottom-0
+              Account:
+              = current_user.email
+            %p.prepend-top-0.append-bottom-0
+              Key:
+              = current_user.otp_secret.scan(/.{4}/).join(' ')
+            %p.two-factor-new-manual-content
+              Time based: Yes
+      = form_tag profile_two_factor_auth_path, method: :post do |f|
+        - if @error
+          .alert.alert-danger
+            = @error
+        .form-group
+          = label_tag :pin_code, nil, class: "label-light"
+          = text_field_tag :pin_code, nil, class: "form-control", required: true
+        .prepend-top-default
+          = submit_tag 'Register with Two-Factor App', class: 'btn btn-success'
+
+%hr
+
+.row.prepend-top-default
+
+  .col-lg-3
+    %h4.prepend-top-0
+      Register Universal Two-Factor (U2F) Device
+    %p
+      Use a hardware device to add the second factor of authentication.
+    %p
+      As U2F devices are only supported by a few browsers, it's recommended that you set up a
+      two-factor authentication app as well as a U2F device so you'll always be able to log in
+      using an unsupported browser.
+  .col-lg-9
+    %p
+      - if @registration_key_handles.present?
+        = icon "check inverse", base: "circle", class: "text-success", text: "You have #{pluralize(@registration_key_handles.size, 'U2F device')} registered with GitLab."
+    - if @u2f_registration.errors.present?
+      = form_errors(@u2f_registration)
+    = render "u2f/register"
+
+- if two_factor_skippable?
+  :javascript
+    var button = "<a class='btn btn-xs btn-warning pull-right' data-method='patch' href='#{skip_profile_two_factor_auth_path}'>Configure it later</a>";
+    $(".flash-alert").append(button);
+

app/views/projects/branches/destroy.js.haml

-$('.js-totalbranch-count').html("#{@repository.branch_count}")