Merge remote-tracking branch 'upstream/master' into new-issue-by-email

* upstream/master: (38 commits) Remove useless new route Update gitlab-shell version to 3.2.1 in the 8.9->8.10 update guide Fix typo in Elixir CI template Add a spec for access_for_user_ids Fix typo in comment Rubocop offenses Optimize the invited group link access level check Incorporate review comments Optimize maximum user access level lookup in loading of notes Fix missing schema update for 20160722221922 Whitelist 'Simplified BSD' license Fix a bug where forking a project from a repository storage to another would fail Remove inline scripts from import pages. Make branches sortable without push permission (!5462) Profile requests when a header is passed Upgrade database_cleaner from 1.4.1 to 1.5.3. Show release notes in tag list Fix expand all diffs button in compare view Add route for Import::GithubController#new Update CHANGELOG ...

Merge remote-tracking branch 'upstream/master' into new-issue-by-email
* upstream/master: (38 commits) Remove useless new route Update gitlab-shell version to 3.2.1 in the 8.9->8.10 update guide Fix typo in Elixir CI template Add a spec for access_for_user_ids Fix typo in comment Rubocop offenses Optimize the invited group link access level check Incorporate review comments Optimize maximum user access level lookup in loading of notes Fix missing schema update for 20160722221922 Whitelist 'Simplified BSD' license Fix a bug where forking a project from a repository storage to another would fail Remove inline scripts from import pages. Make branches sortable without push permission (!5462) Profile requests when a header is passed Upgrade database_cleaner from 1.4.1 to 1.5.3. Show release notes in tag list Fix expand all diffs button in compare view Add route for Import::GithubController#new Update CHANGELOG ...
a1f08a76 · Lin Jen-Shin · d2b026f0 · f4804d5b · a1f08a76 · a1f08a76
Commit a1f08a76 authored Jul 27, 2016 by Lin Jen-Shin
74 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.
 v 8.11.0 (unreleased)
-  - Remove magic comments (`# encoding: UTF-8`) from Ruby files !5456 (winniehell)
+  - Remove magic comments (`# encoding: UTF-8`) from Ruby files. !5456 (winniehell)
  - Fix CI status icon link underline (ClemMakesApps)
  - Fix of 'Commits being passed to custom hooks are already reachable when using the UI'
+  - Add support for using RequestStore within Sidekiq tasks via SIDEKIQ_REQUEST_STORE env variable
+  - Optimize maximum user access level lookup in loading of notes
  - Limit git rev-list output count to one in forced push check
-  - Add green outline to New Branch button !5447 (winniehell)
+  - Clean up unused routes (Josef Strzibny)
+  - Add green outline to New Branch button. !5447 (winniehell)
  - Retrieve rendered HTML from cache in one request
  - Nokogiri's various parsing methods are now instrumented
  - Make fork counter always clickable !5463 (winniehell)
  - Load project invited groups and members eagerly in ProjectTeam#fetch_members
  - Add a way to send an email and create an issue based on private personal token. Find the email address from issues page. !3363
+  - Make fork counter always clickable. !5463 (winniehell)
+  - Remove `search_id` of labels dropdown filter to fix 'Missleading URI for labels in Merge Requests and Issues view'. !5368 (Scott Le)
+  - Load project invited groups and members eagerly in `ProjectTeam#fetch_members`
+  - Make branches sortable without push permission !5462 (winniehell)
  - Add GitLab Workhorse version to admin dashboard (Katarzyna Kobierska Ula Budziszewska)
-  - Add ES6 gem
+  - Add the `sprockets-es6` gem
+  - Multiple trigger variables show in separate lines (Katarzyna Kobierska Ula Budziszewska)
+  - Profile requests when a header is passed
 v 8.10.2 (unreleased)
  - User can now search branches by name. !5144
+  - Add ENV variable to skip repository storages validations
  - Fix backup restore. !5459
+  - Rescue Rugged::OSError (lock exists) when creating references. !5497
+  - Disable MySQL foreign key checks before dropping all tables. !5472
+  - Fix a bug where forking a project from a repository storage to another would fail
+  - Show release notes in tags list
  - Use project ID in repository cache to prevent stale data from persisting across projects. !5460
+  - Ensure relative paths for video are rewritten as we do for images. !5474
+  - Ensure current user can retry a build before showing the 'Retry' button. !5476
+  - Fix expand all diffs button in compare view
 v 8.10.1
  - Refactor repository storages documentation. !5428
@@ -27,10 +44,6 @@ v 8.10.1
  - Fix bug where replies to commit notes displayed in the MR discussion tab wouldn't show up on the commit page. !5446
  - Ignore invalid trusted proxies in X-Forwarded-For header. !5454
  - Add links to the real markdown.md file for all GFM examples. !5458
-  - Remove `search_id` of labels dropdown filter to fix 'Missleading URI for labels in Merge Requests and Issues view' !5368 (Scott Le)
-v 8.10.1 (unreleased)
- - Fix bug where replies to commit notes displayed in the MR discussion tab wouldn't show up on the commit page
 v 8.10.0
  - Fix profile activity heatmap to show correct day name (eanplatter)

--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
-3.2.0
+3.2.1
--- a/Gemfile
+++ b/Gemfile
@@ -275,7 +275,7 @@ group :development, :test do
  gem 'awesome_print', '~> 1.2.0', require: false
  gem 'fuubar', '~> 2.0.0'
-  gem 'database_cleaner',   '~> 1.4.0'
+  gem 'database_cleaner',   '~> 1.5.0'
  gem 'factory_girl_rails', '~> 4.6.0'
  gem 'rspec-rails',        '~> 3.5.0'
  gem 'rspec-retry',        '~> 0.4.5'
@@ -334,6 +334,8 @@ gem 'mail_room', '~> 0.8'
 gem 'email_reply_parser', '~> 0.5.8'
+gem 'ruby-prof', '~> 0.15.9'
 ## CI
 gem 'activerecord-session_store', '~> 1.0.0'
 gem 'nested_form', '~> 0.3.2'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -153,7 +153,7 @@ GEM
    d3_rails (3.5.11)
      railties (>= 3.1.0)
    daemons (1.2.3)
-    database_cleaner (1.4.1)
+    database_cleaner (1.5.3)
    debug_inspector (0.0.2)
    debugger-ruby_core_source (1.3.8)
    default_value_for (3.0.1)
@@ -620,6 +620,7 @@ GEM
      rubocop (>= 0.40.0)
    ruby-fogbugz (0.2.1)
      crack (~> 0.4)
+    ruby-prof (0.15.9)
    ruby-progressbar (1.8.1)
    ruby-saml (1.3.0)
      nokogiri (>= 1.5.10)
@@ -841,7 +842,7 @@ DEPENDENCIES
  connection_pool (~> 2.0)
  creole (~> 0.5.0)
  d3_rails (~> 3.5.0)
-  database_cleaner (~> 1.4.0)
+  database_cleaner (~> 1.5.0)
  default_value_for (~> 3.0.0)
  devise (~> 4.0)
  devise-two-factor (~> 3.0.0)
@@ -948,6 +949,7 @@ DEPENDENCIES
  rubocop (~> 0.41.2)
  rubocop-rspec (~> 1.5.0)
  ruby-fogbugz (~> 0.2.1)
+  ruby-prof (~> 0.15.9)
  sanitize (~> 2.0)
  sass-rails (~> 5.0.0)
  scss_lint (~> 0.47.0)

--- a/app/assets/javascripts/importer_status.js
+++ b/app/assets/javascripts/importer_status.js
@@ -66,4 +66,12 @@
  })();
+  $(function() {
+    if ($('.js-importer-status').length) {
+      var jobsImportPath = $('.js-importer-status').data('jobs-import-path');
+      var importPath = $('.js-importer-status').data('import-path');
+      new ImporterStatus(jobsImportPath, importPath);
+    }
+  });
 }).call(this);
--- a/app/controllers/admin/requests_profiles_controller.rb
+++ b/app/controllers/admin/requests_profiles_controller.rb
+class Admin::RequestsProfilesController < Admin::ApplicationController
+  def index
+    @profile_token = Gitlab::RequestProfiler.profile_token
+    @profiles      = Gitlab::RequestProfiler::Profile.all.group_by(&:request_path)
+  end
+  def show
+    clean_name = Rack::Utils.clean_path_info(params[:name])
+    profile    = Gitlab::RequestProfiler::Profile.find(clean_name)
+    if profile
+      render text: profile.content
+    else
+      redirect_to admin_requests_profiles_path, alert: 'Profile not found'
+    end
+  end
+end
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
 class Projects::IssuesController < Projects::ApplicationController
+  include NotesHelper
  include ToggleSubscriptionAction
  include IssuableActions
  include ToggleAwardEmoji
@@ -70,6 +71,8 @@ class Projects::IssuesController < Projects::ApplicationController
    @note     = @project.notes.new(noteable: @issue)
    @noteable = @issue
+    preload_max_access_for_authors(@notes, @project)
    respond_to do |format|
      format.html
      format.json do

--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -3,6 +3,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
  include DiffForPath
  include DiffHelper
  include IssuableActions
+  include NotesHelper
  include ToggleAwardEmoji
  before_action :module_enabled
@@ -385,6 +386,8 @@ class Projects::MergeRequestsController < Projects::ApplicationController
      @project_wiki,
      @ref
    )
+    preload_max_access_for_authors(@notes, @project)
  end
  def define_widget_vars

--- a/app/controllers/projects/tags_controller.rb
+++ b/app/controllers/projects/tags_controller.rb
@@ -10,11 +10,12 @@ class Projects::TagsController < Projects::ApplicationController
    @tags = @repository.tags_sorted_by(@sort)
    @tags = Kaminari.paginate_array(@tags).page(params[:page])
-    @releases = project.releases.where(tag: @tags)
+    @releases = project.releases.where(tag: @tags.map(&:name))
  end
  def show
    @tag = @repository.find_tag(params[:id])
    @release = @project.releases.find_or_initialize_by(tag: @tag.name)
    @commit = @repository.commit(@tag.target)
  end

--- a/app/helpers/notes_helper.rb
+++ b/app/helpers/notes_helper.rb
@@ -7,7 +7,7 @@ module NotesHelper
  end
  def note_editable?(note)
-    note.editable? && can?(current_user, :admin_note, note)
+    Ability.can_edit_note?(current_user, note)
  end
  def noteable_json(noteable)
@@ -87,14 +87,13 @@ module NotesHelper
    end
  end
-  def note_max_access_for_user(note)
+  def preload_max_access_for_authors(notes, project)
-    @max_access_by_user_id ||= Hash.new do |hash, key|
+    user_ids = notes.map(&:author_id)
-      project = key[:project]
+    project.team.max_member_access_for_user_ids(user_ids)
-      hash[key] = project.team.human_max_access(key[:user_id])
+  end
-    end
-    full_key = { project: note.project, user_id: note.author_id }
+  def note_max_access_for_user(note)
-    @max_access_by_user_id[full_key]
+    note.project.team.human_max_access(note.author_id)
  end
  def discussion_diff_path(discussion)

--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -388,6 +388,18 @@ class Ability
      GroupProjectsFinder.new(group).execute(user).any?
    end
+    def can_edit_note?(user, note)
+      return false if !note.editable? || !user.present?
+      return true if note.author == user || user.admin?
+      if note.project
+        max_access_level = note.project.team.max_member_access(user.id)
+        max_access_level >= Gitlab::Access::MASTER
+      else
+        false
+      end
+    end
    def namespace_abilities(user, namespace)
      rules = []

--- a/app/models/blob.rb
+++ b/app/models/blob.rb
@@ -31,6 +31,10 @@ class Blob < SimpleDelegator
    text? && language && language.name == 'SVG'
  end
+  def video?
+    UploaderHelper::VIDEO_EXT.include?(extname.downcase.delete('.'))
+  end
  def to_partial_path
    if lfs_pointer?
      'download'

--- a/app/models/commit.rb
+++ b/app/models/commit.rb
@@ -295,8 +295,8 @@ class Commit
  def uri_type(path)
    entry = @raw.tree.path(path)
    if entry[:type] == :blob
-      blob = Gitlab::Git::Blob.new(name: entry[:name])
+      blob = ::Blob.decorate(Gitlab::Git::Blob.new(name: entry[:name]))
-      blob.image? ? :raw : :blob
+      blob.image? || blob.video? ? :raw : :blob
    else
      entry[:type]
    end

--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -53,6 +53,10 @@ class Member < ActiveRecord::Base
  default_value_for :notification_level, NotificationSetting.levels[:global]
  class << self
+    def access_for_user_ids(user_ids)
+      where(user_id: user_ids).has_access.pluck(:user_id, :access_level).to_h
+    end
    def find_by_invite_token(invite_token)
      invite_token = Devise.token_generator.digest(self, :invite_token, invite_token)
      find_by(invite_token: invite_token)

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -451,7 +451,9 @@ class Project < ActiveRecord::Base
  def add_import_job
    if forked?
-      job_id = RepositoryForkWorker.perform_async(self.id, forked_from_project.path_with_namespace, self.namespace.path)
+      job_id = RepositoryForkWorker.perform_async(id, forked_from_project.repository_storage_path,
+                                                  forked_from_project.path_with_namespace,
+                                                  self.namespace.path)
    else
      job_id = RepositoryImportWorker.perform_async(self.id)
    end

--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -132,39 +132,63 @@ class ProjectTeam
    Gitlab::Access.options_with_owner.key(max_member_access(user_id))
  end
-  # This method assumes project and group members are eager loaded for optimal
+  # Determine the maximum access level for a group of users in bulk.
-  # performance.
+  #
-  def max_member_access(user_id)
+  # Returns a Hash mapping user ID -> maximum access level.
-    access = []
+  def max_member_access_for_user_ids(user_ids)
+    user_ids = user_ids.uniq
+    key = "max_member_access:#{project.id}"
+    RequestStore.store[key] ||= {}
+    access = RequestStore.store[key]
-    access += project.members.where(user_id: user_id).has_access.pluck(:access_level)
+    # Lookup only the IDs we need
+    user_ids = user_ids - access.keys
-    if group
+    if user_ids.present?
-      access += group.members.where(user_id: user_id).has_access.pluck(:access_level)
+      user_ids.each { |id| access[id] = Gitlab::Access::NO_ACCESS }
-    end
-    if project.invited_groups.any? && project.allowed_to_share_with_group?
+      member_access = project.members.access_for_user_ids(user_ids)
-      access << max_invited_level(user_id)
+      merge_max!(access, member_access)
+      if group
+        group_access = group.members.access_for_user_ids(user_ids)
+        merge_max!(access, group_access)
+      end
+      # Each group produces a list of maximum access level per user. We take the
+      # max of the values produced by each group.
+      if project.invited_groups.any? && project.allowed_to_share_with_group?
+        project.project_group_links.each do |group_link|
+          invited_access = max_invited_level_for_users(group_link, user_ids)
+          merge_max!(access, invited_access)
+        end
+      end
    end
-    access.compact.max
+    access
+  end
+  def max_member_access(user_id)
+    max_member_access_for_user_ids([user_id])[user_id]
  end
  private
-  def max_invited_level(user_id)
+  # For a given group, return the maximum access level for the user. This is the min of
-    project.project_group_links.map do |group_link|
+  # the invited access level of the group and the access level of the user within the group.
-      invited_group = group_link.group
+  # For example, if the group has been given DEVELOPER access but the member has MASTER access,
-      access = invited_group.group_members.find_by(user_id: user_id).try(:access_field)
+  # the user should receive only DEVELOPER access.
+  def max_invited_level_for_users(group_link, user_ids)
+    invited_group = group_link.group
+    capped_access_level = group_link.group_access
+    access = invited_group.group_members.access_for_user_ids(user_ids)
-      # If group member has higher access level we should restrict it
+    # If the user is not in the list, assume he/she does not have access
-      # to max allowed access level
+    missing_users = user_ids - access.keys
-      if access && access > group_link.group_access
+    missing_users.each { |id| access[id] = Gitlab::Access::NO_ACCESS }
-        access = group_link.group_access
-      end
-      access
+    # Cap the maximum access by the invited level access
-    end.compact.max
+    access.each { |key, value| access[key] = [value, capped_access_level].min }
  end
  def fetch_members(level = nil)
@@ -215,4 +239,8 @@ class ProjectTeam
  def group
    project.group
  end
+  def merge_max!(first_hash, second_hash)
+    first_hash.merge!(second_hash) { |_key, old, new| old > new ? old : new }
+  end
 end
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -211,6 +211,9 @@ class Repository
      rugged.references.create(keep_around_ref_name(sha), sha, force: true)
    rescue Rugged::ReferenceError => ex
      Rails.logger.error "Unable to create keep-around reference for repository #{path}: #{ex}"
+    rescue Rugged::OSError => ex
+      raise unless ex.message =~ /Failed to create locked file/ && ex.message =~ /File exists/
+      Rails.logger.error "Unable to create keep-around reference for repository #{path}: #{ex}"
    end
  end

--- a/app/views/admin/background_jobs/_head.html.haml
+++ b/app/views/admin/background_jobs/_head.html.haml
@@ -16,3 +16,7 @@
      = link_to admin_health_check_path, title: 'Health Check' do
        %span
          Health Check
+    = nav_link(controller: :requests_profiles) do
+      = link_to admin_requests_profiles_path, title: 'Requests Profiles' do
+        %span
+          Requests Profiles
--- a/app/views/admin/requests_profiles/index.html.haml
+++ b/app/views/admin/requests_profiles/index.html.haml
+- @no_container = true
+- page_title 'Requests Profiles'
+= render 'admin/background_jobs/head'
+%div{ class: container_class }
+  %h3.page-title
+    = page_title
+  .bs-callout.clearfix
+    Pass the header
+    %code X-Profile-Token: #{@profile_token}
+    to profile the request
+  - if @profiles.present?
+    .prepend-top-default
+      - @profiles.each do |path, profiles|
+        .panel.panel-default.panel-small
+          .panel-heading
+            %code= path
+          %ul.content-list
+            - profiles.each do |profile|
+              %li
+                = link_to profile.time.to_s(:long), admin_requests_profile_path(profile), data: {no_turbolink: true}
+  - else
+    %p
+      No profiles found
--- a/app/views/import/bitbucket/status.html.haml
+++ b/app/views/import/bitbucket/status.html.haml
@@ -74,6 +74,4 @@
    = link_to "import flow", status_import_bitbucket_path, "data-no-turbolink" => "true"
    again.
+.js-importer-status{ data: { jobs_import_path: "#{jobs_import_bitbucket_path}", import_path: "#{import_bitbucket_path}" } }
-:javascript
-  new ImporterStatus("#{jobs_import_bitbucket_path}", "#{import_bitbucket_path}");
--- a/app/views/import/fogbugz/status.html.haml
+++ b/app/views/import/fogbugz/status.html.haml
@@ -56,5 +56,4 @@
              Import
              = icon("spinner spin", class: "loading-icon")
-:javascript
+.js-importer-status{ data: { jobs_import_path: "#{jobs_import_fogbugz_path}", import_path: "#{import_fogbugz_path}" } }
-  new ImporterStatus("#{jobs_import_fogbugz_path}", "#{import_fogbugz_path}");
--- a/app/views/import/github/status.html.haml
+++ b/app/views/import/github/status.html.haml
@@ -55,5 +55,4 @@
              Import
              = icon("spinner spin", class: "loading-icon")
-:javascript
+.js-importer-status{ data: { jobs_import_path: "#{jobs_import_github_path}", import_path: "#{import_github_path}" } }
-  new ImporterStatus("#{jobs_import_github_path}", "#{import_github_path}");
--- a/app/views/import/gitlab/status.html.haml
+++ b/app/views/import/gitlab/status.html.haml
@@ -51,5 +51,4 @@
              Import
              = icon("spinner spin", class: "loading-icon")
-:javascript
+.js-importer-status{ data: { jobs_import_path: "#{jobs_import_gitlab_path}", import_path: "#{import_gitlab_path}" } }
-  new ImporterStatus("#{jobs_import_gitlab_path}", "#{import_gitlab_path}");
--- a/app/views/import/gitorious/status.html.haml
+++ b/app/views/import/gitorious/status.html.haml
@@ -51,5 +51,4 @@
              Import
              = icon("spinner spin", class: "loading-icon")
-:javascript
+.js-importer-status{ data: { jobs_import_path: "#{jobs_import_gitorious_path}", import_path: "#{import_gitorious_path}" } }
-  new ImporterStatus("#{jobs_import_gitorious_path}", "#{import_gitorious_path}");
--- a/app/views/import/google_code/status.html.haml
+++ b/app/views/import/google_code/status.html.haml
@@ -77,5 +77,4 @@
    = link_to "import flow", new_import_google_code_path
    again.
-:javascript
+.js-importer-status{ data: { jobs_import_path: "#{jobs_import_google_code_path}", import_path: "#{import_google_code_path}" } }
-  new ImporterStatus("#{jobs_import_google_code_path}", "#{import_google_code_path}");
--- a/app/views/layouts/nav/_admin.html.haml
+++ b/app/views/layouts/nav/_admin.html.haml
@@ -9,7 +9,7 @@
      = link_to admin_root_path, title: 'Overview', class: 'shortcuts-tree' do
        %span
          Overview
-    = nav_link(controller: %w(system_info background_jobs logs health_check)) do
+    = nav_link(controller: %w(system_info background_jobs logs health_check requests_profiles)) do
      = link_to admin_system_info_path, title: 'Monitoring' do
        %span
          Monitoring

--- a/app/views/projects/branches/index.html.haml
+++ b/app/views/projects/branches/index.html.haml
@@ -7,28 +7,31 @@
    .nav-text
      Protected branches can be managed in project settings
-    - if can? current_user, :push_code, @project
+    .nav-controls
-      .nav-controls
+      = form_tag(filter_branches_path, method: :get) do
-        = form_tag(filter_branches_path, method: :get) do
+        = search_field_tag :search, params[:search], { placeholder: 'Filter by branch name', id: 'branch-search', class: 'form-control search-text-input input-short', spellcheck: false }
-          = search_field_tag :search, params[:search], { placeholder: 'Filter by branch name', id: 'branch-search', class: 'form-control search-text-input input-short', spellcheck: false }
-        .dropdown.inline
+      .dropdown.inline
-          %button.dropdown-toggle.btn{type: 'button', 'data-toggle' => 'dropdown'}
+        %button.dropdown-toggle.btn{type: 'button', 'data-toggle' => 'dropdown'}
-            %span.light
+          %span.light
-            - if params[:sort].present?
+          - if params[:sort].present?
-              = params[:sort].humanize
+            = params[:sort].humanize
-            - else
+          - else
-              Name
+            Name
-            %b.caret
+          %b.caret
-          %ul.dropdown-menu.dropdown-menu-align-right
+        %ul.dropdown-menu.dropdown-menu-align-right
-            %li
+          %li
-              = link_to filter_branches_path(sort: nil) do
+            = link_to filter_branches_path(sort: nil) do
-                = sort_title_name
+              = sort_title_name
-              = link_to filter_branches_path(sort: 'recently_updated') do
+            = link_to filter_branches_path(sort: 'recently_updated') do
-                = sort_title_recently_updated
+              = sort_title_recently_updated
-              = link_to filter_branches_path(sort: 'last_updated') do
+            = link_to filter_branches_path(sort: 'last_updated') do
-                = sort_title_oldest_updated
+              = sort_title_oldest_updated
+      - if can? current_user, :push_code, @project
        = link_to new_namespace_project_branch_path(@project.namespace, @project), class: 'btn btn-create' do
          New branch
  - if @branches.any?
    %ul.content-list.all-branches
      - @branches.each do |branch|

--- a/app/views/projects/builds/_sidebar.html.haml
+++ b/app/views/projects/builds/_sidebar.html.haml
@@ -40,7 +40,7 @@
  .block{ class: ("block-first" if !@build.coverage && !(can?(current_user, :read_build, @project) && (@build.artifacts? || @build.artifacts_expired?))) }
    .title
      Build details
-      - if @build.retryable?
+      - if can?(current_user, :update_build, @build) && @build.retryable?
        = link_to "Retry", retry_namespace_project_build_path(@project.namespace, @project, @build), class: 'pull-right', method: :post
    - if @build.merge_request
      %p.build-detail-row
@@ -88,8 +88,9 @@
        %p
          %span.build-light-text Variables:
-        %code
-          - @build.trigger_request.variables.each do |key, value|
+        - @build.trigger_request.variables.each do |key, value|
+          %code
            #{key}=#{value}
  .block

--- a/app/views/projects/ci/builds/_build.html.haml
+++ b/app/views/projects/ci/builds/_build.html.haml
@@ -22,6 +22,8 @@
      - if defined?(ref) && ref
        - if build.ref
+          .icon-container
+            = build.tag? ? icon('tag') : icon('code-fork')
          = link_to build.ref, namespace_project_commits_path(build.project.namespace, build.project, build.ref), class: "monospace branch-name"
        - else
          .light none

--- a/app/views/projects/diffs/_diffs.html.haml
+++ b/app/views/projects/diffs/_diffs.html.haml
@@ -7,7 +7,7 @@
 .content-block.oneline-block.files-changed
  .inline-parallel-buttons
    - if !expand_all_diffs? && diff_files.any? { |diff_file| diff_file.collapsed? }
-      = link_to 'Expand all', url_for(params.merge(expand_all_diffs: 1, format: 'html')), class: 'btn btn-default'
+      = link_to 'Expand all', url_for(params.merge(expand_all_diffs: 1, format: nil)), class: 'btn btn-default'
    - if show_whitespace_toggle
      - if current_controller?(:commit)
        = commit_diff_whitespace_link(@project, @commit, class: 'hidden-xs')

--- a/app/views/projects/graphs/ci/_build_times.haml
+++ b/app/views/projects/graphs/ci/_build_times.haml
@@ -19,4 +19,9 @@
    ]
  }
  var ctx = $("#build_timesChart").get(0).getContext("2d");
-  new Chart(ctx).Bar(data,{"scaleOverlay": true, responsive: true, maintainAspectRatio: false});
+  var options = { scaleOverlay: true, responsive: true, maintainAspectRatio: false };
+  if (window.innerWidth < 768) {
+    // Scale fonts if window width lower than 768px (iPad portrait)
+    options.scaleFontSize = 8
+  }
+  new Chart(ctx).Bar(data, options);
--- a/app/views/projects/graphs/ci/_builds.haml
+++ b/app/views/projects/graphs/ci/_builds.haml
@@ -48,4 +48,9 @@
      ]
    }
    var ctx = $("##{scope}Chart").get(0).getContext("2d");
-    new Chart(ctx).Line(data,{"scaleOverlay": true, responsive: true, maintainAspectRatio: false});
+    var options = { scaleOverlay: true, responsive: true, maintainAspectRatio: false };
+    if (window.innerWidth < 768) {
+      // Scale fonts if window width lower than 768px (iPad portrait)
+      options.scaleFontSize = 8
+    }
+    new Chart(ctx).Line(data, options);
--- a/app/views/projects/graphs/commits.html.haml
+++ b/app/views/projects/graphs/commits.html.haml
@@ -59,6 +59,10 @@
    var container = $(selector).parent();
    var generateChart = function() {
      selector.attr('width', $(container).width());
+      if (window.innerWidth < 768) {
+        // Scale fonts if window width lower than 768px (iPad portrait)
+        options.scaleFontSize = 8
+      }
      return new Chart(ctx).Bar(data, options);
    };
    // enabling auto-resizing

--- a/app/workers/repository_fork_worker.rb
+++ b/app/workers/repository_fork_worker.rb
@@ -4,7 +4,7 @@ class RepositoryForkWorker
  sidekiq_options queue: :gitlab_shell
-  def perform(project_id, source_path, target_path)
+  def perform(project_id, forked_from_repository_storage_path, source_path, target_path)
    project = Project.find_by_id(project_id)
    unless project.present?
@@ -12,7 +12,8 @@ class RepositoryForkWorker
      return
    end
-    result = gitlab_shell.fork_repository(project.repository_storage_path, source_path, target_path)
+    result = gitlab_shell.fork_repository(forked_from_repository_storage_path, source_path,
+                                          project.repository_storage_path, target_path)
    unless result
      logger.error("Unable to fork project #{project_id} for repository #{source_path} -> #{target_path}")
      project.mark_import_as_failed('The project could not be forked.')

--- a/app/workers/requests_profiles_worker.rb
+++ b/app/workers/requests_profiles_worker.rb
+class RequestsProfilesWorker
+  include Sidekiq::Worker
+  sidekiq_options queue: :default
+  def perform
+    Gitlab::RequestProfiler.remove_all_profiles
+  end
+end
--- a/config/dependency_decisions.yml
+++ b/config/dependency_decisions.yml
@@ -68,6 +68,25 @@
    :why: https://opensource.org/licenses/BSD-2-Clause
    :versions: []
    :when: 2016-05-02 05:55:09.796363000 Z
+- - :whitelist
+  - LGPLv2+
+  - :who: Stan Hu
+    :why: Equivalent to LGPLv2
+    :versions: []
+    :when: 2016-06-07 17:14:10.907682000 Z
+- - :whitelist
+  - Artistic 2.0
+  - :who: Josh Frye
+    :why: Disk/mount information display on Admin pages
+    :versions: []
+    :when: 2016-06-29 16:32:45.432113000 Z
+- - :whitelist
+  - Simplified BSD
+  - :who: Douwe Maan
+    :why: https://opensource.org/licenses/BSD-2-Clause
+    :versions: []
+    :when: 2016-07-26 21:24:07.248480000 Z
 # LICENSE BLACKLIST
 - - :blacklist
@@ -175,15 +194,3 @@
    :why: https://github.com/jmcnevin/rubypants/blob/master/LICENSE.rdoc
    :versions: []
    :when: 2016-05-02 05:56:50.696858000 Z
- - :whitelist
-  - LGPLv2+
-  - :who: Stan Hu
-    :why: Equivalent to LGPLv2
-    :versions: []
-    :when: 2016-06-07 17:14:10.907682000 Z
- - :whitelist
-  - Artistic 2.0
-  - :who: Josh Frye
-    :why: Disk/mount information display on Admin pages
-    :versions: []
-    :when: 2016-06-29 16:32:45.432113000 Z
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -290,6 +290,9 @@ Settings.cron_jobs['repository_archive_cache_worker']['job_class'] = 'Repository
 Settings.cron_jobs['gitlab_remove_project_export_worker'] ||= Settingslogic.new({})
 Settings.cron_jobs['gitlab_remove_project_export_worker']['cron'] ||= '0 * * * *'
 Settings.cron_jobs['gitlab_remove_project_export_worker']['job_class'] = 'GitlabRemoveProjectExportWorker'
+Settings.cron_jobs['requests_profiles_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['requests_profiles_worker']['cron'] ||= '0 0 * * *'
+Settings.cron_jobs['requests_profiles_worker']['job_class'] = 'RequestsProfilesWorker'
 #
 # GitLab Shell

--- a/config/initializers/6_validations.rb
+++ b/config/initializers/6_validations.rb
@@ -26,4 +26,4 @@ def validate_storages
  end
 end
-validate_storages unless Rails.env.test?
+validate_storages unless Rails.env.test? || ENV['SKIP_STORAGE_VALIDATION'] == 'true'
--- a/config/initializers/request_profiler.rb
+++ b/config/initializers/request_profiler.rb
+Rails.application.configure do |config|
+  config.middleware.use(Gitlab::RequestProfiler::Middleware)
+end
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -7,6 +7,7 @@ Sidekiq.configure_server do |config|
  config.server_middleware do |chain|
    chain.add Gitlab::SidekiqMiddleware::ArgumentsLogger if ENV['SIDEKIQ_LOG_ARGUMENTS']
    chain.add Gitlab::SidekiqMiddleware::MemoryKiller if ENV['SIDEKIQ_MEMORY_KILLER_MAX_RSS']
+    chain.add Gitlab::SidekiqMiddleware::RequestStoreMiddleware unless ENV['SIDEKIQ_REQUEST_STORE'] == '0'
  end
  # Sidekiq-cron: load recurring jobs from gitlab.yml

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -42,10 +42,9 @@ Rails.application.routes.draw do
    resource :lint, only: [:show, :create]
-    resources :projects do
+    resources :projects, only: [:index, :show] do
      member do
        get :status, to: 'projects#badge'
-        get :integration
      end
    end
@@ -144,13 +143,13 @@ Rails.application.routes.draw do
      get :jobs
    end
-    resource :gitlab, only: [:create, :new], controller: :gitlab do
+    resource :gitlab, only: [:create], controller: :gitlab do
      get :status
      get :callback
      get :jobs
    end
-    resource :bitbucket, only: [:create, :new], controller: :bitbucket do
+    resource :bitbucket, only: [:create], controller: :bitbucket do
      get :status
      get :callback
      get :jobs
@@ -243,7 +242,6 @@ Rails.application.routes.draw do
        get :projects
        get :keys
        get :groups
-        put :team_update
        put :block
        put :unblock
        put :unlock
@@ -281,6 +279,7 @@ Rails.application.routes.draw do
    resource :health_check, controller: 'health_check', only: [:show]
    resource :background_jobs, controller: 'background_jobs', only: [:show]
    resource :system_info, controller: 'system_info', only: [:show]
+    resources :requests_profiles, only: [:index, :show], param: :name
    resources :namespaces, path: '/projects', constraints: { id: /[a-zA-Z.0-9_\-]+/ }, only: [] do
      root to: 'projects#index', as: :projects
@@ -300,7 +299,7 @@ Rails.application.routes.draw do
      end
    end
-    resource :appearances, path: 'appearance' do
+    resource :appearances, only: [:show, :create, :update], path: 'appearance' do
      member do
        get :preview
        delete :logo
@@ -309,7 +308,7 @@ Rails.application.routes.draw do
    end
    resource :application_settings, only: [:show, :update] do
-      resources :services
+      resources :services, only: [:index, :edit, :update]
      put :reset_runners_token
      put :reset_health_check_token
      put :clear_repository_check_states
@@ -346,7 +345,7 @@ Rails.application.routes.draw do
    end
    scope module: :profiles do
-      resource :account, only: [:show, :update] do
+      resource :account, only: [:show] do
        member do
          delete :unlink
        end
@@ -358,7 +357,7 @@ Rails.application.routes.draw do
        end
      end
      resource :preferences, only: [:show, :update]
-      resources :keys
+      resources :keys, only: [:index, :show, :new, :create, :destroy]
      resources :emails, only: [:index, :create, :destroy]
      resource :avatar, only: [:destroy]
@@ -660,7 +659,7 @@ Rails.application.routes.draw do
          post '/wikis/*id/markdown_preview', to: 'wikis#markdown_preview', constraints: WIKI_SLUG_ID, as: 'wiki_markdown_preview'
        end
-        resource :repository, only: [:show, :create] do
+        resource :repository, only: [:create] do
          member do
            get 'archive', constraints: { format: Gitlab::Regex.archive_formats_regex }
          end
@@ -782,7 +781,7 @@ Rails.application.routes.draw do
          end
        end
-        resources :labels, constraints: { id: /\d+/ } do
+        resources :labels, except: [:show], constraints: { id: /\d+/ } do
          collection do
            post :generate
            post :set_priorities
@@ -807,7 +806,7 @@ Rails.application.routes.draw do
          end
        end
-        resources :project_members, except: [:new, :edit], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ }, concerns: :access_requestable do
+        resources :project_members, except: [:show, :new, :edit], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ }, concerns: :access_requestable do
          collection do
            delete :leave

--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20160721081015) do
+ActiveRecord::Schema.define(version: 20160722221922) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

--- a/doc/ci/docker/using_docker_build.md
+++ b/doc/ci/docker/using_docker_build.md
@@ -38,7 +38,7 @@ GitLab Runner then executes build scripts as the `gitlab-runner` user.
    $ sudo gitlab-ci-multi-runner register -n \
      --url https://gitlab.com/ci \
      --registration-token REGISTRATION_TOKEN \
-      --executor shell
+      --executor shell \
      --description "My Runner"
    ```

--- a/doc/update/8.9-to-8.10.md
+++ b/doc/update/8.9-to-8.10.md
@@ -46,7 +46,7 @@ sudo -u git -H git checkout 8-10-stable-ee
 ```bash
 cd /home/git/gitlab-shell
 sudo -u git -H git fetch --all --tags
-sudo -u git -H git checkout v3.2.0
+sudo -u git -H git checkout v3.2.1
 ```
 ### 5. Update gitlab-workhorse

--- a/lib/banzai/filter/relative_link_filter.rb
+++ b/lib/banzai/filter/relative_link_filter.rb
@@ -20,7 +20,7 @@ module Banzai
          process_link_attr el.attribute('href')
        end
-        doc.search('img').each do |el|
+        doc.css('img, video').each do |el|
          process_link_attr el.attribute('src')
        end

--- a/lib/gitlab/access.rb
+++ b/lib/gitlab/access.rb
@@ -7,6 +7,7 @@ module Gitlab
  module Access
    class AccessDeniedError < StandardError; end
+    NO_ACCESS = 0
    GUEST     = 10
    REPORTER  = 20
    DEVELOPER = 30

--- a/lib/gitlab/backend/shell.rb
+++ b/lib/gitlab/backend/shell.rb
@@ -60,16 +60,18 @@ module Gitlab
    end
    # Fork repository to new namespace
-    # storage - project's storage path
+    # forked_from_storage - forked-from project's storage path
    # path - project path with namespace
+    # forked_to_storage - forked-to project's storage path
    # fork_namespace - namespace for forked project
    #
    # Ex.
-    #  fork_repository("/path/to/storage", "gitlab/gitlab-ci", "randx")
+    #  fork_repository("/path/to/forked_from/storage", "gitlab/gitlab-ci", "/path/to/forked_to/storage", "randx")
    #
-    def fork_repository(storage, path, fork_namespace)
+    def fork_repository(forked_from_storage, path, forked_to_storage, fork_namespace)
      Gitlab::Utils.system_silent([gitlab_shell_projects_path, 'fork-project',
-                                   storage, "#{path}.git", fork_namespace])
+                                   forked_from_storage, "#{path}.git", forked_to_storage,
+                                   fork_namespace])
    end
    # Remove repository from file system

--- a/lib/gitlab/request_profiler.rb
+++ b/lib/gitlab/request_profiler.rb
+require 'fileutils'
+module Gitlab
+  module RequestProfiler
+    PROFILES_DIR = "#{Gitlab.config.shared.path}/tmp/requests_profiles"
+    def profile_token
+      Rails.cache.fetch('profile-token') do
+        Devise.friendly_token
+      end
+    end
+    module_function :profile_token
+    def remove_all_profiles
+      FileUtils.rm_rf(PROFILES_DIR)
+    end
+    module_function :remove_all_profiles
+  end
+end
--- a/lib/gitlab/request_profiler/middleware.rb
+++ b/lib/gitlab/request_profiler/middleware.rb
+require 'ruby-prof'
+module Gitlab
+  module RequestProfiler
+    class Middleware
+      def initialize(app)
+        @app = app
+      end
+      def call(env)
+        if profile?(env)
+          call_with_profiling(env)
+        else
+          @app.call(env)
+        end
+      end
+      def profile?(env)
+        header_token = env['HTTP_X_PROFILE_TOKEN']
+        return unless header_token.present?
+        profile_token = RequestProfiler.profile_token
+        return unless profile_token.present?
+        header_token == profile_token
+      end
+      def call_with_profiling(env)
+        ret = nil
+        result = RubyProf::Profile.profile do
+          ret = @app.call(env)
+        end
+        printer   = RubyProf::CallStackPrinter.new(result)
+        file_name = "#{env['PATH_INFO'].tr('/', '|')}_#{Time.current.to_i}.html"
+        file_path = "#{PROFILES_DIR}/#{file_name}"
+        FileUtils.mkdir_p(PROFILES_DIR)
+        File.open(file_path, 'wb') do |file|
+          printer.print(file)
+        end
+        ret
+      end
+    end
+  end
+end
--- a/lib/gitlab/request_profiler/profile.rb
+++ b/lib/gitlab/request_profiler/profile.rb
+module Gitlab
+  module RequestProfiler
+    class Profile
+      attr_reader :name, :time, :request_path
+      alias_method :to_param, :name
+      def self.all
+        Dir["#{PROFILES_DIR}/*.html"].map do |path|
+          new(File.basename(path))
+        end
+      end
+      def self.find(name)
+        name_dup = name.dup
+        name_dup << '.html' unless name.end_with?('.html')
+        file_path = "#{PROFILES_DIR}/#{name_dup}"
+        return unless File.exist?(file_path)
+        new(name_dup)
+      end
+      def initialize(name)
+        @name = name
+        set_attributes
+      end
+      def content
+        File.read("#{PROFILES_DIR}/#{name}")
+      end
+      private
+      def set_attributes
+        _, path, timestamp = name.split(/(.*)_(\d+)\.html$/)
+        @request_path      = path.tr('|', '/')
+        @time              = Time.at(timestamp.to_i).utc
+      end
+    end
+  end
+end
--- a/lib/gitlab/sidekiq_middleware/request_store_middleware.rb
+++ b/lib/gitlab/sidekiq_middleware/request_store_middleware.rb
+module Gitlab
+  module SidekiqMiddleware
+    class RequestStoreMiddleware
+      def call(worker, job, queue)
+        RequestStore.begin!
+        yield
+      ensure
+        RequestStore.end!
+        RequestStore.clear!
+      end
+    end
+  end
+end
--- a/lib/tasks/gitlab/db.rake
+++ b/lib/tasks/gitlab/db.rake
@@ -25,6 +25,10 @@ namespace :gitlab do
    desc 'Drop all tables'
    task :drop_tables => :environment do
      connection = ActiveRecord::Base.connection
+      # If MySQL, turn off foreign key checks
+      connection.execute('SET FOREIGN_KEY_CHECKS=0') if Gitlab::Database.mysql?
      tables = connection.tables
      tables.delete 'schema_migrations'
      # Truncate schema_migrations to ensure migrations re-run
@@ -35,6 +39,9 @@ namespace :gitlab do
      # MySQL: http://dev.mysql.com/doc/refman/5.7/en/drop-table.html
      # Add `IF EXISTS` because cascade could have already deleted a table.
      tables.each { |t| connection.execute("DROP TABLE IF EXISTS #{connection.quote_table_name(t)} CASCADE") }
+      # If MySQL, re-enable foreign key checks
+      connection.execute('SET FOREIGN_KEY_CHECKS=1') if Gitlab::Database.mysql?
    end
    desc 'Configures the database by running migrate, or by loading the schema and seeding if needed'

--- a/spec/controllers/projects/tags_controller_spec.rb
+++ b/spec/controllers/projects/tags_controller_spec.rb
+require 'spec_helper'
+describe Projects::TagsController do
+  let(:project) { create(:project, :public) }
+  let!(:release) { create(:release, project: project) }
+  let!(:invalid_release) { create(:release, project: project, tag: 'does-not-exist') }
+  describe 'GET index' do
+    before { get :index, namespace_id: project.namespace.to_param, project_id: project.to_param }
+    it 'returns the tags for the page' do
+      expect(assigns(:tags).map(&:name)).to eq(['v1.1.0', 'v1.0.0'])
+    end
+    it 'returns releases matching those tags' do
+      expect(assigns(:releases)).to include(release)
+      expect(assigns(:releases)).not_to include(invalid_release)
+    end
+  end
+end
--- a/spec/factories/ci/trigger_requests.rb
+++ b/spec/factories/ci/trigger_requests.rb
@@ -5,7 +5,8 @@ FactoryGirl.define do
      variables do
        {
-          TRIGGER_KEY: 'TRIGGER_VALUE'
+          TRIGGER_KEY_1: 'TRIGGER_VALUE_1',
+          TRIGGER_KEY_2: 'TRIGGER_VALUE_2'
        }
      end
    end

--- a/spec/features/builds_spec.rb
+++ b/spec/features/builds_spec.rb
@@ -199,9 +199,13 @@ describe "Builds" do
        click_link 'Retry'
      end
-      it { expect(page.status_code).to eq(200) }
+      it 'shows the right status and buttons' do
-      it { expect(page).to have_content 'pending' }
+        expect(page).to have_http_status(200)
-      it { expect(page).to have_content 'Cancel' }
+        expect(page).to have_content 'pending'
+        page.within('aside.right-sidebar') do
+          expect(page).to have_content 'Cancel'
+        end
+      end
    end
    context "Build from other project" do
@@ -212,7 +216,25 @@ describe "Builds" do
        page.driver.post(retry_namespace_project_build_path(@project.namespace, @project, @build2))
      end
-      it { expect(page.status_code).to eq(404) }
+      it { expect(page).to have_http_status(404) }
+    end
+    context "Build that current user is not allowed to retry" do
+      before do
+        @build.run!
+        @build.cancel!
+        @project.update(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+        logout_direct
+        login_with(create(:user))
+        visit namespace_project_build_path(@project.namespace, @project, @build)
+      end
+      it 'does not show the Retry button' do
+        page.within('aside.right-sidebar') do
+          expect(page).not_to have_content 'Retry'
+        end
+      end
    end
  end

--- a/spec/features/projects/branches_spec.rb~HEAD
+++ b/spec/features/projects/branches_spec.rb~HEAD
-require 'spec_helper'
-describe 'Branches', feature: true do
-  let(:project) { create(:project) }
-  let(:repository) { project.repository }
-  before do
-    login_as :user
-    project.team << [@user, :developer]
-  end
-  describe 'Initial branches page' do
-    it 'shows all the branches' do
-      visit namespace_project_branches_path(project.namespace, project)
-      repository.branches { |branch| expect(page).to have_content("#{branch.name}") }
-      expect(page).to have_content("Protected branches can be managed in project settings")
-    end
-  end
-  describe 'Find branches' do
-    it 'shows filtered branches', js: true do
-      visit namespace_project_branches_path(project.namespace, project, project.id)
-      fill_in 'branch-search', with: 'fix'
-      find('#branch-search').native.send_keys(:enter)
-      expect(page).to have_content('fix')
-      expect(find('.all-branches')).to have_selector('li', count: 1)
-    end
-  end
-end
--- a/spec/finders/branches_finder_spec.rb
+++ b/spec/finders/branches_finder_spec.rb
@@ -20,7 +20,7 @@ describe BranchesFinder do
        result = branches_finder.execute
-        expect(result.first.name).to eq('expand-collapse-lines')
+        expect(result.first.name).to eq('video')
      end
      it 'sorts by last_updated' do

--- a/spec/helpers/notes_helper_spec.rb
+++ b/spec/helpers/notes_helper_spec.rb
 require "spec_helper"
 describe NotesHelper do
-  describe "#notes_max_access_for_users" do
+  let(:owner) { create(:owner) }
-    let(:owner) { create(:owner) }
+  let(:group) { create(:group) }
-    let(:group) { create(:group) }
+  let(:project) { create(:empty_project, namespace: group) }
-    let(:project) { create(:empty_project, namespace: group) }
+  let(:master) { create(:user) }
-    let(:master) { create(:user) }
+  let(:reporter) { create(:user) }
-    let(:reporter) { create(:user) }
+  let(:guest) { create(:user) }
-    let(:guest) { create(:user) }
-    let(:owner_note) { create(:note, author: owner, project: project) }
-    let(:master_note) { create(:note, author: master, project: project) }
-    let(:reporter_note) { create(:note, author: reporter, project: project) }
-    let!(:notes) { [owner_note, master_note, reporter_note] }
-    before do
-      group.add_owner(owner)
-      project.team << [master, :master]
-      project.team << [reporter, :reporter]
-      project.team << [guest, :guest]
-    end
-    it 'return human access levels' do
+  let(:owner_note) { create(:note, author: owner, project: project) }
-      original_method = project.team.method(:human_max_access)
+  let(:master_note) { create(:note, author: master, project: project) }
-      expect_any_instance_of(ProjectTeam).to receive(:human_max_access).exactly(3).times do |*args|
+  let(:reporter_note) { create(:note, author: reporter, project: project) }
-        original_method.call(args[1])
+  let!(:notes) { [owner_note, master_note, reporter_note] }
-      end
+  before do
+    group.add_owner(owner)
+    project.team << [master, :master]
+    project.team << [reporter, :reporter]
+    project.team << [guest, :guest]
+  end
+  describe "#notes_max_access_for_users" do
+    it 'return human access levels' do
      expect(helper.note_max_access_for_user(owner_note)).to eq('Owner')
      expect(helper.note_max_access_for_user(master_note)).to eq('Master')
      expect(helper.note_max_access_for_user(reporter_note)).to eq('Reporter')
-      # Call it again to ensure value is cached
-      expect(helper.note_max_access_for_user(owner_note)).to eq('Owner')
    end
    it 'handles access in different projects' do
@@ -43,4 +36,16 @@ describe NotesHelper do
      expect(helper.note_max_access_for_user(other_note)).to eq('Reporter')
    end
  end
+  describe '#preload_max_access_for_authors' do
+    it 'loads multiple users' do
+      expected_access = {
+        owner.id => Gitlab::Access::OWNER,
+        master.id => Gitlab::Access::MASTER,
+        reporter.id => Gitlab::Access::REPORTER
+      }
+      expect(helper.preload_max_access_for_authors(notes, project)).to eq(expected_access)
+    end
+  end
 end
--- a/spec/lib/banzai/filter/relative_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb
@@ -17,6 +17,10 @@ describe Banzai::Filter::RelativeLinkFilter, lib: true do
    %(<img src="#{path}" />)
  end
+  def video(path)
+    %(<video src="#{path}"></video>)
+  end
  def link(path)
    %(<a href="#{path}">#{path}</a>)
  end
@@ -37,6 +41,12 @@ describe Banzai::Filter::RelativeLinkFilter, lib: true do
      doc = filter(image('files/images/logo-black.png'))
      expect(doc.at_css('img')['src']).to eq 'files/images/logo-black.png'
    end
+    it 'does not modify any relative URL in video' do
+      doc = filter(video('files/videos/intro.mp4'), commit: project.commit('video'), ref: 'video')
+      expect(doc.at_css('video')['src']).to eq 'files/videos/intro.mp4'
+    end
  end
  shared_examples :relative_to_requested do
@@ -111,11 +121,26 @@ describe Banzai::Filter::RelativeLinkFilter, lib: true do
    end
    it 'rebuilds relative URL for an image in the repo' do
+      doc = filter(image('files/images/logo-black.png'))
+      expect(doc.at_css('img')['src']).
+        to eq "/#{project_path}/raw/#{ref}/files/images/logo-black.png"
+    end
+    it 'rebuilds relative URL for link to an image in the repo' do
      doc = filter(link('files/images/logo-black.png'))
      expect(doc.at_css('a')['href']).
        to eq "/#{project_path}/raw/#{ref}/files/images/logo-black.png"
    end
+    it 'rebuilds relative URL for a video in the repo' do
+      doc = filter(video('files/videos/intro.mp4'), commit: project.commit('video'), ref: 'video')
+      expect(doc.at_css('video')['src']).
+        to eq "/#{project_path}/raw/video/files/videos/intro.mp4"
+    end
    it 'does not modify relative URL with an anchor only' do
      doc = filter(link('#section-1'))
      expect(doc.at_css('a')['href']).to eq '#section-1'

--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
 require 'spec_helper'
 describe Ability, lib: true do
+  describe '.can_edit_note?' do
+    let(:project) { create(:empty_project) }
+    let!(:note) { create(:note_on_issue, project: project) }
+    context 'using an anonymous user' do
+      it 'returns false' do
+        expect(described_class.can_edit_note?(nil, note)).to be_falsy
+      end
+    end
+    context 'using a system note' do
+      it 'returns false' do
+        system_note = create(:note, system: true)
+        user = create(:user)
+        expect(described_class.can_edit_note?(user, system_note)).to be_falsy
+      end
+    end
+    context 'using users with different access levels' do
+      let(:user) { create(:user) }
+      it 'returns true for the author' do
+        expect(described_class.can_edit_note?(note.author, note)).to be_truthy
+      end
+      it 'returns false for a guest user' do
+        project.team << [user, :guest]
+        expect(described_class.can_edit_note?(user, note)).to be_falsy
+      end
+      it 'returns false for a developer' do
+        project.team << [user, :developer]
+        expect(described_class.can_edit_note?(user, note)).to be_falsy
+      end
+      it 'returns true for a master' do
+        project.team << [user, :master]
+        expect(described_class.can_edit_note?(user, note)).to be_truthy
+      end
+      it 'returns true for a group owner' do
+        group = create(:group)
+        project.project_group_links.create(
+          group: group,
+          group_access: Gitlab::Access::MASTER)
+        group.add_owner(user)
+        expect(described_class.can_edit_note?(user, note)).to be_truthy
+      end
+    end
+  end
  describe '.users_that_can_read_project' do
    context 'using a public project' do
      it 'returns all the users' do

--- a/spec/models/blob_spec.rb
+++ b/spec/models/blob_spec.rb
@@ -33,6 +33,22 @@ describe Blob do
    end
  end
+  describe '#video?' do
+    it 'is falsey with image extension' do
+      git_blob = Gitlab::Git::Blob.new(name: 'image.png')
+      expect(described_class.decorate(git_blob)).not_to be_video
+    end
+    UploaderHelper::VIDEO_EXT.each do |ext|
+      it "is truthy when extension is .#{ext}" do
+        git_blob = Gitlab::Git::Blob.new(name: "video.#{ext}")
+        expect(described_class.decorate(git_blob)).to be_video
+      end
+    end
+  end
  describe '#to_partial_path' do
    def stubbed_blob(overrides = {})
      overrides.reverse_merge!(

--- a/spec/models/build_spec.rb
+++ b/spec/models/build_spec.rb
@@ -259,7 +259,7 @@ describe Ci::Build, models: true do
      let(:trigger) { create(:ci_trigger, project: project) }
      let(:trigger_request) { create(:ci_trigger_request_with_variables, pipeline: pipeline, trigger: trigger) }
      let(:user_trigger_variable) do
-        { key: :TRIGGER_KEY, value: 'TRIGGER_VALUE', public: false }
+        { key: :TRIGGER_KEY_1, value: 'TRIGGER_VALUE_1', public: false }
      end
      let(:predefined_trigger_variable) do
        { key: 'CI_BUILD_TRIGGERED', value: 'true', public: true }

--- a/spec/models/commit_spec.rb
+++ b/spec/models/commit_spec.rb
@@ -212,6 +212,7 @@ eos
    it 'returns the URI type at the given path' do
      expect(commit.uri_type('files/html')).to be(:tree)
      expect(commit.uri_type('files/images/logo-black.png')).to be(:raw)
+      expect(project.commit('video').uri_type('files/videos/intro.mp4')).to be(:raw)
      expect(commit.uri_type('files/js/application.js')).to be(:blob)
    end

--- a/spec/models/member_spec.rb
+++ b/spec/models/member_spec.rb
@@ -79,6 +79,18 @@ describe Member, models: true do
      @accepted_request_member = project.requesters.find_by(user_id: accepted_request_user.id).tap { |m| m.accept_request }
    end
+    describe '.access_for_user_ids' do
+      it 'returns the right access levels' do
+        users = [@owner_user.id, @master_user.id]
+        expected = {
+          @owner_user.id => Gitlab::Access::OWNER,
+          @master_user.id => Gitlab::Access::MASTER
+        }
+        expect(described_class.access_for_user_ids(users)).to eq(expected)
+      end
+    end
    describe '.invite' do
      it { expect(described_class.invite).not_to include @master }
      it { expect(described_class.invite).to include @invited_member }

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -1272,6 +1272,32 @@ describe Project, models: true do
    end
  end
+  describe '#add_import_job' do
+    context 'forked' do
+      let(:forked_project_link) { create(:forked_project_link) }
+      let(:forked_from_project) { forked_project_link.forked_from_project }
+      let(:project) { forked_project_link.forked_to_project }
+      it 'schedules a RepositoryForkWorker job' do
+        expect(RepositoryForkWorker).to receive(:perform_async).
+          with(project.id, forked_from_project.repository_storage_path,
+              forked_from_project.path_with_namespace, project.namespace.path)
+        project.add_import_job
+      end
+    end
+    context 'not forked' do
+      let(:project) { create(:project) }
+      it 'schedules a RepositoryImportWorker job' do
+        expect(RepositoryImportWorker).to receive(:perform_async).with(project.id)
+        project.add_import_job
+      end
+    end
+  end
  describe '.where_paths_in' do
    context 'without any paths' do
      it 'returns an empty relation' do

--- a/spec/models/project_team_spec.rb
+++ b/spec/models/project_team_spec.rb
@@ -151,8 +151,8 @@ describe ProjectTeam, models: true do
        it { expect(project.team.max_member_access(master.id)).to eq(Gitlab::Access::MASTER) }
        it { expect(project.team.max_member_access(reporter.id)).to eq(Gitlab::Access::REPORTER) }
        it { expect(project.team.max_member_access(guest.id)).to eq(Gitlab::Access::GUEST) }
-        it { expect(project.team.max_member_access(nonmember.id)).to be_nil }
+        it { expect(project.team.max_member_access(nonmember.id)).to eq(Gitlab::Access::NO_ACCESS) }
-        it { expect(project.team.max_member_access(requester.id)).to be_nil }
+        it { expect(project.team.max_member_access(requester.id)).to eq(Gitlab::Access::NO_ACCESS) }
      end
      context 'when project is shared with group' do
@@ -168,14 +168,14 @@ describe ProjectTeam, models: true do
        it { expect(project.team.max_member_access(master.id)).to eq(Gitlab::Access::DEVELOPER) }
        it { expect(project.team.max_member_access(reporter.id)).to eq(Gitlab::Access::REPORTER) }
-        it { expect(project.team.max_member_access(nonmember.id)).to be_nil }
+        it { expect(project.team.max_member_access(nonmember.id)).to eq(Gitlab::Access::NO_ACCESS) }
-        it { expect(project.team.max_member_access(requester.id)).to be_nil }
+        it { expect(project.team.max_member_access(requester.id)).to eq(Gitlab::Access::NO_ACCESS) }
        context 'but share_with_group_lock is true' do
          before { project.namespace.update(share_with_group_lock: true) }
-          it { expect(project.team.max_member_access(master.id)).to be_nil }
+          it { expect(project.team.max_member_access(master.id)).to eq(Gitlab::Access::NO_ACCESS) }
-          it { expect(project.team.max_member_access(reporter.id)).to be_nil }
+          it { expect(project.team.max_member_access(reporter.id)).to eq(Gitlab::Access::NO_ACCESS) }
        end
      end
    end
@@ -194,8 +194,53 @@ describe ProjectTeam, models: true do
      it { expect(project.team.max_member_access(master.id)).to eq(Gitlab::Access::MASTER) }
      it { expect(project.team.max_member_access(reporter.id)).to eq(Gitlab::Access::REPORTER) }
      it { expect(project.team.max_member_access(guest.id)).to eq(Gitlab::Access::GUEST) }
-      it { expect(project.team.max_member_access(nonmember.id)).to be_nil }
+      it { expect(project.team.max_member_access(nonmember.id)).to eq(Gitlab::Access::NO_ACCESS) }
-      it { expect(project.team.max_member_access(requester.id)).to be_nil }
+      it { expect(project.team.max_member_access(requester.id)).to eq(Gitlab::Access::NO_ACCESS) }
+    end
+  end
+  describe "#max_member_access_for_users" do
+    it 'returns correct roles for different users' do
+      master = create(:user)
+      reporter = create(:user)
+      promoted_guest = create(:user)
+      guest = create(:user)
+      project = create(:project)
+      project.team << [master, :master]
+      project.team << [reporter, :reporter]
+      project.team << [promoted_guest, :guest]
+      project.team << [guest, :guest]
+      group = create(:group)
+      group_developer = create(:user)
+      second_developer = create(:user)
+      project.project_group_links.create(
+        group: group,
+        group_access: Gitlab::Access::DEVELOPER)
+      group.add_master(promoted_guest)
+      group.add_developer(group_developer)
+      group.add_developer(second_developer)
+      second_group = create(:group)
+      project.project_group_links.create(
+        group: second_group,
+        group_access: Gitlab::Access::MASTER)
+      second_group.add_master(second_developer)
+      users = [master, reporter, promoted_guest, guest, group_developer, second_developer].map(&:id)
+      expected = {
+        master.id => Gitlab::Access::MASTER,
+        reporter.id => Gitlab::Access::REPORTER,
+        promoted_guest.id => Gitlab::Access::DEVELOPER,
+        guest.id => Gitlab::Access::GUEST,
+        group_developer.id => Gitlab::Access::DEVELOPER,
+        second_developer.id => Gitlab::Access::MASTER
+      }
+      expect(project.team.max_member_access_for_user_ids(users)).to eq(expected)
    end
  end
 end
--- a/spec/requests/ci/api/builds_spec.rb
+++ b/spec/requests/ci/api/builds_spec.rb
@@ -98,7 +98,7 @@ describe Ci::API::API do
          { "key" => "CI_BUILD_TRIGGERED", "value" => "true", "public" => true },
          { "key" => "DB_NAME", "value" => "postgres", "public" => true },
          { "key" => "SECRET_KEY", "value" => "secret_value", "public" => false },
-          { "key" => "TRIGGER_KEY", "value" => "TRIGGER_VALUE", "public" => false }
+          { "key" => "TRIGGER_KEY_1", "value" => "TRIGGER_VALUE_1", "public" => false }
        )
      end

--- a/spec/routing/admin_routing_spec.rb
+++ b/spec/routing/admin_routing_spec.rb
 require 'spec_helper'
-# team_update_admin_user PUT    /admin/users/:id/team_update(.:format) admin/users#team_update
 #       block_admin_user PUT    /admin/users/:id/block(.:format)       admin/users#block
 #     unblock_admin_user PUT    /admin/users/:id/unblock(.:format)     admin/users#unblock
 #            admin_users GET    /admin/users(.:format)                 admin/users#index
@@ -11,10 +10,6 @@ require 'spec_helper'
 #                        PUT    /admin/users/:id(.:format)             admin/users#update
 #                        DELETE /admin/users/:id(.:format)             admin/users#destroy
 describe Admin::UsersController, "routing" do
-  it "to #team_update" do
-    expect(put("/admin/users/1/team_update")).to route_to('admin/users#team_update', id: '1')
-  end
  it "to #block" do
    expect(put("/admin/users/1/block")).to route_to('admin/users#block', id: '1')
  end

--- a/spec/routing/project_routing_spec.rb
+++ b/spec/routing/project_routing_spec.rb
@@ -135,10 +135,6 @@ describe Projects::RepositoriesController, 'routing' do
  it 'to #archive format:tar.bz2' do
    expect(get('/gitlab/gitlabhq/repository/archive.tar.bz2')).to route_to('projects/repositories#archive', namespace_id: 'gitlab', project_id: 'gitlabhq', format: 'tar.bz2')
  end
-  it 'to #show' do
-    expect(get('/gitlab/gitlabhq/repository')).to route_to('projects/repositories#show', namespace_id: 'gitlab', project_id: 'gitlabhq')
-  end
 end
 describe Projects::BranchesController, 'routing' do

--- a/spec/routing/routing_spec.rb
+++ b/spec/routing/routing_spec.rb
@@ -176,18 +176,10 @@ describe Profiles::KeysController, "routing" do
    expect(post("/profile/keys")).to route_to('profiles/keys#create')
  end
-  it "to #edit" do
-    expect(get("/profile/keys/1/edit")).to route_to('profiles/keys#edit', id: '1')
-  end
  it "to #show" do
    expect(get("/profile/keys/1")).to route_to('profiles/keys#show', id: '1')
  end
-  it "to #update" do
-    expect(put("/profile/keys/1")).to route_to('profiles/keys#update', id: '1')
-  end
  it "to #destroy" do
    expect(delete("/profile/keys/1")).to route_to('profiles/keys#destroy', id: '1')
  end

--- a/spec/support/test_env.rb
+++ b/spec/support/test_env.rb
@@ -20,7 +20,8 @@ module TestEnv
    'gitattributes'         => '5a62481',
    'expand-collapse-diffs' => '4842455',
    'expand-collapse-files' => '025db92',
-    'expand-collapse-lines' => '238e82d'
+    'expand-collapse-lines' => '238e82d',
+    'video'                 => '8879059'
  }
  # gitlab-test-fork is a fork of gitlab-fork, but we don't necessarily

--- a/spec/views/projects/builds/show.html.haml_spec.rb
+++ b/spec/views/projects/builds/show.html.haml_spec.rb
@@ -44,9 +44,29 @@ describe 'projects/builds/show' do
    it 'shows commit title and not show commit message' do
      render
      expect(rendered).to have_css('p.build-light-text.append-bottom-0',
        text: /\A\n#{Regexp.escape(commit_title)}\n\Z/)
    end
  end
+  describe 'shows trigger variables in sidebar' do
+    let(:trigger_request) { create(:ci_trigger_request_with_variables, pipeline: pipeline) }
+    before do
+      build.trigger_request = trigger_request
+      render
+    end
+    it 'shows trigger variables in separate lines' do
+      expect(rendered).to have_css('code', text: variable_regexp('TRIGGER_KEY_1', 'TRIGGER_VALUE_1'))
+      expect(rendered).to have_css('code', text: variable_regexp('TRIGGER_KEY_2', 'TRIGGER_VALUE_2'))
+    end
+  end
+  private
+  def variable_regexp(key, value)
+    /\A#{Regexp.escape("#{key}=#{value}")}\Z/
+  end
 end
--- a/spec/workers/repository_fork_worker_spec.rb
+++ b/spec/workers/repository_fork_worker_spec.rb
@@ -14,21 +14,24 @@ describe RepositoryForkWorker do
  describe "#perform" do
    it "creates a new repository from a fork" do
      expect(shell).to receive(:fork_repository).with(
-        project.repository_storage_path,
+        '/test/path',
        project.path_with_namespace,
+        project.repository_storage_path,
        fork_project.namespace.path
      ).and_return(true)
      subject.perform(
        project.id,
+        '/test/path',
        project.path_with_namespace,
        fork_project.namespace.path)
    end
    it 'flushes various caches' do
      expect(shell).to receive(:fork_repository).with(
-        project.repository_storage_path,
+        '/test/path',
        project.path_with_namespace,
+        project.repository_storage_path,
        fork_project.namespace.path
      ).and_return(true)
@@ -38,7 +41,7 @@ describe RepositoryForkWorker do
      expect_any_instance_of(Repository).to receive(:expire_exists_cache).
        and_call_original
-      subject.perform(project.id, project.path_with_namespace,
+      subject.perform(project.id, '/test/path', project.path_with_namespace,
                      fork_project.namespace.path)
    end
@@ -49,6 +52,7 @@ describe RepositoryForkWorker do
      subject.perform(
        project.id,
+        '/test/path',
        project.path_with_namespace,
        fork_project.namespace.path)
    end

--- a/vendor/gitlab-ci-yml/Elixir.gitlab-ci.yml
+++ b/vendor/gitlab-ci-yml/Elixir.gitlab-ci.yml
@@ -2,7 +2,7 @@
 # The image already has Hex installed. You might want to consider to use `elixir:latest`
 image: trenpixster/elixir:latest
-# Pic zero or more services to be used on all builds.
+# Pick zero or more services to be used on all builds.
 # Only needed when using a docker container to run your tests in.
 # Check out: http://docs.gitlab.com/ce/ci/docker/using_docker_images.html#what-is-service
 services: