Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce into ce-upstream

.rubocop.yml

@@ -953,10 +953,9 @@ Performance/DoubleStartEndWith:
 Performance/EndWith:
   Enabled: false
 
-# TODO: Enable LstripRstrip Cop.
 # Use `strip` instead of `lstrip.rstrip`.
 Performance/LstripRstrip:
-  Enabled: false
+  Enabled: true
 
 # TODO: Enable RangeInclude Cop.
 # Use `Range#cover?` instead of `Range#include?`.

.scss-lint.yml

@@ -244,11 +244,11 @@ linters:
   
   # URLs should be valid and not contain protocols or domain names.
   UrlFormat:
-    enabled: false
+    enabled: true
 
   # URLs should always be enclosed within quotes.
   UrlQuotes:
-    enabled: false
+    enabled: true
 
   # Properties, like color and font, are easier to read and maintain
   # when defined using variables rather than literals.

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.8.0 (unreleased)
+  - Project#open_branches has been cleaned up and no longer loads entire records into memory.
+  - Make build status canceled if any of the jobs was canceled and none failed
   - Remove future dates from contribution calendar graph.
+  - Support e-mail notifications for comments on project snippets
+  - Use ActionDispatch Remote IP for Akismet checking
   - Fix error when visiting commit builds page before build was updated
   - Add 'l' shortcut to open Label dropdown on issuables and 'i' to create new issue on a project
   - Updated search UI
-  - Replace Devise Async with Devise ActiveJob integration. !3902 (Connor Shea)
+  - Display informative message when new milestone is created
   - Allow "NEWS" and "CHANGES" as alternative names for CHANGELOG. !3768 (Connor Shea)
   - Added button to toggle whitespaces changes on diff view
-
-v 8.7.1 (unreleased)
+  - Backport GitLab Enterprise support from EE
+  - Create tags using Rugged for performance reasons. !3745
+  - Files over 5MB can only be viewed in their raw form, files over 1MB without highlighting !3718
+  - Add support for supressing text diffs using .gitattributes on the default branch (Matt Oakes)
+  - Added multiple colors for labels in dropdowns when dups happen.
+  - Improve description for the Two-factor Authentication sign-in screen. (Connor Shea)
+  - API support for the 'since' and 'until' operators on commit requests (Paco Guzman)
+
+v 8.7.3
+  - Emails, Gitlab::Email::Message, Gitlab::Diff, and Premailer::Adapter::Nokogiri are now instrumented
+
+v 8.7.2
+  - The "New Branch" button is now loaded asynchronously
+  - Fix error 500 when trying to create a wiki page
+  - Updated spacing between notification label and button
+
+v 8.7.1
   - Throttle the update of `project.last_activity_at` to 1 minute. !3848
   - Fix .gitlab-ci.yml parsing issue when hidde job is a template without script definition. !3849
   - Fix license detection to detect all license files, not only known licenses. !3878
   - Use the `can?` helper instead of `current_user.can?`. !3882
   - Prevent users from deleting Webhooks via API they do not own
   - Fix Error 500 due to stale cache when projects are renamed or transferred
+  - Update width of search box to fix Safari bug. !3900 (Jedidiah)
+  - Use the `can?` helper instead of `current_user.can?`
 
 v 8.7.0
   - Gitlab::GitAccess and Gitlab::GitAccessWiki are now instrumented
@@ -130,13 +151,25 @@ v 8.7.0
   - Import GitHub labels
   - Add option to filter by "Owned projects" on dashboard page
   - Import GitHub milestones
-  - Fix emoji catgories in the emoji picker
   - Execute system web hooks on push to the project
   - Allow enable/disable push events for system hooks
   - Fix GitHub project's link in the import page when provider has a custom URL
   - Add RAW build trace output and button on build page
   - Add incremental build trace update into CI API
 
+v 8.6.8
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via Git branch and tag names
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent XSS via label drop-down
+  - Prevent information disclosure via milestone API
+  - Prevent information disclosure via snippet API
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.6.7
   - Fix persistent XSS vulnerability in `commit_person_link` helper
   - Fix persistent XSS vulnerability in Label and Milestone dropdowns
@@ -278,6 +311,17 @@ v 8.6.0
   - Trigger a todo for mentions on commits page
   - Let project owners and admins soft delete issues and merge requests
 
+v 8.5.12
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via Git branch and tag names
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via snippet API
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.5.11
   - Fix persistent XSS vulnerability in `commit_person_link` helper
 
@@ -446,6 +490,17 @@ v 8.5.0
   - Show label row when filtering issues or merge requests by label (Nuttanart Pornprasitsakul)
   - Add Todos
 
+v 8.4.10
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via Git branch and tag names
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via snippet API
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.4.9
   - Fix persistent XSS vulnerability in `commit_person_link` helper
 
@@ -577,6 +632,15 @@ v 8.4.0
   - Add IP check against DNSBLs at account sign-up
   - Added cache:key to .gitlab-ci.yml allowing to fine tune the caching
 
+v 8.3.9
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via custom issue tracker URL
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
 v 8.3.8
   - Fix persistent XSS vulnerability in `commit_person_link` helper
 
@@ -686,6 +750,17 @@ v 8.3.0
   - Expose Git's version in the admin area
   - Show "New Merge Request" buttons on canonical repos when you have a fork (Josh Frye)
 
+v 8.2.5
+  - Prevent privilege escalation via "impersonate" feature
+  - Prevent privilege escalation via notes API
+  - Prevent privilege escalation via project webhook API
+  - Prevent XSS via `window.opener`
+  - Prevent information disclosure via project labels
+  - Prevent information disclosure via new merge request page
+
+v 8.2.4
+  - Bump Git version requirement to 2.7.4
+
 v 8.2.3
   - Fix application settings cache not expiring after changes (Stan Hu)
   - Fix Error 500s when creating global milestones with Unicode characters (Stan Hu)

CONTRIBUTING.md

@@ -38,7 +38,7 @@ source edition, and GitLab Enterprise Edition (EE) which is our commercial
 edition. Throughout this guide you will see references to CE and EE for
 abbreviation.
 
-If you have read this guide and want to know how the GitLab [core team][core-team]
+If you have read this guide and want to know how the GitLab [core team]
 operates please see [the GitLab contributing process](PROCESS.md).
 
 ## Contributor license agreement
@@ -135,12 +135,23 @@ For feature proposals for EE, open an issue on the
 
 In order to help track the feature proposals, we have created a
 [`feature proposal`][fpl] label. For the time being, users that are not members
-of the project cannot add labels. You can instead ask one of the [core team][core-team]
-members to add the label `feature proposal` to the issue.
+of the project cannot add labels. You can instead ask one of the [core team]
+members to add the label `feature proposal` to the issue or add the following
+code snippet right after your description in a new line: `~"feature proposal"`.
 
 Please keep feature proposals as small and simple as possible, complex ones
 might be edited to make them small and simple.
 
+You are encouraged to use the template below for feature proposals.
+
+```
+## Description including problem, use cases, benefits, and/or goals
+
+## Proposal
+
+## Links / references
+```
+
 For changes in the interface, it can be helpful to create a mockup first.
 If you want to create something yourself, consider opening an issue first to
 discuss whether it is interesting to include this in GitLab.
@@ -344,12 +355,11 @@ is it will be merged (quickly). After that you can send more MRs to enhance it.
 For examples of feedback on merge requests please look at already
 [closed merge requests][closed-merge-requests]. If you would like quick feedback
 on your merge request feel free to mention one of the Merge Marshalls in the
-[core team][core-team] or one of the
-[Merge request coaches](https://about.gitlab.com/team/).
+[core team] or one of the [Merge request coaches](https://about.gitlab.com/team/).
 Please ensure that your merge request meets the contribution acceptance criteria.
 
 When having your code reviewed and when reviewing merge requests please take the
-[Thoughtbot code review guide] into account.
+[code review guidelines](doc/development/code_review.md) into account.
 
 ### Merge request description format
 
@@ -497,7 +507,7 @@ reported by emailing `contact@gitlab.com`.
 This Code of Conduct is adapted from the [Contributor Covenant][contributor-covenant], version 1.1.0,
 available at [http://contributor-covenant.org/version/1/1/0/](http://contributor-covenant.org/version/1/1/0/).
 
-[core-team]: https://about.gitlab.com/core-team/
+[core team]: https://about.gitlab.com/core-team/
 [getting-help]: https://about.gitlab.com/getting-help/
 [codetriage]: http://www.codetriage.com/gitlabhq/gitlabhq
 [up-for-grabs]: https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name=up-for-grabs
@@ -523,4 +533,3 @@ available at [http://contributor-covenant.org/version/1/1/0/](http://contributor
 [gitlab-design]: https://gitlab.com/gitlab-org/gitlab-design
 [free Antetype viewer (Mac OSX only)]: https://itunes.apple.com/us/app/antetype-viewer/id824152298?mt=12
 [`gitlab1.atype` file]: https://gitlab.com/gitlab-org/gitlab-design/tree/master/gitlab1.atype/
-[Thoughtbot code review guide]: https://github.com/thoughtbot/guides/tree/master/code-review

Gemfile

@@ -19,7 +19,8 @@ gem "pg", '~> 0.18.2', group: :postgres
 
 # Authentication libraries
 gem 'devise',                 '~> 3.5.4'
-gem 'doorkeeper',             '~> 2.2.0'
+gem 'doorkeeper',             '~> 3.1'
+gem 'devise-async',           '~> 0.9.0'
 gem 'omniauth',               '~> 1.3.1'
 gem 'omniauth-auth0',         '~> 1.4.1'
 gem 'omniauth-azure-oauth2',  '~> 0.0.6'
@@ -279,7 +280,7 @@ group :development, :test do
 
   gem 'database_cleaner',   '~> 1.4.0'
   gem 'factory_girl_rails', '~> 4.6.0'
-  gem 'rspec-rails',        '~> 3.3.0'
+  gem 'rspec-rails',        '~> 3.4.0'
   gem 'rspec-retry'
   gem 'spinach-rails',      '~> 0.2.1'
   gem 'spinach-rerun-reporter', '~> 0.0.2'

Gemfile.lock

@@ -164,6 +164,8 @@ GEM
       responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
+    devise-async (0.9.0)
+      devise (~> 3.2)
     devise-two-factor (2.0.1)
       activesupport
       attr_encrypted (~> 1.3.2)
@@ -173,7 +175,7 @@ GEM
     diff-lcs (1.2.5)
     diffy (3.0.7)
     docile (1.1.5)
-    doorkeeper (2.2.2)
+    doorkeeper (3.1.0)
       railties (>= 3.2)
     dropzonejs-rails (0.7.2)
       rails (> 3.1)
@@ -197,7 +199,7 @@ GEM
     encryptor (1.3.0)
     equalizer (0.0.11)
     erubis (2.7.0)
-    escape_utils (1.1.0)
+    escape_utils (1.1.1)
     eventmachine (1.0.8)
     excon (0.45.4)
     execjs (2.6.0)
@@ -347,7 +349,7 @@ GEM
       json
     get_process_mem (0.2.0)
     gherkin-ruby (0.3.2)
-    github-linguist (4.7.3)
+    github-linguist (4.7.6)
       charlock_holmes (~> 0.7.3)
       escape_utils (~> 1.1.0)
       mime-types (>= 1.19)
@@ -373,7 +375,7 @@ GEM
     gitlab-license (0.0.4)
     gitlab_emoji (0.3.1)
       gemojione (~> 2.2, >= 2.2.1)
-    gitlab_git (10.0.0)
+    gitlab_git (10.0.2)
       activesupport (~> 4.0)
       charlock_holmes (~> 0.7.3)
       github-linguist (~> 4.7.0)
@@ -686,29 +688,29 @@ GEM
       chunky_png
     rqrcode-rails3 (0.1.7)
       rqrcode (>= 0.4.2)
-    rspec (3.3.0)
-      rspec-core (~> 3.3.0)
-      rspec-expectations (~> 3.3.0)
-      rspec-mocks (~> 3.3.0)
-    rspec-core (3.3.2)
-      rspec-support (~> 3.3.0)
-    rspec-expectations (3.3.1)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.4)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.3.0)
-    rspec-mocks (3.3.2)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.3.0)
-    rspec-rails (3.3.3)
+      rspec-support (~> 3.4.0)
+    rspec-rails (3.4.2)
       actionpack (>= 3.0, < 4.3)
       activesupport (>= 3.0, < 4.3)
       railties (>= 3.0, < 4.3)
-      rspec-core (~> 3.3.0)
-      rspec-expectations (~> 3.3.0)
-      rspec-mocks (~> 3.3.0)
-      rspec-support (~> 3.3.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+      rspec-support (~> 3.4.0)
     rspec-retry (0.4.5)
       rspec-core
-    rspec-support (3.3.0)
+    rspec-support (3.4.1)
     rubocop (0.38.0)
       parser (>= 2.3.0.6, < 3.0)
       powerpack (~> 0.1)
@@ -947,9 +949,10 @@ DEPENDENCIES
   database_cleaner (~> 1.4.0)
   default_value_for (~> 3.0.0)
   devise (~> 3.5.4)
+  devise-async (~> 0.9.0)
   devise-two-factor (~> 2.0.0)
   diffy (~> 3.0.3)
-  doorkeeper (~> 2.2.0)
+  doorkeeper (~> 3.1)
   dropzonejs-rails (~> 0.7.1)
   elasticsearch-model
   elasticsearch-rails
@@ -1044,7 +1047,7 @@ DEPENDENCIES
   responders (~> 2.0)
   rouge (~> 1.10.1)
   rqrcode-rails3 (~> 0.1.7)
-  rspec-rails (~> 3.3.0)
+  rspec-rails (~> 3.4.0)
   rspec-retry
   rubocop (~> 0.38.0)
   ruby-fogbugz (~> 0.2.1)
@@ -1092,4 +1095,4 @@ DEPENDENCIES
   wikicloth (= 0.8.1)
 
 BUNDLED WITH
-   1.11.2
+   1.12.1

README.md

@@ -110,7 +110,7 @@ There are a lot of [third-party applications integrating with GitLab](https://ab
 
 ## GitLab release cycle
 
-For more information about the release process see the [release documentation](http://doc.gitlab.com/ce/release/).
+For more information about the release process see the [release documentation](https://gitlab.com/gitlab-org/release-tools/blob/master/README.md).
 
 ## Upgrading
 

app/assets/javascripts/gl_dropdown.js.coffee

@@ -184,6 +184,9 @@ class GitLabDropdown
     @dropdown.on "shown.bs.dropdown", @opened
     @dropdown.on "hidden.bs.dropdown", @hidden
     @dropdown.on "click", ".dropdown-menu, .dropdown-menu-close", @shouldPropagate
+    @dropdown.on 'keyup', (e) =>
+      if e.which is 27 # Escape key
+        $('.dropdown-menu-close', @dropdown).trigger 'click'
 
     if @dropdown.find(".dropdown-toggle-page").length
       @dropdown.find(".dropdown-toggle-page, .dropdown-menu-back").on "click", (e) =>

app/assets/javascripts/issue.js.coffee

@@ -12,6 +12,7 @@ class @Issue
 
     @initMergeRequests()
     @initRelatedBranches()
+    @initCanCreateBranch()
 
   initTaskList: ->
     $('.detail-page-description .js-task-list-container').taskList('enable')
@@ -92,3 +93,25 @@ class @Issue
       .success (data) ->
         if 'html' of data
           $container.html(data.html)
+
+  initCanCreateBranch: ->
+    $container = $('div#new-branch')
+
+    # If the user doesn't have the required permissions the container isn't
+    # rendered at all.
+    return unless $container
+
+    $.getJSON($container.data('path'))
+      .error ->
+        $container.find('.checking').hide()
+        $container.find('.unavailable').show()
+
+        new Flash('Failed to check if a new branch can be created.', 'alert')
+      .success (data) ->
+        if data.can_create_branch
+          $container.find('.checking').hide()
+          $container.find('.available').show()
+          $container.find('a').attr('disabled', false)
+        else
+          $container.find('.checking').hide()
+          $container.find('.unavailable').show()

app/assets/javascripts/labels_select.js.coffee

@@ -30,7 +30,7 @@ class @LabelsSelect
       if issueUpdateURL
         labelHTMLTemplate = _.template(
             '<% _.each(labels, function(label){ %>
-            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name=<%= _.escape(label.title) %>">
+            <a href="<%= ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%= _.escape(label.title) %>">
             <span class="label has-tooltip color-label" title="<%= _.escape(label.description) %>" style="background-color: <%= label.color %>; color: <%= label.text_color %>;">
             <%= _.escape(label.title) %>
             </span>
@@ -163,6 +163,21 @@ class @LabelsSelect
           $.ajax(
             url: labelUrl
           ).done (data) ->
+            data = _.chain data
+              .groupBy (label) ->
+                label.title
+              .map (label) ->
+                color = _.map label, (dup) ->
+                  dup.color
+
+                return {
+                  id: label[0].id
+                  title: label[0].title
+                  color: color
+                  duplicate: color.length > 1
+                }
+              .value()
+
             if $dropdown.hasClass 'js-extra-options'
               if showNo
                 data.unshift(
@@ -178,6 +193,7 @@ class @LabelsSelect
 
               if data.length > 2
                 data.splice 2, 0, 'divider'
+
             callback data
 
         renderRow: (label) ->
@@ -192,11 +208,31 @@ class @LabelsSelect
           if $dropdown.hasClass('js-multiselect') and removesAll
             selectedClass.push 'dropdown-clear-active'
 
-          color = if label.color? then "<span class='dropdown-label-box' style='background-color: #{label.color}'></span>" else ""
+          if label.duplicate
+            spacing = 100 / label.color.length
+
+            # Reduce the colors to 4
+            label.color = label.color.filter (color, i) ->
+              i < 4
+
+            color = _.map(label.color, (color, i) ->
+              percentFirst = Math.floor(spacing * i)
+              percentSecond = Math.floor(spacing * (i + 1))
+              "#{color} #{percentFirst}%,#{color} #{percentSecond}% "
+            ).join(',')
+            color = "linear-gradient(#{color})"
+          else
+            if label.color?
+              color = label.color[0]
+
+          if color
+            colorEl = "<span class='dropdown-label-box' style='background: #{color}'></span>"
+          else
+            colorEl = ''
 
           "<li>
             <a href='#' class='#{selectedClass.join(' ')}'>
-              #{color}
+              #{colorEl}
               #{_.escape(label.title)}
             </a>
           </li>"

app/assets/javascripts/notes.js.coffee

@@ -167,8 +167,8 @@ class @Notes
       return
 
     if note.award
-      awards_handler.addAwardToEmojiBar(note.note)
-      awards_handler.scrollToAwards()
+      awardsHandler.addAwardToEmojiBar(note.note)
+      awardsHandler.scrollToAwards()
 
     # render note if it not present in loaded list
     # or skip if rendered
@@ -373,11 +373,11 @@ class @Notes
 
     new GLForm form
     if scrollTo? and myLastNote?
-      # scroll to the bottom 
+      # scroll to the bottom
       # so the open of the last element doesn't make a jump
       $('html, body').scrollTop($(document).height());
       $('html, body').animate({
-        scrollTop: myLastNote.offset().top - 150  
+        scrollTop: myLastNote.offset().top - 150
       }, 500, ->
         $noteText = form.find(".js-note-text")
         $noteText.focus()

app/assets/javascripts/user_tabs.js.coffee

@@ -92,7 +92,7 @@ class @UserTabs
     @setCurrentAction(action)
 
   activateTab: (action) ->
-    @parentEl.find(".nav-links .#{action}-tab a").tab('show')
+    @parentEl.find(".nav-links .js-#{action}-tab a").tab('show')
 
   setTab: (source, action) ->
     return if @loaded[action] is true

app/assets/stylesheets/framework.scss

@@ -25,6 +25,7 @@
 @import "framework/lists.scss";
 @import "framework/markdown_area.scss";
 @import "framework/mobile.scss";
+@import "framework/modal.scss";
 @import "framework/nav.scss";
 @import "framework/pagination.scss";
 @import "framework/progress.scss";

app/assets/stylesheets/framework/blocks.scss

 .light-well {
-  background-color: #f8fafc;
+  background-color: $background-color;
   padding: 15px;
 }
 

app/assets/stylesheets/framework/buttons.scss

@@ -139,6 +139,10 @@
     pointer-events: auto !important;
   }
 
+  &[disabled] {
+    pointer-events: none !important;
+  }
+
   .caret {
     margin-left: 5px;
   }

app/assets/stylesheets/framework/forms.scss

@@ -78,6 +78,24 @@ label {
   border-radius: 3px;
 }
 
+.select-wrapper {
+  position: relative;
+
+  .caret {
+    position: absolute;
+    right: 10px;
+    top: $gl-padding;
+    color: $gray-darkest;
+    pointer-events: none;
+  }
+}
+
+.select-control {
+  padding-left: 10px;
+  padding-right: 10px;
+  -webkit-appearance: none;
+}
+
 .form-control-inline {
   display: inline;
 }

app/assets/stylesheets/framework/header.scss

@@ -26,9 +26,9 @@ header {
     z-index: 100;
     margin-bottom: 0;
     min-height: $header-height;
-    background-color: #fff;
+    background-color: $background-color;
     border: none;
-    border-bottom: 1px solid #eee;
+    border-bottom: 1px solid $border-color;
 
     .container-fluid {
       width: 100% !important;
@@ -47,7 +47,7 @@ header {
         text-align: center;
 
         &:hover, &:focus, &:active {
-          background-color: #fff;
+          background-color: $background-color;
         }
       }
 

app/assets/stylesheets/framework/modal.scss

+.modal-body {
+  position: relative;
+  overflow-y: auto;
+  padding: 15px;
+
+  .form-actions {
+    margin: -$gl-padding+1;
+    margin-top: 15px;
+  }
+
+  .text-danger {
+    font-weight: bold;
+  }
+}
+
+body.modal-open {
+  overflow: hidden;
+}
+
+.modal .modal-dialog {
+  width: 860px;
+}

app/assets/stylesheets/framework/nav.scss

@@ -185,3 +185,22 @@
     }
   }
 }
+
+.layout-nav {
+  background: $background-color;
+  border-bottom: 1px solid $border-color;
+
+  .controls {
+    float: right;
+    position: relative;
+    top: 10px;
+
+    .dropdown {
+      margin-left: 7px;
+    }
+  }
+
+  .nav-links {
+    border-bottom: none;
+  }
+}

app/assets/stylesheets/framework/selects.scss

@@ -7,13 +7,11 @@
   .select2-choice {
     background: #fff;
     border-color: $input-border;
-    border-color: $border-white-light;
     height: 35px;
     padding: $gl-vert-padding $gl-btn-padding;
     font-size: $gl-font-size;
     line-height: 1.42857143;
-
-    @include border-radius($border-radius-default);
+    border-radius: $border-radius-base;
 
     .select2-arrow {
       background-image: none;
@@ -199,6 +197,14 @@
   }
 }
 
+.select2-highlighted {
+  .group-result {
+    .group-path {
+      color: #fff;
+    }
+  }
+}
+
 .group-result {
   .group-image {
     float: left;

app/assets/stylesheets/framework/tw_bootstrap_variables.scss

@@ -153,8 +153,8 @@ $nav-link-padding: 13px $gl-padding;
 //== Code
 //
 //##
-$pre-bg:           #f8fafc !default;
+$pre-bg:           $background-color !default;
 $pre-color:        $gl-gray !default;
-$pre-border-color: #e7e9ed;
+$pre-border-color: $border-color;
 
 $table-bg-accent: $background-color;

app/assets/stylesheets/framework/typography.scss

@@ -205,6 +205,10 @@ h1, h2, h3, h4, h5, h6 {
   font-weight: 600;
 }
 
+.light-header {
+  font-weight: 600;
+}
+
 /** CODE **/
 pre {
   font-family: $monospace_font;
@@ -259,3 +263,9 @@ h1, h2, h3, h4 {
     color: $gl-gray;
   }
 }
+
+.text-right-lg {
+  @media (min-width: $screen-lg-min) {
+    text-align: right;
+  }
+}

app/assets/stylesheets/framework/variables.scss

@@ -71,8 +71,7 @@ $gl-avatar-size: 40px;
 $error-exclamation-point: #e62958;
 $border-radius-default: 2px;
 $btn-transparent-color: #8f8f8f;
-$ssh-key-icon-color: #8f8f8f;
-$ssh-key-icon-size: 18px;
+$settings-icon-size: 18px;
 $provider-btn-group-border: #e5e5e5;
 $provider-btn-not-active-color: #4688f1;
 

app/assets/stylesheets/pages/help.scss

@@ -55,25 +55,6 @@
   }
 }
 
-.modal-body {
-  position: relative;
-  overflow-y: auto;
-  padding: 15px;
-
-  .form-actions {
-    margin: -$gl-padding+1;
-    margin-top: 15px;
-  }
-}
-
-body.modal-open {
-  overflow: hidden;
-}
-
-.modal .modal-dialog {
-  width: 860px;
-}
-
 .documentation {
   padding: 7px;
 }

app/assets/stylesheets/pages/profile.scss

@@ -18,7 +18,8 @@
 }
 
 .account-btn-link,
-.profile-settings-sidebar a {
+.profile-settings-sidebar a,
+.settings-sidebar a {
   color: $md-link-color;
 }
 
@@ -123,12 +124,6 @@
   }
 }
 
-.key-icon {
-  color: $ssh-key-icon-color;
-  font-size: $ssh-key-icon-size;
-  line-height: 42px;
-}
-
 .key-created-at {
   line-height: 42px;
 }
@@ -180,14 +175,6 @@
   }
 }
 
-.profile-settings-message {
-  line-height: 32px;
-  color: $warning-message-color;
-  background-color: $warning-message-bg;
-  border: 1px solid $warning-message-border;
-  border-radius: $border-radius-base;
-}
-
 .oauth-applications {
   form {
     display: inline-block;

app/assets/stylesheets/pages/projects.scss

@@ -202,8 +202,31 @@
   min-width: 200px;
 }
 
-.deploy-project-label {
-  margin: 1px;
+.deploy-key-content {
+  @media (min-width: $screen-sm-min) {
+    float: left;
+
+    &:last-child {
+      float: right;
+    }
+  }
+}
+
+.deploy-key-projects {
+  @media (min-width: $screen-sm-min) {
+    line-height: 42px;
+  }
+}
+
+a.deploy-project-label {
+  padding: 5px;
+  margin-right: 5px;
+  color: $gl-gray;
+  background-color: $row-hover;
+
+  &:hover {
+    color: $gl-link-color;
+  }
 }
 
 .vs-public {
@@ -256,12 +279,6 @@
   }
 }
 
-table.table.protected-branches-list tr.no-border {
-  th, td {
-    border: 0;
-  }
-}
-
 .project-import .btn {
   float: left;
   margin-right: 10px;
@@ -475,6 +492,17 @@ pre.light-well {
   }
 }
 
+.protected-branches-list {
+  a {
+    color: $gl-gray;
+    font-weight: 600;
+
+    &:hover {
+      color: $gl-link-color;
+    }
+  }
+}
+
 .disabled-item {
   @extend .btn.disabled;
 }

app/assets/stylesheets/pages/settings.scss

+.settings-list-icon {
+  color: $gl-placeholder-color;
+  font-size: $settings-icon-size;
+  line-height: 42px;
+}
+
+.settings-message {
+  padding: 5px;
+  line-height: 1.3;
+  color: $warning-message-color;
+  background-color: $warning-message-bg;
+  border: 1px solid $warning-message-border;
+  border-radius: $border-radius-base;
+}

app/controllers/admin/application_controller.rb

@@ -6,12 +6,6 @@ class Admin::ApplicationController < ApplicationController
   layout 'admin'
 
   def authenticate_admin!
-    return render_404 unless current_user.is_admin?
-  end
-
-  def authorize_impersonator!
-    if session[:impersonator_id]
-      User.find_by!(username: session[:impersonator_id]).admin?
-    end
+    render_404 unless current_user.is_admin?
   end
 end

app/controllers/admin/hooks_controller.rb

@@ -39,6 +39,12 @@ class Admin::HooksController < Admin::ApplicationController
   end
 
   def hook_params
-    params.require(:hook).permit(:url, :enable_ssl_verification, :push_events, :tag_push_events)
+    params.require(:hook).permit(
+      :enable_ssl_verification,
+      :push_events,
+      :tag_push_events,
+      :token,
+      :url
+    )
   end
 end

app/controllers/admin/impersonation_controller.rb

-class Admin::ImpersonationController < Admin::ApplicationController
-  skip_before_action :authenticate_admin!, only: :destroy
-
-  before_action :user
-  before_action :authorize_impersonator!
-
-  def create
-    if @user.blocked?
-      flash[:alert] = "You cannot impersonate a blocked user"
-
-      redirect_to admin_user_path(@user)
-    else
-      session[:impersonator_id] = current_user.username
-      session[:impersonator_return_to] = admin_user_path(@user)
-
-      warden.set_user(user, scope: 'user')
-
-      flash[:alert] = "You are impersonating #{user.username}."
-
-      redirect_to root_path
-    end
-  end
-
-  def destroy
-    redirect = session[:impersonator_return_to]
-
-    warden.set_user(user, scope: 'user')
-
-    session[:impersonator_return_to] = nil
-    session[:impersonator_id] = nil
-
-    redirect_to redirect || root_path
-  end
-
-  def user
-    @user ||= User.find_by!(username: params[:id] || session[:impersonator_id])
-  end
-end

app/controllers/admin/impersonations_controller.rb

+class Admin::ImpersonationsController < Admin::ApplicationController
+  skip_before_action :authenticate_admin!
+  before_action :authenticate_impersonator!
+
+  def destroy
+    original_user = current_user
+
+    warden.set_user(impersonator, scope: :user)
+
+    session[:impersonator_id] = nil
+
+    redirect_to admin_user_path(original_user)
+  end
+
+  private
+
+  def impersonator
+    @impersonator ||= User.find(session[:impersonator_id]) if session[:impersonator_id]
+  end
+
+  def authenticate_impersonator!
+    render_404 unless impersonator && impersonator.is_admin? && !impersonator.blocked?
+  end
+end

app/controllers/admin/users_controller.rb

@@ -31,6 +31,22 @@ class Admin::UsersController < Admin::ApplicationController
     user
   end
 
+  def impersonate
+    if user.blocked?
+      flash[:alert] = "You cannot impersonate a blocked user"
+
+      redirect_to admin_user_path(user)
+    else
+      session[:impersonator_id] = current_user.id
+
+      warden.set_user(user, scope: :user)
+
+      flash[:alert] = "You are now impersonating #{user.username}"
+
+      redirect_to root_path
+    end
+  end
+
   def block
     if user.block
       redirect_back_or_admin_user(notice: "Successfully blocked")

app/controllers/application_controller.rb

@@ -120,7 +120,7 @@ class ApplicationController < ActionController::Base
     if Gitlab::Geo.secondary?
       Gitlab::Geo.primary_node.url
     else
-      current_application_settings.after_sign_out_path || new_user_session_path
+      current_application_settings.after_sign_out_path.presence || new_user_session_path
     end
   end
 

app/controllers/projects/commits_controller.rb

@@ -15,7 +15,7 @@ class Projects::CommitsController < Projects::ApplicationController
       if search.present?
         @repository.find_commits_by_message(search, @ref, @path, @limit, @offset).compact
       else
-        @repository.commits(@ref, @path, @limit, @offset)
+        @repository.commits(@ref, path: @path, limit: @limit, offset: @offset)
       end
 
     @note_counts = project.notes.where(commit_id: @commits.map(&:id)).

app/controllers/projects/deploy_keys_controller.rb

@@ -7,25 +7,18 @@ class Projects::DeployKeysController < Projects::ApplicationController
   layout "project_settings"
 
   def index
-    @enabled_keys = @project.deploy_keys
-
-    @available_keys         = accessible_keys - @enabled_keys
-    @available_project_keys = current_user.project_deploy_keys - @enabled_keys
-    @available_public_keys  = DeployKey.are_public - @enabled_keys
-
-    # Public keys that are already used by another accessible project are already
-    # in @available_project_keys.
-    @available_public_keys -= @available_project_keys
+    @key = DeployKey.new
+    set_index_vars
   end
 
   def new
-    @key = @project.deploy_keys.new
-
-    respond_with(@key)
+    redirect_to namespace_project_deploy_keys_path(@project.namespace,
+                                                   @project)
   end
 
   def create
     @key = DeployKey.new(deploy_key_params)
+    set_index_vars
 
     if @key.valid? && @project.deploy_keys << @key
       log_audit_event(@key.title, action: :create)
@@ -33,7 +26,7 @@ class Projects::DeployKeysController < Projects::ApplicationController
       redirect_to namespace_project_deploy_keys_path(@project.namespace,
                                                      @project)
     else
-      render "new"
+      render "index"
     end
   end
 
@@ -56,6 +49,18 @@ class Projects::DeployKeysController < Projects::ApplicationController
 
   protected
 
+  def set_index_vars
+    @enabled_keys ||= @project.deploy_keys
+
+    @available_keys         ||= accessible_keys - @enabled_keys
+    @available_project_keys ||= current_user.project_deploy_keys - @enabled_keys
+    @available_public_keys  ||= DeployKey.are_public - @enabled_keys
+
+    # Public keys that are already used by another accessible project are already
+    # in @available_project_keys.
+    @available_public_keys -= @available_project_keys
+  end
+
   def accessible_keys
     @accessible_keys ||= current_user.accessible_deploy_keys
   end

app/controllers/projects/graphs_controller.rb

@@ -17,7 +17,7 @@ class Projects::GraphsController < Projects::ApplicationController
   end
 
   def commits
-    @commits = @project.repository.commits(@ref, nil, 2000, 0, true)
+    @commits = @project.repository.commits(@ref, limit: 2000, skip_merges: true)
     @commits_graph = Gitlab::Graphs::Commits.new(@commits)
     @commits_per_week_days = @commits_graph.commits_per_week_days
     @commits_per_time = @commits_graph.commits_per_time
@@ -55,7 +55,7 @@ class Projects::GraphsController < Projects::ApplicationController
   private
 
   def fetch_graph
-    @commits = @project.repository.commits(@ref, nil, 6000, 0, true)
+    @commits = @project.repository.commits(@ref, limit: 6000, skip_merges: true)
     @log = []
 
     @commits.each do |commit|

app/controllers/projects/hooks_controller.rb

@@ -52,8 +52,16 @@ class Projects::HooksController < Projects::ApplicationController
   end
 
   def hook_params
-    params.require(:hook).permit(:url, :push_events, :issues_events,
-      :merge_requests_events, :tag_push_events, :note_events,
-      :build_events, :enable_ssl_verification)
+    params.require(:hook).permit(
+      :build_events,
+      :enable_ssl_verification,
+      :issues_events,
+      :merge_requests_events,
+      :note_events,
+      :push_events,
+      :tag_push_events,
+      :token,
+      :url
+    )
   end
 end

app/controllers/projects/issues_controller.rb

@@ -3,8 +3,8 @@ class Projects::IssuesController < Projects::ApplicationController
   include IssuableActions
 
   before_action :module_enabled
-  before_action :issue,
-    only: [:edit, :update, :show, :referenced_merge_requests, :related_branches]
+  before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
+                               :related_branches, :can_create_branch]
 
   # Allow read any issue
   before_action :authorize_read_issue!, only: [:show]
@@ -102,6 +102,8 @@ class Projects::IssuesController < Projects::ApplicationController
 
     if params[:move_to_project_id].to_i > 0
       new_project = Project.find(params[:move_to_project_id])
+      return render_404 unless issue.can_move?(current_user, new_project)
+
       move_service = Issues::MoveService.new(project, current_user)
       @issue = move_service.execute(@issue, new_project)
     end
@@ -145,6 +147,18 @@ class Projects::IssuesController < Projects::ApplicationController
     end
   end
 
+  def can_create_branch
+    can_create = current_user &&
+      can?(current_user, :push_code, @project) &&
+      @issue.can_be_worked_on?(current_user)
+
+    respond_to do |format|
+      format.json do
+        render json: { can_create_branch: can_create }
+      end
+    end
+  end
+
   def bulk_update
     result = Issues::BulkUpdateService.new(project, current_user, bulk_update_params).execute
     redirect_back_or_default(default: { action: 'index' }, options: { notice: "#{result[:count]} issues updated" })

app/controllers/projects/wikis_controller.rb

@@ -40,10 +40,10 @@ class Projects::WikisController < Projects::ApplicationController
   end
 
   def update
-    @page = @project_wiki.find_page(params[:id])
-
     return render('empty') unless can?(current_user, :create_wiki, @project)
 
+    @page = @project_wiki.find_page(params[:id])
+
     if @page = WikiPages::UpdateService.new(@project, current_user, wiki_params).execute(@page)
       # Triggers repository update on secondary nodes when Geo is enabled
       Gitlab::Geo.notify_wiki_update(@project) if Gitlab::Geo.primary?

app/controllers/registrations_controller.rb

@@ -8,6 +8,13 @@ class RegistrationsController < Devise::RegistrationsController
 
   def create
     if !Gitlab::Recaptcha.load_configurations! || verify_recaptcha
+      # To avoid duplicate form fields on the login page, the registration form
+      # names fields using `new_user`, but Devise still wants the params in
+      # `user`.
+      if params["new_#{resource_name}"].present? && params[resource_name].blank?
+        params[resource_name] = params.delete(:"new_#{resource_name}")
+      end
+
       super
     else
       flash[:alert] = "There was an error with the reCAPTCHA code below. Please re-enter the code."

app/finders/snippets_finder.rb

@@ -51,7 +51,7 @@ class SnippetsFinder
     snippets = project.snippets.fresh
 
     if current_user
-      if project.team.member?(current_user.id)
+      if project.team.member?(current_user.id) || current_user.admin?
         snippets
       else
         snippets.public_and_internal

app/helpers/blob_helper.rb

@@ -3,8 +3,8 @@ module BlobHelper
     Gitlab::Highlight.new(blob_name, blob_content, nowrap: nowrap)
   end
 
-  def highlight(blob_name, blob_content, nowrap: false)
-    Gitlab::Highlight.highlight(blob_name, blob_content, nowrap: nowrap)
+  def highlight(blob_name, blob_content, nowrap: false, plain: false)
+    Gitlab::Highlight.highlight(blob_name, blob_content, nowrap: nowrap, plain: plain)
   end
 
   def no_highlight_files

app/helpers/ci_badge_helper.rb

-module CiBadgeHelper
-  def markdown_badge_code(project, ref)
-    url = status_ci_project_url(project, ref: ref, format: 'png')
-    link = namespace_project_commits_path(project.namespace, project, ref)
-    "[![build status](#{url})](#{link})"
-  end
-
-  def html_badge_code(project, ref)
-    url = status_ci_project_url(project, ref: ref, format: 'png')
-    link = namespace_project_commits_path(project.namespace, project, ref)
-    "<a href='#{link}'><img src='#{url}' /></a>"
-  end
-end

app/helpers/issues_helper.rb

@@ -16,31 +16,49 @@ module IssuesHelper
   def url_for_project_issues(project = @project, options = {})
     return '' if project.nil?
 
-    if options[:only_path]
-      project.issues_tracker.project_path
-    else
-      project.issues_tracker.project_url
-    end
+    url =
+      if options[:only_path]
+        project.issues_tracker.project_path
+      else
+        project.issues_tracker.project_url
+      end
+
+    # Ensure we return a valid URL to prevent possible XSS.
+    URI.parse(url).to_s
+  rescue URI::InvalidURIError
+    ''
   end
 
   def url_for_new_issue(project = @project, options = {})
     return '' if project.nil?
 
-    if options[:only_path]
-      project.issues_tracker.new_issue_path
-    else
-      project.issues_tracker.new_issue_url
-    end
+    url =
+      if options[:only_path]
+        project.issues_tracker.new_issue_path
+      else
+        project.issues_tracker.new_issue_url
+      end
+
+    # Ensure we return a valid URL to prevent possible XSS.
+    URI.parse(url).to_s
+  rescue URI::InvalidURIError
+    ''
   end
 
   def url_for_issue(issue_iid, project = @project, options = {})
     return '' if project.nil?
 
-    if options[:only_path]
-      project.issues_tracker.issue_path(issue_iid)
-    else
-      project.issues_tracker.issue_url(issue_iid)
-    end
+    url =
+      if options[:only_path]
+        project.issues_tracker.issue_path(issue_iid)
+      else
+        project.issues_tracker.issue_url(issue_iid)
+      end
+
+    # Ensure we return a valid URL to prevent possible XSS.
+    URI.parse(url).to_s
+  rescue URI::InvalidURIError
+    ''
   end
 
   def bulk_update_milestone_options

app/helpers/labels_helper.rb

@@ -37,7 +37,7 @@ module LabelsHelper
     link = send("namespace_project_#{type.to_s.pluralize}_path",
                 project.namespace,
                 project,
-                label_name: label.name)
+                label_name: [label.name])
 
     if block_given?
       link_to link, &block

app/mailers/emails/notes.rb

@@ -28,6 +28,14 @@ module Emails
       mail_answer_thread(@merge_request, note_thread_options(recipient_id))
     end
 
+    def note_snippet_email(recipient_id, note_id)
+      setup_note_mail(note_id, recipient_id)
+
+      @snippet = @note.noteable
+      @target_url = namespace_project_snippet_url(*note_target_url_options)
+      mail_answer_thread(@snippet, note_thread_options(recipient_id))
+    end
+
     private
 
     def note_target_url_options

app/models/blob.rb

@@ -19,6 +19,14 @@ class Blob < SimpleDelegator
     new(blob)
   end
 
+  def no_highlighting?
+    size && size > 1.megabyte
+  end
+
+  def only_display_raw?
+    size && size > 5.megabytes
+  end
+
   def svg?
     text? && language && language.name == 'SVG'
   end

app/models/concerns/milestoneish.rb

@@ -8,7 +8,7 @@ module Milestoneish
   end
 
   def complete?(user = nil)
-    total_items_count(user) == closed_items_count(user)
+    total_items_count(user) > 0 && total_items_count(user) == closed_items_count(user)
   end
 
   def percent_complete(user = nil)

app/models/concerns/statuseable.rb

@@ -18,7 +18,7 @@ module Statuseable
         WHEN (#{builds})=0 THEN NULL
         WHEN (#{builds})=(#{success})+(#{ignored}) THEN 'success'
         WHEN (#{builds})=(#{pending}) THEN 'pending'
-        WHEN (#{builds})=(#{canceled}) THEN 'canceled'
+        WHEN (#{builds})=(#{canceled})+(#{success})+(#{ignored}) THEN 'canceled'
         WHEN (#{builds})=(#{skipped}) THEN 'skipped'
         WHEN (#{running})+(#{pending})>0 THEN 'running'
         ELSE 'failed'

app/models/project.rb

@@ -862,19 +862,17 @@ class Project < ActiveRecord::Base
   end
 
   def open_branches
-    all_branches = repository.branches
+    # We're using a Set here as checking values in a large Set is faster than
+    # checking values in a large Array.
+    protected_set = Set.new(protected_branch_names)
 
-    if protected_branches.present?
-      all_branches.reject! do |branch|
-        protected_branches_names.include?(branch.name)
-      end
+    repository.branches.reject do |branch|
+      protected_set.include?(branch.name)
     end
-
-    all_branches
   end
 
-  def protected_branches_names
-    @protected_branches_names ||= protected_branches.map(&:name)
+  def protected_branch_names
+    @protected_branch_names ||= protected_branches.pluck(:name)
   end
 
   def root_ref?(branch)
@@ -896,7 +894,7 @@ class Project < ActiveRecord::Base
 
   # Check if current branch name is marked as protected in the system
   def protected_branch?(branch_name)
-    protected_branches_names.include?(branch_name)
+    protected_branches.where(name: branch_name).any?
   end
 
   def developers_can_push_to_protected_branch?(branch_name)
@@ -1034,6 +1032,7 @@ class Project < ActiveRecord::Base
     repository.rugged.references.create('HEAD',
                                         "refs/heads/#{branch}",
                                         force: true)
+    repository.copy_gitattributes(branch)
     reload_default_branch
   end
 

app/models/project_services/buildkite_service.rb

@@ -26,7 +26,7 @@ class BuildkiteService < CiService
 
   prop_accessor :project_url, :token, :enable_ssl_verification
 
-  validates :project_url, presence: true, if: :activated?
+  validates :project_url, presence: true, url: true, if: :activated?
   validates :token, presence: true, if: :activated?
 
   after_save :compose_service_hook, if: :activated?
@@ -91,7 +91,7 @@ class BuildkiteService < CiService
       { type: 'text',
         name: 'project_url',
         placeholder: "#{ENDPOINT}/example/project" },
-      
+
       { type: 'checkbox',
         name: 'enable_ssl_verification',
         title: "Enable SSL verification" }

app/models/project_services/issue_tracker_service.rb

@@ -21,7 +21,7 @@
 
 class IssueTrackerService < Service
 
-  validates :project_url, :issues_url, :new_issue_url, presence: true, if: :activated?
+  validates :project_url, :issues_url, :new_issue_url, presence: true, url: true, if: :activated?
 
   default_value_for :category, 'issue_tracker'
 

app/models/project_services/jira_service.rb

@@ -28,6 +28,8 @@ class JiraService < IssueTrackerService
   prop_accessor :username, :password, :api_url, :jira_issue_transition_id,
                 :title, :description, :project_url, :issues_url, :new_issue_url
 
+  validates :api_url, presence: true, url: true, if: :activated?
+
   before_validation :set_api_url, :set_jira_issue_transition_id
 
   before_update :reset_password

app/models/project_services/slack_service.rb

@@ -22,7 +22,7 @@
 class SlackService < Service
   prop_accessor :webhook, :username, :channel
   boolean_accessor :notify_only_broken_builds
-  validates :webhook, presence: true, if: :activated?
+  validates :webhook, presence: true, url: true, if: :activated?
 
   def initialize_properties
     if properties.nil?

app/models/project_snippet.rb

@@ -27,4 +27,6 @@ class ProjectSnippet < Snippet
 
   # Scopes
   scope :fresh, -> { order("created_at DESC") }
+
+  participant :author, :notes
 end

app/models/repository.rb

@@ -95,13 +95,15 @@ class Repository
     nil
   end
 
-  def commits(ref, path = nil, limit = nil, offset = nil, skip_merges = false)
+  def commits(ref, path: nil, limit: nil, offset: nil, skip_merges: false, after: nil, before: nil)
     options = {
       repo: raw_repository,
       ref: ref,
       path: path,
       limit: limit,
       offset: offset,
+      after: after,
+      before: before,
       # --follow doesn't play well with --skip. See:
       # https://gitlab.com/gitlab-org/gitlab-ce/issues/3574#note_3040520
       follow: false,
@@ -160,10 +162,20 @@ class Repository
     find_branch(branch_name)
   end
 
-  def add_tag(tag_name, ref, message = nil)
-    before_push_tag
+  def add_tag(user, tag_name, target, message = nil)
+    oldrev = Gitlab::Git::BLANK_SHA
+    ref    = Gitlab::Git::TAG_REF_PREFIX + tag_name
+    target = commit(target).try(:id)
+
+    return false unless target
+
+    options = { message: message, tagger: user_to_committer(user) } if message
+
+    GitHooksService.new.execute(user, path_to_repo, oldrev, target, ref) do
+      rugged.tags.create(tag_name, target, options)
+    end
 
-    gitlab_shell.add_tag(path_with_namespace, tag_name, ref, message)
+    find_tag(tag_name)
   end
 
   def rm_branch(user, branch_name)
@@ -629,7 +641,7 @@ class Repository
   end
 
   def contributors
-    commits = self.commits(nil, nil, 2000, 0, true)
+    commits = self.commits(nil, limit: 2000, offset: 0, skip_merges: true)
 
     commits.group_by(&:author_email).map do |email, commits|
       contributor = Gitlab::Contributor.new
@@ -1117,6 +1129,16 @@ class Repository
     raw_repository.ls_files(actual_ref)
   end
 
+  def copy_gitattributes(ref)
+    actual_ref = ref || root_ref
+    begin
+      raw_repository.copy_gitattributes(actual_ref)
+      true
+    rescue Gitlab::Git::Repository::InvalidRef
+      false
+    end
+  end
+
   def main_language
     return if empty? || rugged.head_unborn?
 

app/models/snippet.rb

@@ -113,6 +113,10 @@ class Snippet < ActiveRecord::Base
     visibility_level
   end
 
+  def no_highlighting?
+    content.lines.count > 1000
+  end
+
   class << self
     # Searches for snippets with a matching title or file name.
     #

app/models/user.rb

@@ -91,7 +91,7 @@ class User < ActiveRecord::Base
   devise :two_factor_backupable, otp_number_of_backup_codes: 10
   serialize :otp_backup_codes, JSON
 
-  devise :lockable, :recoverable, :rememberable, :trackable,
+  devise :lockable, :async, :recoverable, :rememberable, :trackable,
     :validatable, :omniauthable, :confirmable, :registerable
 
   attr_accessor :force_random_password

app/services/create_branch_service.rb

@@ -43,9 +43,4 @@ class CreateBranchService < BaseService
     out[:branch] = branch
     out
   end
-
-  def build_push_data(project, user, branch)
-    Gitlab::PushDataBuilder.
-      build(project, user, Gitlab::Git::BLANK_SHA, branch.target, "#{Gitlab::Git::BRANCH_REF_PREFIX}#{branch.name}", [])
-  end
 end

app/services/create_tag_service.rb

 require_relative 'base_service'
 
 class CreateTagService < BaseService
-  def execute(tag_name, ref, message, release_description = nil)
+  def execute(tag_name, target, message, release_description = nil)
     valid_tag = Gitlab::GitRefValidator.validate(tag_name)
-    if valid_tag == false
-      return error('Tag name invalid')
-    end
+    return error('Tag name invalid') unless valid_tag
 
     repository = project.repository
-    existing_tag = repository.find_tag(tag_name)
-    if existing_tag
-      return error('Tag already exists')
-    end
-
     message.strip! if message
 
-    repository.add_tag(tag_name, ref, message)
-    new_tag = repository.find_tag(tag_name)
+    new_tag = nil
+    begin
+      new_tag = repository.add_tag(current_user, tag_name, target, message)
+    rescue Rugged::TagError
+      return error("Tag #{tag_name} already exists")
+    rescue GitHooksService::PreReceiveError
+      return error('Tag creation was rejected by Git hook')
+    end
 
     if new_tag
-      push_data = create_push_data(project, current_user, new_tag)
-      EventCreateService.new.push(project, current_user, push_data)
-      project.execute_hooks(push_data.dup, :tag_push_hooks)
-      project.execute_services(push_data.dup, :tag_push_hooks)
-      CreateCommitBuildsService.new.execute(project, current_user, push_data)
-
       if release_description
         CreateReleaseService.new(@project, @current_user).
           execute(tag_name, release_description)
       end
-
-      success(new_tag)
+      success.merge(tag: new_tag)
     else
-      error('Invalid reference name')
+      error("Target #{target} is invalid")
     end
   end
-
-  def success(branch)
-    out = super()
-    out[:tag] = branch
-    out
-  end
-
-  def create_push_data(project, user, tag)
-    commits = [project.commit(tag.target)].compact
-    Gitlab::PushDataBuilder.
-      build(project, user, Gitlab::Git::BLANK_SHA, tag.target, "#{Gitlab::Git::TAG_REF_PREFIX}#{tag.name}", commits, tag.message)
-  end
 end

app/services/git_push_service.rb

@@ -42,7 +42,12 @@ class GitPushService < BaseService
       # Collect data for this git push
       @push_commits = @project.repository.commits_between(params[:oldrev], params[:newrev])
       process_commit_messages
+
+      # Update the bare repositories info/attributes file using the contents of the default branches
+      # .gitattributes file
+      update_gitattributes if is_default_branch?
     end
+
     # Update merge requests that may be affected by this push. A new branch
     # could cause the last commit of a merge request to change.
     update_merge_requests
@@ -54,6 +59,10 @@ class GitPushService < BaseService
     perform_housekeeping
   end
 
+  def update_gitattributes
+    @project.repository.copy_gitattributes(params[:ref])
+  end
+
   def update_main_language
     # Performance can be bad so for now only check main_language once
     # See https://gitlab.com/gitlab-org/gitlab-ce/issues/14937

app/services/merge_requests/build_service.rb

@@ -7,6 +7,9 @@ module MergeRequests
       merge_request.can_be_created = false
       merge_request.compare_commits = []
       merge_request.source_project = project unless merge_request.source_project
+
+      merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
+
       merge_request.target_project ||= (project.forked_from_project || project)
       merge_request.target_branch ||= merge_request.target_project.default_branch
 

app/services/notes/create_service.rb

@@ -5,6 +5,8 @@ module Notes
       note.author = current_user
       note.system = false
 
+      return unless valid_project?(note)
+
       if note.save
         # Finish the harder work in the background
         NewNoteWorker.perform_in(2.seconds, note.id, params)
@@ -13,5 +15,14 @@ module Notes
 
       note
     end
+
+    private
+
+    def valid_project?(note)
+      return false unless project
+      return true if note.for_commit?
+
+      note.noteable.try(:project) == project
+    end
   end
 end

app/services/wiki_pages/create_service.rb

 module WikiPages
   class CreateService < WikiPages::BaseService
     def execute
-      page = WikiPage.new(@project.wiki)
+      project_wiki = ProjectWiki.new(@project, current_user)
+      page = WikiPage.new(project_wiki)
 
       if page.create(@params)
         execute_hooks(page, 'create')

app/views/admin/hooks/index.html.haml

@@ -13,9 +13,15 @@
   = form_errors(@hook)
 
   .form-group
-    = f.label :url, "URL:", class: 'control-label'
+    = f.label :url, 'URL', class: 'control-label'
     .col-sm-10
-      = f.text_field :url, class: "form-control"
+      = f.text_field :url, class: 'form-control'
+  .form-group
+    = f.label :token, 'Secret Token', class: 'control-label'
+    .col-sm-10
+      = f.text_field :token, class: 'form-control'
+      %p.help-block
+        Use this token to validate received payloads
   .form-group
     = f.label :url, "Trigger", class: 'control-label'
     .col-sm-10.prepend-top-10

app/views/devise/sessions/two_factor.html.haml

@@ -4,7 +4,7 @@
       %h3 Two-factor Authentication
     .login-body
       = form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f|
-        = f.text_field :otp_attempt, class: 'form-control', placeholder: 'Two-factor authentication code', required: true, autofocus: true
-        %p.help-block.hint If you've lost your phone, you may enter one of your recovery codes.
+        = f.text_field :otp_attempt, class: 'form-control', placeholder: 'Two-factor Authentication code', required: true, autofocus: true
+        %p.help-block.hint Enter the code from the two-factor app on your mobile device. If you've lost your device, you may enter one of your recovery codes.
         .prepend-top-20
           = f.submit "Verify code", class: "btn btn-save"

app/views/devise/shared/_signup_box.html.haml

@@ -6,7 +6,7 @@
     .login-heading
       %h3 Create an account
   .login-body
-    = form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f|
+    = form_for(resource, as: "new_#{resource_name}", url: registration_path(resource_name)) do |f|
       .devise-errors
         = devise_error_messages!
       %div
@@ -16,7 +16,7 @@
       %div
         = f.email_field :email, class: "form-control middle", placeholder: "Email", required: true
       .form-group.append-bottom-20#password-strength
-        = f.password_field :password, class: "form-control bottom", id: "user_password_sign_up", placeholder: "Password", required: true
+        = f.password_field :password, class: "form-control bottom", placeholder: "Password", required: true
       %div
       - if current_application_settings.recaptcha_enabled
         = recaptcha_tags

app/views/doorkeeper/applications/index.html.haml

@@ -44,7 +44,7 @@
                         = icon('pencil')
                       = render 'delete_form', application: application, small: true
         - else
-          .profile-settings-message.text-center
+          .settings-message.text-center
             You don't have any applications
     .oauth-authorized-applications.prepend-top-20.append-bottom-default
       - if user_oauth_applications?
@@ -78,5 +78,5 @@
                   %td= token.scopes
                   %td= render 'doorkeeper/authorized_applications/delete_form', token: token
       - else
-        .profile-settings-message.text-center
+        .settings-message.text-center
           You don't have any authorized applications

app/views/events/_event.html.haml

@@ -5,7 +5,7 @@
 
     = cache [event, current_application_settings, "v2.2"] do
       - if event.author
-        = link_to user_path(event.author.username) do
+        = link_to user_path(event.author) do
           = image_tag avatar_icon(event.author_email, 40), class: "avatar s40", alt:''
       - else
         = image_tag avatar_icon(event.author_email, 40), class: "avatar s40", alt:''

app/views/layouts/_page.html.haml

@@ -22,13 +22,13 @@
         = image_tag avatar_icon(current_user, 60), alt: 'Profile', class: 'avatar avatar s36'
         .username
           = current_user.username
+  - if defined?(nav) && nav
+    .layout-nav
+      .container-fluid
+        = render "layouts/nav/#{nav}"
   .content-wrapper
     = render "layouts/flash"
     = yield :flash_message
-    - if defined?(nav) && nav
-      .layout-nav
-        %div{ class: container_class }
-          = render "layouts/nav/#{nav}"
     %div{ class: (container_class unless @no_container) }
       .content
         .clearfix

app/views/layouts/header/_default.html.haml

@@ -15,7 +15,7 @@
           - if current_user
             - if session[:impersonator_id]
               %li.impersonation
-                = link_to stop_impersonation_admin_users_path, method: :delete, title: 'Stop Impersonation', data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do
+                = link_to admin_impersonation_path, method: :delete, title: 'Stop Impersonation', data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do
                   = icon('user-secret fw')
             - if current_user.is_admin?
               %li

app/views/notify/note_snippet_email.html.haml

+= render 'note_message'

app/views/notify/note_snippet_email.text.erb

+New comment for Snippet <%= @snippet.id %>
+
+<%= url_for(namespace_project_snippet_url(@snippet.project.namespace, @snippet.project, @snippet, anchor: "note_#{@note.id}")) %>
+
+
+Author: <%= @note.author_name %>
+
+<%= @note.note %>

app/views/profiles/emails/index.html.haml

@@ -45,4 +45,4 @@
               %span.label.label-info Public Email
             - if email.email === current_user.notification_email
               %span.label.label-info Notification Email
-          = link_to 'Remove', profile_email_path(email), data: { confirm: 'Are you sure?'}, method: :delete, class: 'btn btn-sm btn-remove pull-right'
+            = link_to 'Remove', profile_email_path(email), data: { confirm: 'Are you sure?'}, method: :delete, class: 'btn btn-sm btn-warning prepend-left-10'

app/views/profiles/keys/_key.html.haml

 %li.key-list-item
   .pull-left.append-right-10
-    = icon 'key', class: "key-icon hidden-xs"
+    = icon 'key', class: "settings-list-icon hidden-xs"
   .key-list-item-info
     = link_to path_to_key(key, is_admin), class: "title" do
       = key.title

app/views/profiles/keys/_key_table.html.haml

@@ -4,7 +4,7 @@
   %ul.well-list
     = render partial: 'profiles/keys/key', collection: @keys, locals: { is_admin: is_admin }
 - else
-  %p.profile-settings-message.text-center
+  %p.settings-message.text-center
     - if is_admin
       There are no SSH keys associated with this account.
     - else

app/views/projects/blob/_text.html.haml

-- blob.load_all_data!(@repository)
-- if markup?(blob.name)
-  .file-content.wiki
-    = render_markup(blob.name, blob.data)
+- if blob.only_display_raw?
+  .file-content.code
+    .nothing-here-block
+      File too large, you can
+      = succeed '.' do
+        = link_to 'view the raw file', namespace_project_raw_path(@project.namespace, @project, @id), target: '_blank'
+
 - else
-  - unless blob.empty?
-    = render 'shared/file_highlight', blob: blob
+  - blob.load_all_data!(@repository)
+
+  - if markup?(blob.name)
+    .file-content.wiki
+      = render_markup(blob.name, blob.data)
   - else
-    .file-content.code
-      .nothing-here-block Empty file
+    - if blob.empty?
+      .file-content.code
+        .nothing-here-block Empty file
+    - else
+      = render 'shared/file_highlight', blob: blob

app/views/projects/deploy_keys/_deploy_key.html.haml

 %li
-  .pull-right
+  .pull-left.append-right-10.hidden-xs
+    = icon "key", class: "key-icon"
+  .deploy-key-content.key-list-item-info
+    %strong.title
+      = deploy_key.title
+    .description
+      = deploy_key.fingerprint
+  .deploy-key-content.prepend-left-default.deploy-key-projects
+    - deploy_key.projects.each do |project|
+      - if can?(current_user, :read_project, project)
+        = link_to namespace_project_path(project.namespace, project), class: "label deploy-project-label" do
+          = project.name_with_namespace
+  .deploy-key-content
+    %span.key-created-at
+      created #{time_ago_with_tooltip(deploy_key.created_at)}
+    .visible-xs-block.visible-sm-block
     - if @available_keys.include?(deploy_key)
-      = link_to enable_namespace_project_deploy_key_path(@project.namespace, @project, deploy_key), class: 'btn btn-sm', method: :put do
-        = icon('plus')
+      = link_to enable_namespace_project_deploy_key_path(@project.namespace, @project, deploy_key), class: "btn btn-sm prepend-left-10", method: :put do
         Enable
     - else
       - if deploy_key.destroyed_when_orphaned? && deploy_key.almost_orphaned?
-        = link_to 'Remove', disable_namespace_project_deploy_key_path(@project.namespace, @project, deploy_key), data: { confirm: 'You are going to remove deploy key. Are you sure?'}, method: :put, class: "btn btn-remove delete-key btn-sm pull-right"
+        = link_to disable_namespace_project_deploy_key_path(@project.namespace, @project, deploy_key), data: { confirm: "You are going to remove deploy key. Are you sure?" }, method: :put, class: "btn btn-warning btn-sm prepend-left-10" do
+          Remove
       - else
-        = link_to disable_namespace_project_deploy_key_path(@project.namespace, @project, deploy_key), class: 'btn btn-sm', method: :put do
-          = icon('power-off')
+        = link_to disable_namespace_project_deploy_key_path(@project.namespace, @project, deploy_key), class: "btn btn-warning btn-sm prepend-left-10", method: :put do
           Disable
-
-  = icon('key')
-  %strong= deploy_key.title
-  %br
-  %code.key-fingerprint= deploy_key.fingerprint
-
-  %p.light.prepend-top-10
-    - if deploy_key.public?
-      %span.label.label-info.deploy-project-label
-        Public deploy key
-
-    - deploy_key.projects.each do |project|
-      - if can?(current_user, :read_project, project)
-        %span.label.label-gray.deploy-project-label
-          = link_to namespace_project_path(project.namespace, project) do
-            = project.name_with_namespace
-
-    %small.pull-right
-      Created #{time_ago_with_tooltip(deploy_key.created_at)}

app/views/projects/deploy_keys/_form.html.haml

-%div
-  = form_for [@project.namespace.becomes(Namespace), @project, @key], url: namespace_project_deploy_keys_path, html: { class: 'deploy-key-form form-horizontal js-requires-input' } do |f|
-    = form_errors(@key)
-
-    .form-group
-      = f.label :title, class: "control-label"
-      .col-sm-10= f.text_field :title, class: 'form-control', autofocus: true, required: true
-    .form-group
-      = f.label :key, class: "control-label"
-      .col-sm-10
-        %p.light
-          Paste a machine public key here. Read more about how to generate it
-          = link_to "here", help_page_path("ssh", "README")
-        = f.text_area :key, class: "form-control thin_area", rows: 5, required: true
-
-    .form-actions
-      = f.submit 'Create Deploy Key', class: "btn-create btn"
-      = link_to "Cancel", namespace_project_deploy_keys_path(@project.namespace, @project), class: "btn btn-cancel"
+= form_for [@project.namespace.becomes(Namespace), @project, @key], url: namespace_project_deploy_keys_path, html: { class: "js-requires-input" } do |f|
+  = form_errors(@key)
+  .form-group
+    = f.label :title, class: "label-light"
+    = f.text_field :title, class: 'form-control', autofocus: true, required: true
+  .form-group
+    = f.label :key, class: "label-light"
+    = f.text_area :key, class: "form-control", rows: 5, required: true
+  .form-group
+    %p.light.append-bottom-0
+      Paste a machine public key here. Read more about how to generate it
+      = link_to "here", help_page_path("ssh", "README")
+  = f.submit "Add key", class: "btn-create btn"

app/views/projects/deploy_keys/index.html.haml

 - page_title "Deploy Keys"
 
-%h3.page-title
-  Deploy keys allow read-only access to the repository
-
-  = link_to new_namespace_project_deploy_key_path(@project.namespace, @project), class: "btn btn-new pull-right", title: "New Deploy Key" do
-    %i.fa.fa-plus
-    New Deploy Key
-
-%p.light
-  Deploy keys can be used for CI, staging or production servers.
-  You can create a deploy key or add an existing one
-
-%hr.clearfix
-
-.row
-  .col-md-6.enabled-keys
-    %h5
-      %strong.cgreen Enabled deploy keys
-      for this project
-    %ul.bordered-list
-      = render @enabled_keys
-      - if @enabled_keys.blank?
-        .light-well
-          .nothing-here-block Create a #{link_to 'new deploy key', new_namespace_project_deploy_key_path(@project.namespace, @project)} or add an existing one
-  .col-md-6.available-keys
-    - # If there are available public deploy keys but no available project deploy keys, only public deploy keys are shown.
-    - if @available_project_keys.any? || @available_public_keys.blank?
-      %h5
-        %strong Deploy keys
-        from projects you have access to
-      %ul.bordered-list
+.row.prepend-top-default
+  .col-lg-3.profile-settings-sidebar
+    %h4.prepend-top-0
+      = page_title
+    %p
+      Deploy keys allow read-only access to your repository. Deploy keys can be used for CI, staging or production servers. You can create a deploy key or add an existing one.
+  .col-lg-9
+    %h5.prepend-top-0
+      Create a new deploy key for this project
+    = render "form"
+  .col-lg-9.col-lg-offset-3
+    %hr
+  .col-lg-9.col-lg-offset-3.append-bottom-default.deploy-keys
+    %h5.prepend-top-0
+      Enabled deploy keys for this project (#{@enabled_keys.size})
+    - if @enabled_keys.any?
+      %ul.well-list
+        = render @enabled_keys
+    - else
+      .profile-settings-message.text-center
+        No deploy keys found. Create one with the form above or add existing one below.
+    %h5.prepend-top-default
+      Deploy keys from projects you have access to (#{@available_project_keys.size})
+    - if @available_project_keys.any?
+      %ul.well-list
         = render @available_project_keys
-        - if @available_project_keys.blank?
-          .light-well
-            .nothing-here-block Deploy keys from projects you have access to will be displayed here
-
+    - else
+      .profile-settings-message.text-center
+        No deploy keys from your projects could be found. Create one with the form above or add existing one below.
     - if @available_public_keys.any?
-      %h5
-        %strong Public deploy keys
-        available to any project
-      %ul.bordered-list
+      %h5.prepend-top-default
+        Public deploy keys available to any project (#{@available_public_keys.size})
+      %ul.well-list
         = render @available_public_keys

app/views/projects/diffs/_file.html.haml

@@ -40,19 +40,19 @@
         = view_file_btn(diff_commit.id, diff_file, project)
 
   .diff-content.diff-wrap-lines
-    -# Skipp all non non-supported blobs
+    - # Skip all non non-supported blobs
     - return unless blob.respond_to?('text?')
     - if diff_file.too_large?
-      .nothing-here-block
-        This diff could not be displayed because it is too large.
-    - else
-      - if blob_text_viewable?(blob)
-        - if diff_view == 'parallel'
-          = render "projects/diffs/parallel_view", diff_file: diff_file, project: project, blob: blob, index: i
-        - else
-          = render "projects/diffs/text_file", diff_file: diff_file, index: i
-      - elsif blob.image?
-        - old_file = project.repository.prev_blob_for_diff(diff_commit, diff_file)
-        = render "projects/diffs/image", diff_file: diff_file, old_file: old_file, file: blob, index: i, diff_refs: diff_refs
+      .nothing-here-block This diff could not be displayed because it is too large.
+    - elsif blob_text_viewable?(blob) && !project.repository.diffable?(blob)
+      .nothing-here-block This diff was suppressed by a .gitattributes entry.
+    - elsif blob_text_viewable?(blob)
+      - if diff_view == 'parallel'
+        = render "projects/diffs/parallel_view", diff_file: diff_file, project: project, blob: blob, index: i
       - else
-        .nothing-here-block No preview for this file type
+        = render "projects/diffs/text_file", diff_file: diff_file, index: i
+    - elsif blob.image?
+      - old_file = project.repository.prev_blob_for_diff(diff_commit, diff_file)
+      = render "projects/diffs/image", diff_file: diff_file, old_file: old_file, file: blob, index: i, diff_refs: diff_refs
+    - else
+      .nothing-here-block No preview for this file type

app/views/projects/group_links/index.html.haml

 - page_title "Groups"
-%h3.page_title Share project with other groups
-%p.light
-  Projects can be stored in only one group at once. However you can share a project with other groups here.
-%hr
-- if @group_links.present?
-  .enabled-groups.panel.panel-default
-    .panel-heading
-      Already shared with
-    %ul.well-list
-      - @group_links.each do |group_link|
-        - group = group_link.group
-        %li
-          .pull-right
-            = link_to namespace_project_group_link_path(@project.namespace, @project, group_link), method: :delete, class: 'btn btn-sm' do
-              %i.icon-remove
-              disable sharing
-          = link_to group do
-            %strong
-              %i.icon-folder-open
-              = group.name
-          %br
-          .light up to #{group_link.human_access}
-
-
-.available-groups
-  %h4
-    Can be shared with
-  %div
-    = form_tag namespace_project_group_links_path(@project.namespace, @project), method: :post, class: 'form-horizontal' do
+.row.prepend-top-default
+  .col-lg-3.settings-sidebar
+    %h4.prepend-top-0
+      Share project with other groups
+    %p
+      Projects can be stored in only one group at once. However you can share a project with other groups here.
+  .col-lg-9
+    %h5.prepend-top-0
+      Set a group to share
+    = form_tag namespace_project_group_links_path(@project.namespace, @project), method: :post do
       .form-group
-        = label_tag :link_group_id, 'Group', class: 'control-label'
-        .col-sm-10
-          = groups_select_tag(:link_group_id, skip_group: @project.group.try(:path))
+        = label_tag :link_group_id, "Group", class: "label-light"
+        = groups_select_tag(:link_group_id, skip_group: @project.group.try(:path))
       .form-group
-        = label_tag :link_group_access, 'Max access level', class: 'control-label'
-        .col-sm-10
-          = select_tag :link_group_access, options_for_select(ProjectGroupLink.access_options, ProjectGroupLink.default_access), class: "form-control"
-      .form-actions
-        = submit_tag "Share", class: "btn btn-create"
-
+        = label_tag :link_group_access, "Max access level", class: "label-light"
+        .select-wrapper
+          = select_tag :link_group_access, options_for_select(ProjectGroupLink.access_options, ProjectGroupLink.default_access), class: "form-control select-control"
+          %span.caret
+      = submit_tag "Share", class: "btn btn-create"
+  .col-lg-9.col-lg-offset-3
+    %hr
+  .col-lg-9.col-lg-offset-3.append-bottom-default.enabled-groups
+    %h5.prepend-top-0
+      Groups you share with (#{@group_links.size})
+    - if @group_links.present?
+      %ul.well-list
+        - @group_links.each do |group_link|
+          - group = group_link.group
+          %li
+            .pull-left.append-right-10.hidden-xs
+              = icon("folder-open-o", class: "settings-list-icon")
+            .pull-left
+              = link_to group do
+                = group.name
+              %br
+              up to #{group_link.human_access}
+            .pull-right
+              = link_to namespace_project_group_link_path(@project.namespace, @project, group_link), method: :delete, class: "btn btn-transparent" do
+                %span.sr-only disable sharing
+                = icon("trash")
+    - else
+      .settings-message.text-center
+        There are no groups with access to your project, add one in the form above

app/views/projects/hooks/_project_hook.html.haml

+%li
+  .row
+    .col-md-8.col-lg-7
+      %strong.light-header= hook.url
+      %div
+        - %w(push_events tag_push_events issues_events note_events merge_requests_events build_events).each do |trigger|
+          - if hook.send(trigger)
+            %span.label.label-gray.deploy-project-label= trigger.titleize
+    .col-md-4.col-lg-5.text-right-lg.prepend-top-5
+      %span.append-right-10.inline
+        SSL Verification: #{hook.enable_ssl_verification ? "enabled" : "disabled"}
+      = link_to "Test", test_namespace_project_hook_path(@project.namespace, @project, hook), class: "btn btn-sm"
+      = link_to namespace_project_hook_path(@project.namespace, @project, hook), data: { confirm: 'Are you sure?'}, method: :delete, class: "btn btn-transparent" do
+        %span.sr-only Remove
+        = icon('trash')

app/views/projects/hooks/index.html.haml

-= render 'shared/web_hooks/form', hook: @hook, hooks: @hooks, url_components: [@project.namespace.becomes(Namespace), @project]
+= render 'shared/web_hooks/form', hook: @hook, hooks: @hooks, url_components: [@project.namespace.becomes(Namespace), @project]
\ No newline at end of file

app/views/projects/issues/_new_branch.html.haml

-- if current_user && can?(current_user, :push_code, @project) && @issue.can_be_worked_on?(current_user)
+- if can?(current_user, :push_code, @project)
   .pull-right
-    = link_to namespace_project_branches_path(@project.namespace, @project, branch_name: @issue.to_branch_name, issue_iid: @issue.iid), method: :post, class: 'btn has-tooltip', title: @issue.to_branch_name do
-      = icon('code-fork')
-      New Branch
+    #new-branch{'data-path' => can_create_branch_namespace_project_issue_path(@project.namespace, @project, @issue)}
+      = link_to namespace_project_branches_path(@project.namespace, @project, branch_name: @issue.to_branch_name, issue_iid: @issue.iid), method: :post, class: 'btn has-tooltip', title: @issue.to_branch_name, disabled: 'disabled' do
+        .checking
+          %i.fa.fa-spinner.fa-spin
+          Checking branches
+        .available(style="display: none")
+          %i.fa.fa-code-fork
+          New branch
+        .unavailable(style="display: none")
+          %i.fa.fa-exclamation-triangle
+          New branch unavailable

app/views/projects/milestones/show.html.haml

@@ -42,9 +42,12 @@
           = preserve do
             = markdown @milestone.description
 
-- if @milestone.complete?(current_user) && @milestone.active?
+- if @milestone.total_items_count(current_user).zero?
   .alert.alert-success.prepend-top-default
-    %span All issues for this milestone are closed. You may close milestone now.
+    %span Assign some issues to this milestone.
+- elsif @milestone.complete?(current_user) && @milestone.active?
+  .alert.alert-success.prepend-top-default
+    %span All issues for this milestone are closed. You may close this milestone now.
 
 = render 'shared/milestones/summary', milestone: @milestone, project: @project
 = render 'shared/milestones/tabs', milestone: @milestone

app/views/projects/protected_branches/_branches_list.html.haml

-- unless @branches.empty?
-  %br
-  %h4 Already Protected:
-  .table-holder
+%h5.prepend-top-0
+  Already Protected (#{@branches.size})
+- if @branches.empty?
+  %p.profile-settings-message.text-center
+    No branches are protected, protect a branch with the form above.
+- else
+  - can_admin_project = can?(current_user, :admin_project, @project)
+  .table-responsive
     %table.table.protected-branches-list
+      %colgroup
+        %col{ width: "30%" }
+        %col{ width: "30%" }
+        %col{ width: "25%" }
+        - if can_admin_project
+          %col
       %thead
-        %tr.no-border
+        %tr
           %th Branch
-          %th Developers can push
           %th Last commit
-          %th
-
+          %th Developers can push
+          - if can_admin_project
+            %th
       %tbody
         - @branches.each do |branch|
           - @url = namespace_project_protected_branch_path(@project.namespace, @project, branch)
           %tr
             %td
-              = link_to namespace_project_commits_path(@project.namespace, @project, branch.name) do
-                %strong= branch.name
-                - if @project.root_ref?(branch.name)
-                  %span.label.label-info default
-              %td
-                = check_box_tag "developers_can_push", branch.id, branch.developers_can_push, "data-url" => @url
-              %td
-                - if commit = branch.commit
-                  = link_to namespace_project_commit_path(@project.namespace, @project, commit.id), class: 'commit_short_id' do
-                    = commit.short_id
-                  ·
-                  #{time_ago_with_tooltip(commit.committed_date)}
-                - else
-                  (branch was removed from repository)
+              = link_to(branch.name, namespace_project_commits_path(@project.namespace, @project, branch.name))
+              - if @project.root_ref?(branch.name)
+                %span.label.label-info.prepend-left-5 default
+            %td
+              - if commit = branch.commit
+                = link_to(commit.short_id, namespace_project_commit_path(@project.namespace, @project, commit.id), class: 'commit_short_id')
+                #{time_ago_with_tooltip(commit.committed_date)}
+              - else
+                (branch was removed from repository)
+            %td
+              = check_box_tag("developers_can_push", branch.id, branch.developers_can_push, data: { url: @url })
+            - if can_admin_project
               %td
-                .pull-right
-                  - if can? current_user, :admin_project, @project
-                    = link_to 'Unprotect', [@project.namespace.becomes(Namespace), @project, branch], data: { confirm: 'Branch will be writable for developers. Are you sure?' }, method: :delete, class: "btn btn-remove btn-sm"
+                = link_to 'Unprotect', [@project.namespace.becomes(Namespace), @project, branch], data: { confirm: 'Branch will be writable for developers. Are you sure?' }, method: :delete, class: "btn btn-warning btn-sm"

app/views/projects/protected_branches/index.html.haml

 - page_title "Protected branches"
-%h3.page-title Protected branches
-%p.light Keep stable branches secure and force developers to use Merge Requests
-%hr
 
-.well
-  %p Protected branches are designed to
-  %ul
-    %li prevent pushes from everybody except #{link_to "masters", help_page_path("permissions", "permissions"), class: "vlink"}
-    %li prevent anyone from force pushing to the branch
-    %li prevent anyone from deleting the branch
-  %p Read more about #{link_to "project permissions", help_page_path("permissions", "permissions"), class: "underlined-link"}
+.row.prepend-top-default.append-bottom-default
+  .col-lg-3
+    %h4.prepend-top-0
+      = page_title
+    %p Keep stable branches secure and force developers to use Merge Requests
+  .col-lg-9
+    %h5.prepend-top-0
+      Protect a branch
+    .account-well.append-bottom-default
+      %p.light-header.append-bottom-0 Protected branches are designed to
+      %ul
+        %li prevent pushes from everybody except #{link_to "masters", help_page_path("permissions", "permissions"), class: "vlink"}
+        %li prevent anyone from force pushing to the branch
+        %li prevent anyone from deleting the branch
+      %p.append-bottom-0 Read more about #{link_to "project permissions", help_page_path("permissions", "permissions"), class: "underlined-link"}
+    - if can? current_user, :admin_project, @project
+      = form_for [@project.namespace.becomes(Namespace), @project, @protected_branch] do |f|
+        = form_errors(@protected_branch)
 
-- if can? current_user, :admin_project, @project
-  = form_for [@project.namespace.becomes(Namespace), @project, @protected_branch], html: { class: 'form-horizontal' } do |f|
-    = form_errors(@protected_branch)
-
-    .form-group
-      = f.label :name, "Branch", class: 'control-label'
-      .col-sm-10
-        = f.select(:name, @project.open_branches.map { |br| [br.name, br.name] } , {include_blank: true}, {class: "select2", data: {placeholder: "Select branch"}})
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :developers_can_push do
-            = f.check_box :developers_can_push
-            %strong Developers can push
-          .help-block Allow developers to push to this branch
-    .form-actions
-      = f.submit 'Protect', class: "btn-create btn"
-= render 'branches_list'
+        .form-group
+          = f.label :name, "Branch", class: "label-light"
+          = f.select(:name, @project.open_branches.map { |br| [br.name, br.name] } , {include_blank: true}, {class: "select2", data: {placeholder: "Select branch"}})
+        .form-group
+          = f.check_box :developers_can_push, class: "pull-left"
+          .prepend-left-20
+            = f.label :developers_can_push, "Developers can push", class: "label-light append-bottom-0"
+            %p.light.append-bottom-0
+              Allow developers to push to this branch
+        = f.submit "Protect", class: "btn-create btn"
+    %hr
+    = render "branches_list"

app/views/projects/triggers/_trigger.html.haml

 %tr
   %td
-    .clearfix
-      %span.monospace= trigger.token
+    %span.monospace= trigger.token
 
   %td
     - if trigger.last_trigger_request
@@ -9,6 +8,5 @@
     - else
       Never
 
-  %td
-    .pull-right
-      = link_to 'Revoke', namespace_project_trigger_path(@project.namespace, @project, trigger), data: { confirm: 'Are you sure?'}, method: :delete, class: "btn btn-danger btn-sm btn-grouped"
+  %td.text-right
+    = link_to 'Revoke', namespace_project_trigger_path(@project.namespace, @project, trigger), data: { confirm: 'Are you sure?'}, method: :delete, class: "btn btn-warning btn-sm"

app/views/projects/triggers/index.html.haml

 - page_title "Triggers"
-%h3.page-title
-  Triggers
 
-%p.light
-  Triggers can be used to force a rebuild of a specific branch or tag with an API call.
+.row.prepend-top-default.append-bottom-default
+  .col-lg-3
+    %h4.prepend-top-0
+      = page_title
+    %p
+      Triggers can be used to force a rebuild of a specific branch or tag with an API call.
+  .col-lg-9
+    %h5.prepend-top-0
+      Your triggers
+    - if @triggers.any?
+      .table-responsive
+        %table.table
+          %thead
+            %th Token
+            %th Last used
+            %th
+          = render partial: 'trigger', collection: @triggers, as: :trigger
+    - else
+      %p.profile-settings-message.text-center.append-bottom-default
+        There are no triggers to use, add one by the button below.
 
-%hr.clearfix
+    = form_for @trigger, url: url_for(controller: 'projects/triggers', action: 'create') do |f|
+      = f.submit "Add Trigger", class: 'btn btn-success'
 
--if @triggers.any?
-  .table-holder
-    %table.table
-      %thead
-        %th Token
-        %th Last used
-        %th
-      = render partial: 'trigger', collection: @triggers, as: :trigger
-- else
-  %h4 No triggers
+    %h5.prepend-top-default
+      Use CURL
 
-= form_for @trigger, url: url_for(controller: 'projects/triggers', action: 'create'), html: { class: 'form-horizontal' } do |f|
-  .clearfix
-    = f.submit "Add Trigger", class: 'btn btn-success pull-right'
+    %p.light
+      Copy the token above and set your branch or tag name. This is the reference that will be rebuild.
 
-%hr.clearfix
 
--if @triggers.any?
-  %h3
-    Use CURL
+    %pre
+      :plain
+        curl -X POST \
+             -F token=TOKEN \
+             -F ref=REF_NAME \
+             #{builds_trigger_url(@project.id)}
+    %h5.prepend-top-default
+      Use .gitlab-ci.yml
 
-  %p.light
-    Copy the token above and set your branch or tag name. This is the reference that will be rebuild.
+    %p.light
+      Copy the snippet to
+      %i .gitlab-ci.yml
+      of dependent project.
+      At the end of your build it will trigger this project to rebuilt.
 
+    %pre
+      :plain
+        trigger:
+          type: deploy
+          script:
+            - "curl -X POST -F token=TOKEN -F ref=REF_NAME #{builds_trigger_url(@project.id)}"
+    %h5.prepend-top-default
+      Pass build variables
 
-  %pre
-    :plain
-      curl -X POST \
-           -F token=TOKEN \
-           -F ref=REF_NAME \
-           #{builds_trigger_url(@project.id)}
-  %h3
-    Use .gitlab-ci.yml
+    %p.light
+      Add
+      %strong variables[VARIABLE]=VALUE
+      to API request.
+      The value of variable could then be used to distinguish triggered build from normal one.
 
-  %p.light
-    Copy the snippet to
-    %i .gitlab-ci.yml
-    of dependent project.
-    At the end of your build it will trigger this project to rebuilt.
-
-  %pre
-    :plain
-      trigger:
-        type: deploy
-        script:
-          - "curl -X POST -F token=TOKEN -F ref=REF_NAME #{builds_trigger_url(@project.id)}"
-  %h3
-    Pass build variables
-
-  %p.light
-    Add
-    %strong variables[VARIABLE]=VALUE
-    to API request.
-    The value of variable could then be used to distinguish triggered build from normal one.
-
-  %pre
-    :plain
-      curl -X POST \
-           -F token=TOKEN \
-           -F "ref=REF_NAME" \
-           -F "variables[RUN_NIGHTLY_BUILD]=true" \
-           #{builds_trigger_url(@project.id)}
+    %pre.append-bottom-0
+      :plain
+        curl -X POST \
+             -F token=TOKEN \
+             -F "ref=REF_NAME" \
+             -F "variables[RUN_NIGHTLY_BUILD]=true" \
+             #{builds_trigger_url(@project.id)}

app/views/shared/_confirm_modal.html.haml

@@ -7,7 +7,7 @@
           Confirmation required
 
       .modal-body
-        %p.cred.lead.js-confirm-text
+        %p.text-danger.js-confirm-text
 
         %p
           %span.js-warning-text

app/views/shared/_file_highlight.html.haml

 .file-content.code.js-syntax-highlight
   .line-numbers
     - if blob.data.present?
+      - link_icon = icon('link')
       - blob.data.each_line.each_with_index do |_, index|
         - offset = defined?(first_line_number) ? first_line_number : 1
         - i = index + offset
         -# We're not using `link_to` because it is too slow once we get to thousands of lines.
         %a.diff-line-num{href: "#L#{i}", id: "L#{i}", 'data-line-number' => i}
-          %i.fa.fa-link
+          = link_icon
           = i
   .blob-content{data: {blob_id: blob.id}}
-    = highlight(blob.name, blob.data)
+    = highlight(blob.name, blob.data, plain: blob.no_highlighting?)

app/views/shared/web_hooks/_form.html.haml

@@ -18,6 +18,11 @@
     = f.label :url, "URL", class: 'control-label'
     .col-sm-10
       = f.text_field :url, class: "form-control", placeholder: 'http://example.com/trigger-ci.json'
+  .form-group
+    = f.label :token, "Secret Token", class: 'label-light'
+    = f.text_field :token, class: "form-control", placeholder: ''
+    %p.help-block
+      Use this token to validate received payloads
   .form-group
     = f.label :url, "Trigger", class: 'control-label'
     .col-sm-10.prepend-top-10

app/views/users/show.html.haml

@@ -69,13 +69,13 @@
           = @user.location
 
     %ul.nav-links.center.user-profile-nav
-      %li.activity-tab
+      %li.js-activity-tab
         = link_to user_calendar_activities_path, data: {target: 'div#activity', action: 'activity', toggle: 'tab'} do
           Activity
-      %li.groups-tab
+      %li.js-groups-tab
         = link_to user_groups_path, data: {target: 'div#groups', action: 'groups', toggle: 'tab'} do
           Groups
-      %li.contributed-tab
+      %li.js-contributed-tab
         = link_to user_contributed_projects_path, data: {target: 'div#contributed', action: 'contributed', toggle: 'tab'} do
           Contributed projects
       %li.projects-tab

app/views/votes/_votes_block.html.haml

@@ -15,16 +15,16 @@
 
 - if current_user
   :javascript
-    var get_emojis_url = "#{emojis_path}";
-    var post_emoji_url = "#{award_toggle_namespace_project_notes_path(@project.namespace, @project)}";
-    var noteable_type = "#{votable.class.name.underscore}";
-    var noteable_id = "#{votable.id}";
+    var getEmojisUrl = "#{emojis_path}";
+    var postEmojiUrl = "#{award_toggle_namespace_project_notes_path(@project.namespace, @project)}";
+    var noteableType = "#{votable.class.name.underscore}";
+    var noteableId = "#{votable.id}";
     var unicodes = #{AwardEmoji.unicode.to_json};
 
-    window.awards_handler = new AwardsHandler(
-      get_emojis_url,
-      post_emoji_url,
-      noteable_type,
-      noteable_id,
+    window.awardsHandler = new AwardsHandler(
+      getEmojisUrl,
+      postEmojiUrl,
+      noteableType,
+      noteableId,
       unicodes
     );

app/workers/repository_check/single_repository_worker.rb

 module RepositoryCheck
   class SingleRepositoryWorker
     include Sidekiq::Worker
-  
+
     sidekiq_options retry: false
-  
+
     def perform(project_id)
       project = Project.find(project_id)
       project.update_columns(
@@ -11,20 +11,32 @@ module RepositoryCheck
         last_repository_check_at: Time.now,
       )
     end
-  
+
     private
-  
+
     def check(project)
-      repositories = [project.repository]
-      repositories << project.wiki.repository if project.wiki_enabled?
-      # Use 'map do', not 'all? do', to prevent short-circuiting
-      repositories.map { |repository| git_fsck(repository.path_to_repo) }.all?
+      if !git_fsck(project.repository)
+        false
+      elsif project.wiki_enabled?
+        # Historically some projects never had their wiki repos initialized;
+        # this happens on project creation now. Let's initialize an empty repo
+        # if it is not already there.
+        begin
+          project.create_wiki
+        rescue Rugged::RepositoryError
+        end
+
+        git_fsck(project.wiki.repository)
+      else
+        true
+      end
     end
-  
-    def git_fsck(path)
+
+    def git_fsck(repository)
+      path = repository.path_to_repo
       cmd = %W(nice git --git-dir=#{path} fsck)
       output, status = Gitlab::Popen.popen(cmd)
-  
+
       if status.zero?
         true
       else

bin/background_jobs

@@ -37,7 +37,7 @@ start_no_deamonize()
 
 start_sidekiq()
 {
-  bundle exec sidekiq -q post_receive -q mailers -q archive_repo -q system_hook -q project_web_hook -q gitlab_shell -q incoming_email -q runner -q common -q pages -q default -q elasticsearch -e $RAILS_ENV -P $sidekiq_pidfile "$@"
+  exec bundle exec sidekiq -q post_receive -q mailers -q archive_repo -q system_hook -q project_web_hook -q gitlab_shell -q incoming_email -q runner -q common -q pages -q default -q elasticsearch -e $RAILS_ENV -P $sidekiq_pidfile "$@"
 }
 
 load_ok()

bin/web

@@ -19,12 +19,12 @@ get_unicorn_pid()
 
 start()
 {
-  $unicorn_cmd -D
+  exec $unicorn_cmd -D
 }
 
 start_foreground()
 {
-  $unicorn_cmd
+  exec $unicorn_cmd
 }
 
 stop()

config/application.rb

@@ -33,7 +33,30 @@ module Gitlab
     config.encoding = "utf-8"
 
     # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters.push(:password, :password_confirmation, :private_token, :otp_attempt, :variables, :import_url)
+    # 
+    # Parameters filtered:
+    # - Password (:password, :password_confirmation)
+    # - Private tokens (:private_token)
+    # - Two-factor tokens (:otp_attempt)
+    # - Repo/Project Import URLs (:import_url)
+    # - Build variables (:variables)
+    # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
+    # - Webhook URLs (:hook)
+    # - Sentry DSN (:sentry_dsn)
+    # - Deploy keys (:key)
+    config.filter_parameters += %i(
+      certificate
+      encrypted_key
+      hook
+      import_url
+      key
+      otp_attempt
+      password
+      password_confirmation
+      private_token
+      sentry_dsn
+      variables
+    )
 
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true