Merge branch 'master' into feature/svg-badge-template

* master: (52 commits)
  remove offending empty line
  Namespace EnableDeployKeyService under Projects
  Update version_sorter and use new interface for faster tag sorting
  Avoid to show the original password field when password is automatically seted
  Support pending invitation project members importing projects
  Added concern for a faster "cache_key" method
  Update templates
  "This file is managed by gitlab-ctl. Manual changes will be erased!"
  Remove legacy Ci::StaticModel we do not use anymore
  Revert "Defend against 'Host' header injection"
  Simplify feature introduction note
  Add migration-related tips to the "Merge Request Guidelines" doc
  Enable Style/SpaceAroundEqualsInParameterDefault cop
  Enable Style/EmptyLinesAroundClassBody cop
  Enable Style/EmptyLinesAroundModuleBody cop
  Ensure we are looking for the right dropdown inside the form wrapper
  Set for for labels and ID for dropdowns on create form
  Fix .panel-title style
  Refine selector for form submit button
  Fix spelling. `braches` to `branches`
  ...

.rubocop.yml

@@ -149,19 +149,19 @@ Style/EmptyLinesAroundAccessModifier:
 
 # Keeps track of empty lines around block bodies.
 Style/EmptyLinesAroundBlockBody:
-  Enabled: false
+  Enabled: true
 
 # Keeps track of empty lines around class bodies.
 Style/EmptyLinesAroundClassBody:
-  Enabled: false
+  Enabled: true
 
 # Keeps track of empty lines around module bodies.
 Style/EmptyLinesAroundModuleBody:
-  Enabled: false
+  Enabled: true
 
 # Keeps track of empty lines around method bodies.
 Style/EmptyLinesAroundMethodBody:
-  Enabled: false
+  Enabled: true
 
 # Avoid the use of END blocks.
 Style/EndBlock:
@@ -373,6 +373,10 @@ Style/SpaceAfterNot:
 Style/SpaceAfterSemicolon:
   Enabled: true
 
+# Use space around equals in parameter default
+Style/SpaceAroundEqualsInParameterDefault:
+  Enabled: true
+
 # Use a space around keywords if appropriate.
 Style/SpaceAroundKeyword:
   Enabled: true

.rubocop_todo.yml

@@ -339,13 +339,6 @@ Style/SingleLineBlockParams:
 Style/SingleLineMethods:
   Enabled: false
 
-# Offense count: 14
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-# SupportedStyles: space, no_space
-Style/SpaceAroundEqualsInParameterDefault:
-  Enabled: false
-
 # Offense count: 119
 # Cop supports --auto-correct.
 # Configuration parameters: EnforcedStyle, SupportedStyles.

CHANGELOG

@@ -6,6 +6,7 @@ v 8.11.0 (unreleased)
   - Fix the title of the toggle dropdown button. !5515 (herminiotorres)
   - Improve diff performance by eliminating redundant checks for text blobs
   - Convert switch icon into icon font (ClemMakesApps)
+  - API: Endpoints for enabling and disabling deploy keys
   - Remove magic comments (`# encoding: UTF-8`) from Ruby files. !5456 (winniehell)
   - Add support for relative links starting with ./ or / to RelativeLinkFilter (winniehell)
   - Ignore URLs starting with // in Markdown links !5677 (winniehell)
@@ -24,21 +25,26 @@ v 8.11.0 (unreleased)
   - Remove unused images (ClemMakesApps)
   - Limit git rev-list output count to one in forced push check
   - Clean up unused routes (Josef Strzibny)
+  - Fix issue on empty project to allow developers to only push to protected branches if given permission
   - Add green outline to New Branch button. !5447 (winniehell)
+  - Optimize generating of cache keys for issues and notes
   - Improve performance of syntax highlighting Markdown code blocks
   - Update to gitlab_git 10.4.1 and take advantage of preserved Ref objects
   - Remove delay when hitting "Reply..." button on page with a lot of discussions
   - Retrieve rendered HTML from cache in one request
   - Fix renaming repository when name contains invalid chararacters under project settings
   - Fix devise deprecation warnings.
+  - Update version_sorter and use new interface for faster tag sorting
   - Optimize checking if a user has read access to a list of issues !5370
   - Nokogiri's various parsing methods are now instrumented
   - Add simple identifier to public SSH keys (muteor)
+  - Admin page now references docs instead of a specific file !5600 (AnAverageHuman)
   - Add a way to send an email and create an issue based on private personal token. Find the email address from issues page. !3363
   - Fix filter input alignment (ClemMakesApps)
   - Include old revision in merge request update hooks (Ben Boeckel)
   - Add build event color in HipChat messages (David Eisner)
   - Make fork counter always clickable. !5463 (winniehell)
+  - Document that webhook secret token is sent in X-Gitlab-Token HTTP header !5664 (lycoperdon)
   - Gitlab::Highlight is now instrumented
   - All created issues, API or WebUI, can be submitted to Akismet for spam check !5333
   - The overhead of instrumented method calls has been reduced
@@ -73,6 +79,9 @@ v 8.11.0 (unreleased)
   - Add description to new_issue email and new_merge_request_email in text/plain content type. !5663 (dixpac)
   - Speed up and reduce memory usage of Commit#repo_changes, Repository#expire_avatar_cache and IrkerWorker
   - Add unfold links for Side-by-Side view. !5415 (Tim Masliuchenko)
+  - Adds support for pending invitation project members importing projects
+  - Update devise initializer to turn on changed password notification emails. !5648 (tombell)
+  - Avoid to show the original password field when password is automatically set. !5712 (duduribeiro)
 
 v 8.10.5 (unreleased)
 

CONTRIBUTING.md

@@ -336,6 +336,10 @@ request is as follows:
 1. If your code creates new files on disk please read the
    [shared files guidelines](doc/development/shared_files.md).
 1. When writing commit messages please follow [these](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) [guidelines](http://chris.beams.io/posts/git-commit/).
+1. If your merge request adds one or more migrations, make sure to execute all
+   migrations on a fresh database before the MR is reviewed. If the review leads
+   to large changes in the MR, do this again once the review is complete.
+1. For more complex migrations, write tests.
 
 The **official merge window** is in the beginning of the month from the 1st to
 the 7th day of the month. This is the best time to submit an MR and get
@@ -461,6 +465,7 @@ merge request:
     - multi-line method chaining style **Option B**: dot `.` on previous line
     - string literal quoting style **Option A**: single quoted by default
 1.  [Rails](https://github.com/bbatsov/rails-style-guide)
+1.  [Newlines styleguide][newlines-styleguide]
 1.  [Testing](doc/development/testing.md)
 1.  [JavaScript (ES6)](https://github.com/airbnb/javascript)
 1.  [JavaScript (ES5)](https://github.com/airbnb/javascript/tree/master/es5)
@@ -533,6 +538,7 @@ available at [http://contributor-covenant.org/version/1/1/0/](http://contributor
 [rss-naming]: https://github.com/bbatsov/ruby-style-guide/blob/master/README.md#naming
 [doc-styleguide]: doc/development/doc_styleguide.md "Documentation styleguide"
 [scss-styleguide]: doc/development/scss_styleguide.md "SCSS styleguide"
+[newlines-styleguide]: doc/development/newlines_styleguide.md "Newlines styleguide"
 [gitlab-design]: https://gitlab.com/gitlab-org/gitlab-design
 [free Antetype viewer (Mac OSX only)]: https://itunes.apple.com/us/app/antetype-viewer/id824152298?mt=12
 [`gitlab8.atype` file]: https://gitlab.com/gitlab-org/gitlab-design/tree/master/current/

Gemfile

@@ -154,7 +154,7 @@ gem 'settingslogic', '~> 2.0.9'
 
 # Misc
 
-gem 'version_sorter', '~> 2.0.0'
+gem 'version_sorter', '~> 2.1.0'
 
 # Cache
 gem 'redis-rails', '~> 4.0.0'

Gemfile.lock

@@ -778,7 +778,7 @@ GEM
     uniform_notifier (1.10.0)
     uuid (2.3.8)
       macaddr (~> 1.0)
-    version_sorter (2.0.0)
+    version_sorter (2.1.0)
     virtus (1.0.5)
       axiom-types (~> 0.1)
       coercible (~> 1.0)
@@ -989,7 +989,7 @@ DEPENDENCIES
   unf (~> 0.1.4)
   unicorn (~> 4.9.0)
   unicorn-worker-killer (~> 0.4.2)
-  version_sorter (~> 2.0.0)
+  version_sorter (~> 2.1.0)
   virtus (~> 1.0.1)
   vmstat (~> 2.1.1)
   web-console (~> 2.0)

app/assets/javascripts/dispatcher.js

@@ -173,8 +173,8 @@
           new Search();
           break;
         case 'projects:protected_branches:index':
-          new ProtectedBranchesAccessSelect($(".new_protected_branch"), false, true);
-          new ProtectedBranchesAccessSelect($(".protected-branches-list"), true, false);
+          new gl.ProtectedBranchCreate();
+          new gl.ProtectedBranchEditList();
           break;
       }
       switch (path.first()) {

app/assets/javascripts/gl_dropdown.js

@@ -607,7 +607,7 @@
       return this.dropdown.before($input);
     };
 
-    GitLabDropdown.prototype.selectRowAtIndex = function(e, index) {
+    GitLabDropdown.prototype.selectRowAtIndex = function(index) {
       var $el, selector;
       selector = ".dropdown-content li:not(.divider,.dropdown-header,.separator):eq(" + index + ") a";
       if (this.dropdown.find(".dropdown-toggle-page").length) {
@@ -615,8 +615,6 @@
       }
       $el = $(selector, this.dropdown);
       if ($el.length) {
-        e.preventDefault();
-        e.stopImmediatePropagation();
         return $el.first().trigger('click');
       }
     };
@@ -653,7 +651,7 @@
             return false;
           }
           if (currentKeyCode === 13 && currentIndex !== -1) {
-            return _this.selectRowAtIndex(e, $('.is-focused', _this.dropdown).closest('li').index() - 1);
+            return _this.selectRowAtIndex($('.is-focused', _this.dropdown).closest('li').index() - 1);
           }
         };
       })(this));

app/assets/javascripts/protected_branch_access_dropdown.js.es6

+(global => {
+  global.gl = global.gl || {};
+
+  gl.ProtectedBranchAccessDropdown = class {
+    constructor(options) {
+      const { $dropdown, data, onSelect } = options;
+
+      $dropdown.glDropdown({
+        data: data,
+        selectable: true,
+        inputId: $dropdown.data('input-id'),
+        fieldName: $dropdown.data('field-name'),
+        toggleLabel(item) {
+          return item.text;
+        },
+        clicked(item, $el, e) {
+          e.preventDefault();
+          onSelect();
+        }
+      });
+    }
+  }
+
+})(window);

app/assets/javascripts/protected_branch_create.js.es6

+(global => {
+  global.gl = global.gl || {};
+
+  gl.ProtectedBranchCreate = class {
+    constructor() {
+      this.$wrap = this.$form = $('#new_protected_branch');
+      this.buildDropdowns();
+    }
+
+    buildDropdowns() {
+      const $allowedToMergeDropdown = this.$wrap.find('.js-allowed-to-merge');
+      const $allowedToPushDropdown = this.$wrap.find('.js-allowed-to-push');
+
+      // Cache callback
+      this.onSelectCallback = this.onSelect.bind(this);
+
+      // Allowed to Merge dropdown
+      new gl.ProtectedBranchAccessDropdown({
+        $dropdown: $allowedToMergeDropdown,
+        data: gon.merge_access_levels,
+        onSelect: this.onSelectCallback
+      });
+
+      // Allowed to Push dropdown
+      new gl.ProtectedBranchAccessDropdown({
+        $dropdown: $allowedToPushDropdown,
+        data: gon.push_access_levels,
+        onSelect: this.onSelectCallback
+      });
+
+      // Select default
+      $allowedToPushDropdown.data('glDropdown').selectRowAtIndex(0);
+      $allowedToMergeDropdown.data('glDropdown').selectRowAtIndex(0);
+
+      // Protected branch dropdown
+      new ProtectedBranchDropdown({
+        $dropdown: this.$wrap.find('.js-protected-branch-select'),
+        onSelect: this.onSelectCallback
+      });
+    }
+
+    // This will run after clicked callback
+    onSelect() {
+
+      // Enable submit button
+      const $branchInput = this.$wrap.find('input[name="protected_branch[name]"]');
+      const $allowedToMergeInput = this.$wrap.find('input[name="protected_branch[merge_access_level_attributes][access_level]"]');
+      const $allowedToPushInput = this.$wrap.find('input[name="protected_branch[push_access_level_attributes][access_level]"]');
+
+      if ($branchInput.val() && $allowedToMergeInput.val() && $allowedToPushInput.val()){
+        this.$form.find('input[type="submit"]').removeAttr('disabled');
+      }
+    }
+  }
+
+})(window);

app/assets/javascripts/protected_branch_dropdown.js.es6

+class ProtectedBranchDropdown {
+  constructor(options) {
+    this.onSelect = options.onSelect;
+    this.$dropdown = options.$dropdown;
+    this.$dropdownContainer = this.$dropdown.parent();
+    this.$dropdownFooter = this.$dropdownContainer.find('.dropdown-footer');
+    this.$protectedBranch = this.$dropdownContainer.find('.create-new-protected-branch');
+
+    this.buildDropdown();
+    this.bindEvents();
+
+    // Hide footer
+    this.$dropdownFooter.addClass('hidden');
+  }
+
+  buildDropdown() {
+    this.$dropdown.glDropdown({
+      data: this.getProtectedBranches.bind(this),
+      filterable: true,
+      remote: false,
+      search: {
+        fields: ['title']
+      },
+      selectable: true,
+      toggleLabel(selected) {
+        return (selected && 'id' in selected) ? selected.title : 'Protected Branch';
+      },
+      fieldName: 'protected_branch[name]',
+      text(protectedBranch) {
+        return _.escape(protectedBranch.title);
+      },
+      id(protectedBranch) {
+        return _.escape(protectedBranch.id);
+      },
+      onFilter: this.toggleCreateNewButton.bind(this),
+      clicked: (item, $el, e) => {
+        e.preventDefault();
+        this.onSelect();
+      }
+    });
+  }
+
+  bindEvents() {
+    this.$protectedBranch.on('click', this.onClickCreateWildcard.bind(this));
+  }
+
+  onClickCreateWildcard() {
+    this.$dropdown.data('glDropdown').remote.execute();
+    this.$dropdown.data('glDropdown').selectRowAtIndex(0);
+  }
+
+  getProtectedBranches(term, callback) {
+    if (this.selectedBranch) {
+      callback(gon.open_branches.concat(this.selectedBranch));
+    } else {
+      callback(gon.open_branches);
+    }
+  }
+
+  toggleCreateNewButton(branchName) {
+    this.selectedBranch = {
+      title: branchName,
+      id: branchName,
+      text: branchName
+    };
+
+    if (branchName) {
+      this.$dropdownContainer
+        .find('.create-new-protected-branch code')
+        .text(branchName);
+    }
+
+    this.$dropdownFooter.toggleClass('hidden', !branchName);
+  }
+}

app/assets/javascripts/protected_branch_edit.js.es6

+(global => {
+  global.gl = global.gl || {};
+
+  gl.ProtectedBranchEdit = class {
+    constructor(options) {
+      this.$wrap = options.$wrap;
+      this.$allowedToMergeDropdown = this.$wrap.find('.js-allowed-to-merge');
+      this.$allowedToPushDropdown = this.$wrap.find('.js-allowed-to-push');
+
+      this.buildDropdowns();
+    }
+
+    buildDropdowns() {
+
+      // Allowed to merge dropdown
+      new gl.ProtectedBranchAccessDropdown({
+        $dropdown: this.$allowedToMergeDropdown,
+        data: gon.merge_access_levels,
+        onSelect: this.onSelect.bind(this)
+      });
+
+      // Allowed to push dropdown
+      new gl.ProtectedBranchAccessDropdown({
+        $dropdown: this.$allowedToPushDropdown,
+        data: gon.push_access_levels,
+        onSelect: this.onSelect.bind(this)
+      });
+    }
+
+    onSelect() {
+      const $allowedToMergeInput = this.$wrap.find(`input[name="${this.$allowedToMergeDropdown.data('fieldName')}"]`);
+      const $allowedToPushInput = this.$wrap.find(`input[name="${this.$allowedToPushDropdown.data('fieldName')}"]`);
+
+      $.ajax({
+        type: 'POST',
+        url: this.$wrap.data('url'),
+        dataType: 'json',
+        data: {
+          _method: 'PATCH',
+          id: this.$wrap.data('banchId'),
+          protected_branch: {
+            merge_access_level_attributes: {
+              access_level: $allowedToMergeInput.val()
+            },
+            push_access_level_attributes: {
+              access_level: $allowedToPushInput.val()
+            }
+          }
+        },
+        success: () => {
+          this.$wrap.effect('highlight');
+        },
+        error() {
+          $.scrollTo(0);
+          new Flash('Failed to update branch!');
+        }
+      });
+    }
+  }
+
+})(window);

app/assets/javascripts/protected_branch_edit_list.js.es6

+(global => {
+  global.gl = global.gl || {};
+
+  gl.ProtectedBranchEditList = class {
+    constructor() {
+      this.$wrap = $('.protected-branches-list');
+
+      // Build edit forms
+      this.$wrap.find('.js-protected-branch-edit-form').each((i, el) => {
+        new gl.ProtectedBranchEdit({
+          $wrap: $(el)
+        });
+      });
+    }
+  }
+
+})(window);

app/assets/javascripts/protected_branch_select.js

-(function() {
-  var bind = function(fn, me){ return function(){ return fn.apply(me, arguments); }; };
-
-  this.ProtectedBranchSelect = (function() {
-    function ProtectedBranchSelect(currentProject) {
-      this.toggleCreateNewButton = bind(this.toggleCreateNewButton, this);
-      this.getProtectedBranches = bind(this.getProtectedBranches, this);
-      $('.dropdown-footer').hide();
-      this.dropdown = $('.js-protected-branch-select').glDropdown({
-        data: this.getProtectedBranches,
-        filterable: true,
-        remote: false,
-        search: {
-          fields: ['title']
-        },
-        selectable: true,
-        toggleLabel: function(selected) {
-          if (selected && 'id' in selected) {
-            return selected.title;
-          } else {
-            return 'Protected Branch';
-          }
-        },
-        fieldName: 'protected_branch[name]',
-        text: function(protected_branch) {
-          return _.escape(protected_branch.title);
-        },
-        id: function(protected_branch) {
-          return _.escape(protected_branch.id);
-        },
-        onFilter: this.toggleCreateNewButton,
-        clicked: function() {
-          return $('.protect-branch-btn').attr('disabled', false);
-        }
-      });
-      $('.create-new-protected-branch').on('click', (function(_this) {
-        return function(event) {
-          _this.dropdown.data('glDropdown').remote.execute();
-          return _this.dropdown.data('glDropdown').selectRowAtIndex(event, 0);
-        };
-      })(this));
-    }
-
-    ProtectedBranchSelect.prototype.getProtectedBranches = function(term, callback) {
-      if (this.selectedBranch) {
-        return callback(gon.open_branches.concat(this.selectedBranch));
-      } else {
-        return callback(gon.open_branches);
-      }
-    };
-
-    ProtectedBranchSelect.prototype.toggleCreateNewButton = function(branchName) {
-      this.selectedBranch = {
-        title: branchName,
-        id: branchName,
-        text: branchName
-      };
-      if (branchName === '') {
-        $('.protected-branch-select-footer-list').addClass('hidden');
-        return $('.dropdown-footer').hide();
-      } else {
-        $('.create-new-protected-branch').text("Create Protected Branch: " + branchName);
-        $('.protected-branch-select-footer-list').removeClass('hidden');
-        return $('.dropdown-footer').show();
-      }
-    };
-
-    return ProtectedBranchSelect;
-
-  })();
-
-}).call(this);

app/assets/javascripts/protected_branches_access_select.js.es6

-class ProtectedBranchesAccessSelect {
-  constructor(container, saveOnSelect, selectDefault) {
-    this.container = container;
-    this.saveOnSelect = saveOnSelect;
-
-    this.container.find(".allowed-to-merge").each((i, element) => {
-      var fieldName = $(element).data('field-name');
-      var dropdown = $(element).glDropdown({
-        data: gon.merge_access_levels,
-        selectable: true,
-        fieldName: fieldName,
-        clicked: _.chain(this.onSelect).partial(element).bind(this).value()
-      });
-
-      if (selectDefault) {
-        dropdown.data('glDropdown').selectRowAtIndex(document.createEvent("Event"), 0);
-      }
-    });
-
-
-    this.container.find(".allowed-to-push").each((i, element) => {
-      var fieldName = $(element).data('field-name');
-      var dropdown = $(element).glDropdown({
-        data: gon.push_access_levels,
-        selectable: true,
-        fieldName: fieldName,
-        clicked: _.chain(this.onSelect).partial(element).bind(this).value()
-      });
-
-      if (selectDefault) {
-        dropdown.data('glDropdown').selectRowAtIndex(document.createEvent("Event"), 0);
-      }
-    });
-  }
-
-  onSelect(dropdown, selected, element, e) {
-    $(dropdown).find('.dropdown-toggle-text').text(selected.text);
-    if (this.saveOnSelect) {
-      return $.ajax({
-        type: "POST",
-        url: $(dropdown).data('url'),
-        dataType: "json",
-        data: {
-          _method: 'PATCH',
-          id: $(dropdown).data('id'),
-          protected_branch: {
-            ["" + ($(dropdown).data('type')) + "_attributes"]: {
-              "access_level": selected.id
-            }
-          }
-        },
-        success: function() {
-          var row;
-          row = $(e.target);
-          return row.closest('tr').effect('highlight');
-        },
-        error: function() {
-          return new Flash("Failed to update branch!", "alert");
-        }
-      });
-    }
-  }
-}

app/assets/javascripts/users_select.js

@@ -13,14 +13,15 @@
       }
       $('.js-user-search').each((function(_this) {
         return function(i, dropdown) {
+          var options = {};
           var $block, $collapsedSidebar, $dropdown, $loading, $selectbox, $value, abilityName, assignTo, assigneeTemplate, collapsedAssigneeTemplate, defaultLabel, firstUser, issueURL, selectedId, showAnyUser, showNullUser;
           $dropdown = $(dropdown);
-          _this.projectId = $dropdown.data('project-id');
-          _this.showCurrentUser = $dropdown.data('current-user');
+          options.projectId = $dropdown.data('project-id');
+          options.showCurrentUser = $dropdown.data('current-user');
           showNullUser = $dropdown.data('null-user');
           showAnyUser = $dropdown.data('any-user');
           firstUser = $dropdown.data('first-user');
-          _this.authorId = $dropdown.data('author-id');
+          options.authorId = $dropdown.data('author-id');
           selectedId = $dropdown.data('selected');
           defaultLabel = $dropdown.data('default-label');
           issueURL = $dropdown.data('issueUpdate');
@@ -75,7 +76,7 @@
             data: function(term, callback) {
               var isAuthorFilter;
               isAuthorFilter = $('.js-author-search');
-              return _this.users(term, function(users) {
+              return _this.users(term, options, function(users) {
                 var anyUser, index, j, len, name, obj, showDivider;
                 if (term.length === 0) {
                   showDivider = 0;
@@ -185,11 +186,14 @@
       $('.ajax-users-select').each((function(_this) {
         return function(i, select) {
           var firstUser, showAnyUser, showEmailUser, showNullUser;
-          _this.projectId = $(select).data('project-id');
-          _this.groupId = $(select).data('group-id');
-          _this.showCurrentUser = $(select).data('current-user');
-          _this.authorId = $(select).data('author-id');
-          _this.skipUsers = $(select).data('skip-users');
+          var options = {};
+          options.skipLdap = $(select).hasClass('skip_ldap');
+          options.projectId = $(select).data('project-id');
+          options.groupId = $(select).data('group-id');
+          options.showCurrentUser = $(select).data('current-user');
+          options.pushCodeToProtectedBranches = $(select).data('push-code-to-protected-branches');
+          options.authorId = $(select).data('author-id');
+          options.skipUsers = $(select).data('skip-users');
           showNullUser = $(select).data('null-user');
           showAnyUser = $(select).data('any-user');
           showEmailUser = $(select).data('email-user');
@@ -199,7 +203,7 @@
             multiple: $(select).hasClass('multiselect'),
             minimumInputLength: 0,
             query: function(query) {
-              return _this.users(query.term, function(users) {
+              return _this.users(query.term, options, function(users) {
                 var anyUser, data, emailUser, index, j, len, name, nullUser, obj, ref;
                 data = {
                   results: users
@@ -309,7 +313,7 @@
       });
     };
 
-    UsersSelect.prototype.users = function(query, callback) {
+    UsersSelect.prototype.users = function(query, options, callback) {
       var url;
       url = this.buildUrl(this.usersPath);
       return $.ajax({
@@ -318,11 +322,13 @@
           search: query,
           per_page: 20,
           active: true,
-          project_id: this.projectId,
-          group_id: this.groupId,
-          current_user: this.showCurrentUser,
-          author_id: this.authorId,
-          skip_users: this.skipUsers
+          project_id: options.projectId || null,
+          group_id: options.groupId || null,
+          skip_ldap: options.skipLdap || null,
+          current_user: options.showCurrentUser || null,
+          push_code_to_protected_branches: options.pushCodeToProtectedBranches || null,
+          author_id: options.authorId || null,
+          skip_users: options.skipUsers || null
         },
         dataType: "json"
       }).done(function(users) {

app/assets/stylesheets/framework/dropdowns.scss

@@ -72,6 +72,14 @@
   &.large {
     width: 200px;
   }
+
+  &.wide {
+    width: 100%;
+
+    + .dropdown-select {
+      width: 100%;
+    }
+  }
 }
 
 .dropdown-menu,

app/assets/stylesheets/framework/panels.scss

@@ -23,4 +23,9 @@
       margin-top: $gl-padding;
     }
   }
+
+  .panel-title {
+    font-size: inherit;
+    line-height: inherit;
+  }
 }

app/assets/stylesheets/pages/projects.scss

@@ -656,13 +656,9 @@ pre.light-well {
 }
 
 .new_protected_branch {
-  .dropdown {
-    display: inline;
-    margin-left: 15px;
-  }
-
   label {
-    min-width: 120px;
+    margin-top: 6px;
+    font-weight: normal;
   }
 }
 
@@ -678,6 +674,21 @@ pre.light-well {
       font-weight: 600;
     }
   }
+
+  .settings-message {
+    margin: 0;
+    border-radius: 0 0 1px 1px;
+    padding: 20px 0;
+    border: none;
+  }
+
+  .table-bordered {
+    border-radius: 1px;
+
+    th:not(:last-child), td:not(:last-child) {
+      border-right: solid 1px transparent;
+    }
+  }
 }
 
 .custom-notifications-form {

app/controllers/profiles/passwords_controller.rb

@@ -50,6 +50,7 @@ class Profiles::PasswordsController < Profiles::ApplicationController
       flash[:notice] = "Password was successfully updated. Please login with it"
       redirect_to new_user_session_path
     else
+      @user.reload
       render 'edit'
     end
   end

app/controllers/projects/deploy_keys_controller.rb

@@ -12,8 +12,7 @@ class Projects::DeployKeysController < Projects::ApplicationController
   end
 
   def new
-    redirect_to namespace_project_deploy_keys_path(@project.namespace,
-                                                   @project)
+    redirect_to namespace_project_deploy_keys_path(@project.namespace, @project)
   end
 
   def create
@@ -21,19 +20,16 @@ class Projects::DeployKeysController < Projects::ApplicationController
     set_index_vars
 
     if @key.valid? && @project.deploy_keys << @key
-      redirect_to namespace_project_deploy_keys_path(@project.namespace,
-                                                     @project)
+      redirect_to namespace_project_deploy_keys_path(@project.namespace, @project)
     else
       render "index"
     end
   end
 
   def enable
-    @key = accessible_keys.find(params[:id])
-    @project.deploy_keys << @key
+    Projects::EnableDeployKeyService.new(@project, current_user, params).execute
 
-    redirect_to namespace_project_deploy_keys_path(@project.namespace,
-                                                   @project)
+    redirect_to namespace_project_deploy_keys_path(@project.namespace, @project)
   end
 
   def disable
@@ -45,9 +41,9 @@ class Projects::DeployKeysController < Projects::ApplicationController
   protected
 
   def set_index_vars
-    @enabled_keys ||= @project.deploy_keys
+    @enabled_keys           ||= @project.deploy_keys
 
-    @available_keys         ||= accessible_keys - @enabled_keys
+    @available_keys         ||= current_user.accessible_deploy_keys - @enabled_keys
     @available_project_keys ||= current_user.project_deploy_keys - @enabled_keys
     @available_public_keys  ||= DeployKey.are_public - @enabled_keys
 
@@ -56,10 +52,6 @@ class Projects::DeployKeysController < Projects::ApplicationController
     @available_public_keys -= @available_project_keys
   end
 
-  def accessible_keys
-    @accessible_keys ||= current_user.accessible_deploy_keys
-  end
-
   def deploy_key_params
     params.require(:deploy_key).permit(:key, :title)
   end

app/controllers/projects/git_http_controller.rb

@@ -20,9 +20,9 @@ class Projects::GitHttpController < Projects::ApplicationController
     elsif receive_pack? && receive_pack_allowed?
       render_ok
     elsif http_blocked?
-      render_not_allowed
+      render_http_not_allowed
     else
-      render_not_found
+      render_denied
     end
   end
 
@@ -31,7 +31,7 @@ class Projects::GitHttpController < Projects::ApplicationController
     if upload_pack? && upload_pack_allowed?
       render_ok
     else
-      render_not_found
+      render_denied
     end
   end
 
@@ -40,7 +40,7 @@ class Projects::GitHttpController < Projects::ApplicationController
     if receive_pack? && receive_pack_allowed?
       render_ok
     else
-      render_not_found
+      render_denied
     end
   end
 
@@ -156,8 +156,17 @@ class Projects::GitHttpController < Projects::ApplicationController
     render plain: 'Not Found', status: :not_found
   end
 
-  def render_not_allowed
-    render plain: download_access.message, status: :forbidden
+  def render_http_not_allowed
+    render plain: access_check.message, status: :forbidden
+  end
+
+  def render_denied
+    if user && user.can?(:read_project, project)
+      render plain: 'Access denied', status: :forbidden
+    else
+      # Do not leak information about project existence
+      render_not_found
+    end
   end
 
   def ci?
@@ -168,22 +177,20 @@ class Projects::GitHttpController < Projects::ApplicationController
     return false unless Gitlab.config.gitlab_shell.upload_pack
 
     if user
-      download_access.allowed?
+      access_check.allowed?
     else
       ci? || project.public?
     end
   end
 
   def access
-    return @access if defined?(@access)
-
-    @access = Gitlab::GitAccess.new(user, project, 'http')
+    @access ||= Gitlab::GitAccess.new(user, project, 'http')
   end
 
-  def download_access
-    return @download_access if defined?(@download_access)
-
-    @download_access = access.check('git-upload-pack')
+  def access_check
+    # Use the magic string '_any' to indicate we do not know what the
+    # changes are. This is also what gitlab-shell does.
+    @access_check ||= access.check(git_command, '_any')
   end
 
   def http_blocked?
@@ -193,8 +200,6 @@ class Projects::GitHttpController < Projects::ApplicationController
   def receive_pack_allowed?
     return false unless Gitlab.config.gitlab_shell.receive_pack
 
-    # Skip user authorization on upload request.
-    # It will be done by the pre-receive hook in the repository.
-    user.present?
+    access_check.allowed?
   end
 end

app/controllers/registrations_controller.rb

@@ -33,7 +33,7 @@ class RegistrationsController < Devise::RegistrationsController
 
   protected
 
-  def build_resource(hash=nil)
+  def build_resource(hash = nil)
     super
   end
 

app/helpers/avatars_helper.rb

 module AvatarsHelper
-
   def author_avatar(commit_or_event, options = {})
     user_avatar(options.merge({
       user: commit_or_event.author,
@@ -26,5 +25,4 @@ module AvatarsHelper
       mail_to(options[:user_email], avatar)
     end
   end
-
 end

app/helpers/explore_helper.rb

 module ExploreHelper
-  def filter_projects_path(options={})
+  def filter_projects_path(options = {})
     exist_opts = {
       sort: params[:sort],
       scope: params[:scope],

app/helpers/search_helper.rb

@@ -107,7 +107,7 @@ module SearchHelper
     Sanitize.clean(str)
   end
 
-  def search_filter_path(options={})
+  def search_filter_path(options = {})
     exist_opts = {
       search: params[:search],
       project_id: params[:project_id],

app/models/concerns/faster_cache_keys.rb

+module FasterCacheKeys
+  # A faster version of Rails' "cache_key" method.
+  #
+  # Rails' default "cache_key" method uses all kind of complex logic to figure
+  # out the cache key. In many cases this complexity and overhead may not be
+  # needed.
+  #
+  # This method does not do any timestamp parsing as this process is quite
+  # expensive and not needed when generating cache keys. This method also relies
+  # on the table name instead of the cache namespace name as the latter uses
+  # complex logic to generate the exact same value (as when using the table
+  # name) in 99% of the cases.
+  def cache_key
+    "#{self.class.table_name}/#{id}-#{read_attribute_before_type_cast(:updated_at)}"
+  end
+end

app/models/issue.rb

@@ -7,6 +7,7 @@ class Issue < ActiveRecord::Base
   include Sortable
   include Taskable
   include Spammable
+  include FasterCacheKeys
 
   DueDateStruct = Struct.new(:title, :name).freeze
   NoDueDate     = DueDateStruct.new('No Due Date', '0').freeze

app/models/merge_request_diff.rb

@@ -36,7 +36,7 @@ class MergeRequestDiff < ActiveRecord::Base
     real_size.presence || raw_diffs.size
   end
 
-  def raw_diffs(options={})
+  def raw_diffs(options = {})
     if options[:ignore_whitespace_change]
       @raw_diffs_no_whitespace ||= begin
         compare = Gitlab::Git::Compare.new(

app/models/note.rb

@@ -5,6 +5,7 @@ class Note < ActiveRecord::Base
   include Mentionable
   include Awardable
   include Importable
+  include FasterCacheKeys
 
   # Attribute containing rendered and redacted Markdown as generated by
   # Banzai::ObjectRenderer.

app/models/project.rb

@@ -865,10 +865,16 @@ class Project < ActiveRecord::Base
 
   # Check if current branch name is marked as protected in the system
   def protected_branch?(branch_name)
+    return true if empty_repo? && default_branch_protected?
+
     @protected_branches ||= self.protected_branches.to_a
     ProtectedBranch.matching(branch_name, protected_branches: @protected_branches).present?
   end
 
+  def user_can_push_to_empty_repo?(user)
+    !default_branch_protected? || team.max_member_access(user.id) > Gitlab::Access::DEVELOPER
+  end
+
   def forked?
     !(forked_project_link.nil? || forked_project_link.forked_from_project.nil?)
   end
@@ -1260,6 +1266,11 @@ class Project < ActiveRecord::Base
 
   private
 
+  def default_branch_protected?
+    current_application_settings.default_branch_protection == Gitlab::Access::PROTECTION_FULL ||
+      current_application_settings.default_branch_protection == Gitlab::Access::PROTECTION_DEV_CAN_MERGE
+  end
+
   def authorized_for_user_by_group?(user, min_access_level)
     member = user.group_members.find_by(source_id: group)
 

app/models/repository.rb

@@ -601,7 +601,7 @@ class Repository
     commit(sha)
   end
 
-  def next_branch(name, opts={})
+  def next_branch(name, opts = {})
     branch_ids = self.branch_names.map do |n|
       next 1 if n == name
       result = n.match(/\A#{name}-([0-9]+)\z/)
@@ -636,9 +636,7 @@ class Repository
   def tags_sorted_by(value)
     case value
     when 'name'
-      # Would be better to use `sort_by` but `version_sorter` only exposes
-      # `sort` and `rsort`
-      VersionSorter.rsort(tag_names).map { |tag_name| find_tag(tag_name) }
+      VersionSorter.rsort(tags) { |tag| tag.name }
     when 'updated_desc'
       tags_sorted_by_committed_date.reverse
     when 'updated_asc'

app/services/projects/enable_deploy_key_service.rb

+module Projects
+  class EnableDeployKeyService < BaseService
+    def execute
+      key = accessible_keys.find_by(id: params[:key_id] || params[:id])
+      return unless key
+
+      project.deploy_keys << key
+      key
+    end
+
+    private
+
+    def accessible_keys
+      current_user.accessible_deploy_keys
+    end
+  end
+end

app/views/admin/application_settings/_form.html.haml

@@ -366,7 +366,9 @@
       .col-sm-10
         = f.select :repository_storage, repository_storage_options_for_select, {}, class: 'form-control'
         .help-block
-          You can manage the repository storage paths in your gitlab.yml configuration file
+          Manage repository storage paths. Learn more in the
+          = succeed "." do
+            = link_to "repository storages documentation", help_page_path("administration/repository_storages")
 
   %fieldset
     %legend Repository Checks

app/views/projects/protected_branches/_branches_list.html.haml

-%h5.prepend-top-0
-  Already Protected (#{@protected_branches.size})
-- if @protected_branches.empty?
-  %p.settings-message.text-center
-    No branches are protected, protect a branch with the form above.
-- else
-  - can_admin_project = can?(current_user, :admin_project, @project)
+.panel.panel-default.protected-branches-list
+  - if @protected_branches.empty?
+    .panel-heading
+      %h3.panel-title
+        Protected branch (#{@protected_branches.size})
+    %p.settings-message.text-center
+      There are currently no protected branches, protect a branch with the form above.
+  - else
+    - can_admin_project = can?(current_user, :admin_project, @project)
 
-  %table.table.protected-branches-list
-    %colgroup
-      %col{ width: "20%" }
-      %col{ width: "30%" }
-      %col{ width: "25%" }
-      %col{ width: "25%" }
-    %thead
-      %tr
-        %th Branch
-        %th Last commit
-        %th Allowed to merge
-        %th Allowed to push
-        - if can_admin_project
-          %th
-    %tbody
-      = render partial: @protected_branches, locals: { can_admin_project: can_admin_project }
+    %table.table.table-bordered
+      %colgroup
+        %col{ width: "25%" }
+        %col{ width: "30%" }
+        %col{ width: "25%" }
+        %col{ width: "20%" }
+      %thead
+        %tr
+          %th Protected branch (#{@protected_branches.size})
+          %th Last commit
+          %th Allowed to merge
+          %th Allowed to push
+          - if can_admin_project
+            %th
+      %tbody
+        = render partial: @protected_branches, locals: { can_admin_project: can_admin_project }
 
-  = paginate @protected_branches, theme: 'gitlab'
+    = paginate @protected_branches, theme: 'gitlab'

app/views/projects/protected_branches/_create_protected_branch.html.haml

+= form_for [@project.namespace.becomes(Namespace), @project, @protected_branch] do |f|
+  .panel.panel-default
+    .panel-heading
+      %h3.panel-title
+        Protect a branch
+    .panel-body
+      .form-horizontal
+        .form-group
+          = f.label :name, class: 'col-md-2 text-right' do
+            Branch:
+          .col-md-10
+            = render partial: "dropdown", locals: { f: f }
+            .help-block
+              = link_to 'Wildcards', help_page_path('user/project/protected_branches', anchor: 'wildcard-protected-branches')
+              such as
+              %code *-stable
+              or
+              %code production/*
+              are supported
+        .form-group
+          %label.col-md-2.text-right{ for: 'merge_access_level_attributes' }
+            Allowed to merge:
+          .col-md-10
+            = dropdown_tag('Select',
+                           options: { toggle_class: 'js-allowed-to-merge wide',
+                           data: { field_name: 'protected_branch[merge_access_level_attributes][access_level]', input_id: 'merge_access_level_attributes' }})
+        .form-group
+          %label.col-md-2.text-right{ for: 'push_access_level_attributes' }
+            Allowed to push:
+          .col-md-10
+            = dropdown_tag('Select',
+                           options: { toggle_class: 'js-allowed-to-push wide',
+                           data: { field_name: 'protected_branch[push_access_level_attributes][access_level]', input_id: 'push_access_level_attributes' }})
+
+    .panel-footer
+      = f.submit 'Protect', class: 'btn-create btn', disabled: true

app/views/projects/protected_branches/_dropdown.html.haml

 = f.hidden_field(:name)
 
-= dropdown_tag("Protected Branch",
-               options: { title: "Pick protected branch", toggle_class: 'js-protected-branch-select js-filter-submit',
+= dropdown_tag('Select branch or create wildcard',
+               options: { toggle_class: 'js-protected-branch-select js-filter-submit wide',
                           filter: true, dropdown_class: "dropdown-menu-selectable", placeholder: "Search protected branches",
                           footer_content: true,
                           data: { show_no: true, show_any: true, show_upcoming: true,
                                   selected: params[:protected_branch_name],
                                   project_id: @project.try(:id) } }) do
 
-  %ul.dropdown-footer-list.hidden.protected-branch-select-footer-list
+  %ul.dropdown-footer-list
     %li
       = link_to '#', title: "New Protected Branch", class: "create-new-protected-branch" do
-        Create new
-
-:javascript
-  new ProtectedBranchSelect();
+        Create wildcard
+        %code

app/views/projects/protected_branches/_protected_branch.html.haml

-- url = namespace_project_protected_branch_path(@project.namespace, @project, protected_branch)
-%tr
+%tr.js-protected-branch-edit-form{ data: { url: namespace_project_protected_branch_path(@project.namespace, @project, protected_branch), branch_id: protected_branch.id } }
   %td
     = protected_branch.name
     - if @project.root_ref?(protected_branch.name)
@@ -16,14 +15,14 @@
         (branch was removed from repository)
   %td
     = hidden_field_tag "allowed_to_merge_#{protected_branch.id}", protected_branch.merge_access_level.access_level
-    = dropdown_tag(protected_branch.merge_access_level.humanize,
-                   options: { title: "Allowed to merge", toggle_class: 'allowed-to-merge', dropdown_class: 'dropdown-menu-selectable merge',
-                   data: { field_name: "allowed_to_merge_#{protected_branch.id}", url: url, id: protected_branch.id, type: "merge_access_level" }})
+    = dropdown_tag( (protected_branch.merge_access_level.humanize || 'Select') ,
+                   options: { toggle_class: 'js-allowed-to-merge', dropdown_class: 'dropdown-menu-selectable js-allowed-to-merge-container',
+                   data: { field_name: "allowed_to_merge_#{protected_branch.id}" }})
   %td
     = hidden_field_tag "allowed_to_push_#{protected_branch.id}", protected_branch.push_access_level.access_level
-    = dropdown_tag(protected_branch.push_access_level.humanize,
-                   options: { title: "Allowed to push", toggle_class: 'allowed-to-push', dropdown_class: 'dropdown-menu-selectable push',
-                   data: { field_name: "allowed_to_push_#{protected_branch.id}", url: url, id: protected_branch.id, type: "push_access_level" }})
+    = dropdown_tag( (protected_branch.push_access_level.humanize || 'Select') ,
+                   options: { toggle_class: 'js-allowed-to-push', dropdown_class: 'dropdown-menu-selectable js-allowed-to-push-container',
+                   data: { field_name: "allowed_to_push_#{protected_branch.id}" }})
   - if can_admin_project
     %td
-      = link_to 'Unprotect', [@project.namespace.becomes(Namespace), @project, protected_branch], data: { confirm: 'Branch will be writable for developers. Are you sure?' }, method: :delete, class: "btn btn-warning btn-sm pull-right"
+      = link_to 'Unprotect', [@project.namespace.becomes(Namespace), @project, protected_branch], data: { confirm: 'Branch will be writable for developers. Are you sure?' }, method: :delete, class: 'btn btn-warning'

app/views/projects/protected_branches/index.html.haml

@@ -14,41 +14,7 @@
         %li prevent <strong>anyone</strong> from deleting the branch
       %p.append-bottom-0 Read more about #{link_to "protected branches", help_page_path("user/project/protected_branches"), class: "underlined-link"} and #{link_to "project permissions", help_page_path("user/permissions"), class: "underlined-link"}.
   .col-lg-9
-    %h5.prepend-top-0
-      Protect a branch
     - if can? current_user, :admin_project, @project
-      = form_for [@project.namespace.becomes(Namespace), @project, @protected_branch] do |f|
-        = form_errors(@protected_branch)
+      = render 'create_protected_branch'
 
-        .form-group
-          = f.label :name, "Branch", class: "label-light"
-          = render partial: "dropdown", locals: { f: f }
-          %p.help-block
-            = link_to "Wildcards", help_page_path('user/project/protected_branches', anchor: "wildcard-protected-branches")
-            such as
-            %code *-stable
-            or
-            %code production/*
-            are supported.
-
-        .form-group
-          = hidden_field_tag 'protected_branch[merge_access_level_attributes][access_level]'
-          = label_tag "Allowed to merge: ", nil, class: "label-light append-bottom-0"
-          = dropdown_tag("<Make a selection>",
-                         options: { title: "Allowed to merge", toggle_class: 'allowed-to-merge',
-                                    dropdown_class: 'dropdown-menu-selectable',
-                                    data: { field_name: "protected_branch[merge_access_level_attributes][access_level]" }})
-
-        .form-group
-          = hidden_field_tag 'protected_branch[push_access_level_attributes][access_level]'
-          = label_tag "Allowed to push: ", nil, class: "label-light append-bottom-0"
-          = dropdown_tag("<Make a selection>",
-                         options: { title: "Allowed to push", toggle_class: 'allowed-to-push',
-                                    dropdown_class: 'dropdown-menu-selectable',
-                                    data: { field_name: "protected_branch[push_access_level_attributes][access_level]" }})
-
-
-        = f.submit "Protect", class: "btn-create btn protect-branch-btn", disabled: true
-
-    %hr
     = render "branches_list"

app/views/shared/web_hooks/_form.html.haml

@@ -19,7 +19,7 @@
         = f.label :token, "Secret Token", class: 'label-light'
         = f.text_field :token, class: "form-control", placeholder: ''
         %p.help-block
-          Use this token to validate received payloads
+          Use this token to validate received payloads. It will be sent with the request in the X-Gitlab-Token HTTP header.
       .form-group
         = f.label :url, "Trigger", class: 'label-light'
         %ul.list-unstyled

app/workers/post_receive.rb

@@ -10,6 +10,10 @@ class PostReceive
       log("Check gitlab.yml config for correct repositories.storages values. No repository storage path matches \"#{repo_path}\"")
     end
 
+    changes = Base64.decode64(changes) unless changes.include?(' ')
+    # Use Sidekiq.logger so arguments can be correlated with execution
+    # time and thread ID's.
+    Sidekiq.logger.info "changes: #{changes.inspect}" if ENV['SIDEKIQ_LOG_ARGUMENTS']
     post_received = Gitlab::GitPostReceive.new(repo_path, identifier, changes)
 
     if post_received.project.nil?

config/initializers/devise.rb

@@ -100,6 +100,9 @@ Devise.setup do |config|
   # secure: true in order to force SSL only cookies.
   # config.cookie_options = {}
 
+  # Send a notification email when the user's password is changed
+  config.send_password_change_notification = true
+
   # ==> Configuration for :validatable
   # Range for password length. Default is 6..128.
   config.password_length = 8..128

doc/administration/container_registry.md

 # GitLab Container Registry Administration
 
-> **Note:**
-This feature was [introduced][ce-4040] in GitLab 8.8.
+> [Introduced][ce-4040] in GitLab 8.8.
 
 With the Docker Container Registry integrated into GitLab, every project can
 have its own space to store its Docker images.

doc/administration/custom_hooks.md

@@ -44,8 +44,7 @@ as appropriate.
 
 ## Custom error messages
 
->**Note:**
-This feature was [introduced][5073] in GitLab 8.10.
+> [Introduced][5073] in GitLab 8.10.
 
 If the commit is declined or an error occurs during the Git hook check,
 the STDERR or STDOUT message of the hook will be present in GitLab's UI.

doc/administration/housekeeping.md

 # Housekeeping
 
-_**Note:** This feature was [introduced][ce-2371] in GitLab 8.4_
+> [Introduced][ce-2371] in GitLab 8.4.
 
 ---
 

doc/administration/raketasks/project_import_export.md

 # Project import/export
 
 >**Note:**
-  - This feature was [introduced][ce-3050] in GitLab 8.9
-  - Importing will not be possible if the import instance version is lower
-    than that of the exporter.
-  - For existing installations, the project import option has to be enabled in
-    application settings (`/admin/application_settings`) under 'Import sources'.
-  - The exports are stored in a temporary [shared directory][tmp] and are deleted
-    every 24 hours by a specific worker.
+>
+>  - [Introduced][ce-3050] in GitLab 8.9.
+>  - Importing will not be possible if the import instance version is lower
+>    than that of the exporter.
+>  - For existing installations, the project import option has to be enabled in
+>    application settings (`/admin/application_settings`) under 'Import sources'.
+>  - The exports are stored in a temporary [shared directory][tmp] and are deleted
+>    every 24 hours by a specific worker.
 
 The GitLab Import/Export version can be checked by using:
 

doc/administration/repository_checks.md

 # Repository checks
 
->**Note:**
-This feature was [introduced][ce-3232] in GitLab 8.7. It is OFF by
-default because it still causes too many false alarms.
+> [Introduced][ce-3232] in GitLab 8.7. It is OFF by default because it still
+causes too many false alarms.
 
 Git has a built-in mechanism, [git fsck][git-fsck], to verify the
 integrity of all data committed to a repository. GitLab administrators

doc/api/README.md

@@ -81,7 +81,7 @@ Read more about [GitLab as an OAuth2 client](oauth2.md).
 
 ### Personal Access Tokens
 
-> **Note:** This feature was [introduced][ce-3749] in GitLab 8.8
+> [Introduced][ce-3749] in GitLab 8.8.
 
 You can create as many personal access tokens as you like from your GitLab
 profile (`/profile/personal_access_tokens`); perhaps one for each application

doc/api/award_emoji.md

 # Award Emoji
 
- >**Note:** This feature was introduced in GitLab 8.9
+> [Introduced][ce-4575] in GitLab 8.9.
 
 An awarded emoji tells a thousand words, and can be awarded on issues, merge
 requests and notes/comments. Issues, merge requests and notes are further called
@@ -365,3 +365,5 @@ Example Response:
   "awardable_type": "Note"
 }
 ```
+
+[ce-4575]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4575

doc/api/deploy_keys.md

@@ -159,3 +159,51 @@ Example response:
    "id" : 13
 }
 ```
+
+## Enable a deploy key
+
+Enables a deploy key for a project so this can be used. Returns the enabled key, with a status code 201 when successful.
+
+```bash
+curl -X POST -H "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v3/projects/5/deploy_keys/13/enable
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer | yes | The ID of the project |
+| `key_id`  | integer | yes | The ID of the deploy key |
+
+Example response:
+
+```json
+{
+   "key" : "ssh-rsa AAAA...",
+   "id" : 12,
+   "title" : "My deploy key",
+   "created_at" : "2015-08-29T12:44:31.550Z"
+}
+```
+
+## Disable a deploy key
+
+Disable a deploy key for a project. Returns the disabled key.
+
+```bash
+curl -X DELETE -H "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v3/projects/5/deploy_keys/13/disable
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer | yes | The ID of the project |
+| `key_id`  | integer | yes | The ID of the deploy key |
+
+Example response:
+
+```json
+{
+   "key" : "ssh-rsa AAAA...",
+   "id" : 12,
+   "title" : "My deploy key",
+   "created_at" : "2015-08-29T12:44:31.550Z"
+}
+```

doc/api/todos.md

 # Todos
 
-**Note:** This feature was [introduced][ce-3188] in GitLab 8.10
+> [Introduced][ce-3188] in GitLab 8.10.
 
 ## Get a list of todos
 

doc/ci/triggers/README.md

 # Triggering Builds through the API
 
-_**Note:** This feature was [introduced][ci-229] in GitLab CE 7.14_
+> [Introduced][ci-229] in GitLab CE 7.14.
 
 Triggers can be used to force a rebuild of a specific branch, tag or commit,
 with an API call.

doc/container_registry/README.md

 # GitLab Container Registry
 
-> **Note:**
-This feature was [introduced][ce-4040] in GitLab 8.8. Docker Registry manifest
-v1 support was added in GitLab 8.9 to support Docker versions earlier than 1.10.
+> [Introduced][ce-4040] in GitLab 8.8. Docker Registry manifest
+`v1` support was added in GitLab 8.9 to support Docker versions earlier than 1.10.
 
 > **Note:**
 This document is about the user guide. To learn how to enable GitLab Container

doc/development/doc_styleguide.md

@@ -155,15 +155,15 @@ Inside the document:
 
 - Every piece of documentation that comes with a new feature should declare the
   GitLab version that feature got introduced. Right below the heading add a
-  note: `>**Note:** This feature was introduced in GitLab 8.3`
+  note: `> Introduced in GitLab 8.3.`.
 - If possible every feature should have a link to the MR that introduced it.
   The above note would be then transformed to:
-  `>**Note:** This feature was [introduced][ce-1242] in GitLab 8.3`, where
+  `> [Introduced][ce-1242] in GitLab 8.3.`, where
   the [link identifier](#links) is named after the repository (CE) and the MR
-  number
+  number.
 - If the feature is only in GitLab EE, don't forget to mention it, like:
-  `>**Note:** This feature was introduced in GitLab EE 8.3`. Otherwise, leave
-  this mention out
+  `> Introduced in GitLab EE 8.3.`. Otherwise, leave
+  this mention out.
 
 ## References
 

doc/development/newlines_styleguide.md

+# Newlines styleguide
+
+This style guide recommends best practices for newlines in Ruby code.
+
+## Rule: separate code with newlines only when it makes sense from logic perspectice
+
+```ruby
+# bad
+def method
+  issue = Issue.new
+
+  issue.save
+  
+  render json: issue 
+end
+```
+
+```ruby
+# good
+def method
+  issue = Issue.new
+  issue.save
+  
+  render json: issue 
+end
+```
+
+## Rule: separate code and block with newlines
+
+### Newline before block
+
+```ruby
+# bad
+def method
+  issue = Issue.new
+  if issue.save
+    render json: issue
+  end
+end
+```
+
+```ruby
+# good
+def method
+  issue = Issue.new
+
+  if issue.save
+    render json: issue
+  end
+end
+```
+
+## Newline after block
+
+```ruby
+# bad
+def method
+  if issue.save
+    issue.send_email
+  end
+  render json: issue
+end
+```
+
+```ruby
+# good
+def method
+  if issue.save
+    issue.send_email
+  end
+
+  render json: issue
+end
+```
+
+### Exception: no need for newline when code block starts or ends right inside another code block
+
+```ruby
+# bad
+def method
+
+  if issue
+
+    if issue.valid?
+      issue.save
+    end
+
+  end
+
+end
+```
+
+```ruby
+# good
+def method
+  if issue
+    if issue.valid?
+      issue.save
+    end
+  end
+end
+```

doc/monitoring/health_check.md

 # Health Check
 
->**Note:** This feature was [introduced][ce-3888] in GitLab 8.8.
+> [Introduced][ce-3888] in GitLab 8.8.
 
 GitLab provides a health check endpoint for uptime monitoring on the `health_check` web
 endpoint. The health check reports on the overall system status based on the status of

doc/user/project/labels.md

@@ -46,10 +46,11 @@ When you are ready press the **Create label** button to create the new label.
 ## Prioritize labels
 
 >**Notes:**
- - This feature was introduced in GitLab 8.9.
- - Priority sorting is based on the highest priority label only. This might
-   change in the future, follow the discussion in
-   https://gitlab.com/gitlab-org/gitlab-ce/issues/18554.
+>
+> - Introduced in GitLab 8.9.
+> - Priority sorting is based on the highest priority label only. This might
+>   change in the future, follow the discussion in
+>   https://gitlab.com/gitlab-org/gitlab-ce/issues/18554.
 
 Prioritized labels are like any other label, but sorted by priority. This allows
 you to sort issues and merge requests by priority.
@@ -87,8 +88,7 @@ important.
 
 ## Create a new label right from the issue tracker
 
->**Note:**
-This feature was introduced in GitLab 8.6.
+> Introduced in GitLab 8.6.
 
 There are times when you are already in the issue tracker searching for a
 label, only to realize it doesn't exist. Instead of going to the **Labels**

doc/user/project/protected_branches.md

@@ -47,8 +47,7 @@ creation.
 
 ## Wildcard protected branches
 
->**Note:**
-This feature was [introduced][ce-4665] in GitLab 8.10.
+> [Introduced][ce-4665] in GitLab 8.10.
 
 You can specify a wildcard protected branch, which will protect all branches
 matching the wildcard. For example:

doc/user/project/settings/import_export.md

 # Project import/export
 
 >**Notes:**
-  - This feature was [introduced][ce-3050] in GitLab 8.9
-  - Importing will not be possible if the import instance version is lower
-    than that of the exporter.
-  - For existing installations, the project import option has to be enabled in
-    application settings (`/admin/application_settings`) under 'Import sources'.
-    Ask your administrator if you don't see the **GitLab export** button when
-    creating a new project.
-  - You can find some useful raketasks if you are an administrator in the
-    [import_export](../../../administration/raketasks/project_import_export.md)
-    raketask.
-  - The exports are stored in a temporary [shared directory][tmp] and are deleted
-    every 24 hours by a specific worker.
+>
+>  - [Introduced][ce-3050] in GitLab 8.9.
+>  - Importing will not be possible if the import instance version is lower
+>    than that of the exporter.
+>  - For existing installations, the project import option has to be enabled in
+>    application settings (`/admin/application_settings`) under 'Import sources'.
+>    Ask your administrator if you don't see the **GitLab export** button when
+>    creating a new project.
+>  - You can find some useful raketasks if you are an administrator in the
+>    [import_export](../../../administration/raketasks/project_import_export.md)
+>    raketask.
+>  - The exports are stored in a temporary [shared directory][tmp] and are deleted
+>    every 24 hours by a specific worker.
 
 Existing projects running on any GitLab instance or GitLab.com can be exported
 with all their related data and be moved into a new GitLab instance.

doc/web_hooks/web_hooks.md

@@ -26,6 +26,10 @@ GitLab webhooks keep in mind the following things:
     you are writing a low-level hook this is important to remember.
 -   GitLab ignores the HTTP status code returned by your endpoint.
 
+## Secret Token
+
+If you specify a secret token, it will be sent with the hook request in the `X-Gitlab-Token` HTTP header. Your webhook endpoint can check that to verify that the request is legitimate.
+
 ## SSL Verification
 
 By default, the SSL certificate of the webhook endpoint is verified based on

doc/workflow/award_emoji.md

 # Award emoji
 
 >**Note:**
-This feature was [introduced][1825] in GitLab 8.2.
+[Introduced][1825] in GitLab 8.2.
 
 When you're collaborating online, you get fewer opportunities for high-fives
 and thumbs-ups. Emoji can be awarded to issues and merge requests, making
@@ -16,7 +16,7 @@ award emoji.
 ## Sort issues and merge requests on vote count
 
 >**Note:**
-This feature was [introduced][2871] in GitLab 8.5.
+[Introduced][2871] in GitLab 8.5.
 
 You can quickly sort issues and merge requests by the number of votes they
 have received. The sort options can be found in the dropdown menu as "Most
@@ -45,7 +45,7 @@ downvotes.
 ## Award emoji for comments
 
 >**Note:**
-This feature was [introduced][4291] in GitLab 8.9.
+[Introduced][4291] in GitLab 8.9.
 
 Award emoji can also be applied to individual comments when you want to
 celebrate an accomplishment or agree with an opinion.

doc/workflow/cherry_pick_changes.md

 # Cherry-pick changes
 
->**Note:**
-This feature was [introduced][ce-3514] in GitLab 8.7.
+> [Introduced][ce-3514] in GitLab 8.7.
 
 ---
 

doc/workflow/file_finder.md

 # File finder
 
-_**Note:** This feature was [introduced][gh-9889] in GitLab 8.4._
+> [Introduced][gh-9889] in GitLab 8.4.
 
 ---
 

doc/workflow/revert_changes.md

 # Reverting changes
 
-_**Note:** This feature was [introduced][ce-1990] in GitLab 8.5._
+> [Introduced][ce-1990] in GitLab 8.5.
 
 ---
 

doc/workflow/todos.md

 # GitLab Todos
 
->**Note:** This feature was [introduced][ce-2817] in GitLab 8.5.
+> [Introduced][ce-2817] in GitLab 8.5.
 
 When you log into GitLab, you normally want to see where you should spend your
 time and take some action, or what you need to keep an eye on. All without the

doc/workflow/web_editor.md

@@ -70,8 +70,7 @@ There are multiple ways to create a branch from GitLab's web interface.
 
 ### Create a new branch from an issue
 
->**Note:**
-This feature was [introduced][ce-2808] in GitLab 8.6.
+> [Introduced][ce-2808] in GitLab 8.6.
 
 In case your development workflow dictates to have an issue for every merge
 request, you can quickly create a branch right on the issue page which will be

lib/api/deploy_keys.rb

@@ -10,6 +10,9 @@ module API
       present keys, with: Entities::SSHKey
     end
 
+    params do
+      requires :id, type: String, desc: 'The ID of the project'
+    end
     resource :projects do
       before { authorize_admin_project }
 
@@ -17,52 +20,43 @@ module API
       # Use "projects/:id/deploy_keys/..." instead.
       #
       %w(keys deploy_keys).each do |path|
-        # Get a specific project's deploy keys
-        #
-        # Example Request:
-        #   GET /projects/:id/deploy_keys
+        desc "Get a specific project's deploy keys" do
+          success Entities::SSHKey
+        end
         get ":id/#{path}" do
           present user_project.deploy_keys, with: Entities::SSHKey
         end
 
-        # Get single deploy key owned by currently authenticated user
-        #
-        # Example Request:
-        #   GET /projects/:id/deploy_keys/:key_id
+        desc 'Get single deploy key' do
+          success Entities::SSHKey
+        end
+        params do
+          requires :key_id, type: Integer, desc: 'The ID of the deploy key'
+        end
         get ":id/#{path}/:key_id" do
           key = user_project.deploy_keys.find params[:key_id]
           present key, with: Entities::SSHKey
         end
 
-        # Add new deploy key to currently authenticated user
-        # If deploy key already exists - it will be joined to project
-        # but only if original one was accessible by same user
-        #
-        # Parameters:
-        #   key (required) - New deploy Key
-        #   title (required) - New deploy Key's title
-        # Example Request:
-        #   POST /projects/:id/deploy_keys
+        # TODO: for 9.0 we should check if params are there with the params block
+        # grape provides, at this point we'd change behaviour so we can't
+        # Behaviour now if you don't provide all required params: it renders a
+        # validation error or two.
+        desc 'Add new deploy key to currently authenticated user' do
+          success Entities::SSHKey
+        end
         post ":id/#{path}" do
           attrs = attributes_for_keys [:title, :key]
+          attrs[:key].strip! if attrs[:key]
 
-          if attrs[:key].present?
-            attrs[:key].strip!
-
-            # check if key already exist in project
-            key = user_project.deploy_keys.find_by(key: attrs[:key])
-            if key
-              present key, with: Entities::SSHKey
-              next
-            end
+          key = user_project.deploy_keys.find_by(key: attrs[:key])
+          present key, with: Entities::SSHKey if key
 
-            # Check for available deploy keys in other projects
-            key = current_user.accessible_deploy_keys.find_by(key: attrs[:key])
-            if key
-              user_project.deploy_keys << key
-              present key, with: Entities::SSHKey
-              next
-            end
+          # Check for available deploy keys in other projects
+          key = current_user.accessible_deploy_keys.find_by(key: attrs[:key])
+          if key
+            user_project.deploy_keys << key
+            present key, with: Entities::SSHKey
           end
 
           key = DeployKey.new attrs
@@ -74,12 +68,46 @@ module API
           end
         end
 
-        # Delete existing deploy key of currently authenticated user
-        #
-        # Example Request:
-        #   DELETE /projects/:id/deploy_keys/:key_id
+        desc 'Enable a deploy key for a project' do
+          detail 'This feature was added in GitLab 8.11'
+          success Entities::SSHKey
+        end
+        params do
+          requires :key_id, type: Integer, desc: 'The ID of the deploy key'
+        end
+        post ":id/#{path}/:key_id/enable" do
+          key = ::Projects::EnableDeployKeyService.new(user_project,
+                                                        current_user, declared(params)).execute
+
+          if key
+            present key, with: Entities::SSHKey
+          else
+            not_found!('Deploy Key')
+          end
+        end
+
+        desc 'Disable a deploy key for a project' do
+          detail 'This feature was added in GitLab 8.11'
+          success Entities::SSHKey
+        end
+        params do
+          requires :key_id, type: Integer, desc: 'The ID of the deploy key'
+        end
+        delete ":id/#{path}/:key_id/disable" do
+          key = user_project.deploy_keys_projects.find_by(deploy_key_id: params[:key_id])
+          key.destroy
+
+          present key.deploy_key, with: Entities::SSHKey
+        end
+
+        desc 'Delete existing deploy key of currently authenticated user' do
+          success Key
+        end
+        params do
+          requires :key_id, type: Integer, desc: 'The ID of the deploy key'
+        end
         delete ":id/#{path}/:key_id" do
-          key = user_project.deploy_keys.find params[:key_id]
+          key = user_project.deploy_keys.find(params[:key_id])
           key.destroy
         end
       end

lib/banzai/filter/video_link_filter.rb

 module Banzai
   module Filter
-
     # Find every image that isn't already wrapped in an `a` tag, and that has
     # a `src` attribute ending with a video extension, add a new video node and
     # a "Download" link in the case the video cannot be played.
     class VideoLinkFilter < HTML::Pipeline::Filter
-
       def call
         doc.xpath(query).each do |el|
           el.replace(video_node(doc, el))
@@ -54,6 +52,5 @@ module Banzai
         container
       end
     end
-
   end
 end

lib/ci/static_model.rb

-# Provides an ActiveRecord-like interface to a model whose data is not persisted to a database.
-module Ci
-  module StaticModel
-    extend ActiveSupport::Concern
-
-    module ClassMethods
-      # Used by ActiveRecord's polymorphic association to set object_id
-      def primary_key
-        'id'
-      end
-
-      # Used by ActiveRecord's polymorphic association to set object_type
-      def base_class
-        self
-      end
-    end
-
-    # Used by AR for fetching attributes
-    #
-    # Pass it along if we respond to it.
-    def [](key)
-      send(key) if respond_to?(key)
-    end
-
-    def to_param
-      id
-    end
-
-    def new_record?
-      false
-    end
-
-    def persisted?
-      false
-    end
-
-    def destroyed?
-      false
-    end
-
-    def ==(other)
-      if other.is_a? ::Ci::StaticModel
-        id == other.id
-      else
-        super
-      end
-    end
-  end
-end

lib/gitlab/git_access.rb

@@ -14,7 +14,7 @@ module Gitlab
       @user_access = UserAccess.new(user, project: project)
     end
 
-    def check(cmd, changes = nil)
+    def check(cmd, changes)
       return build_status_object(false, "Git access over #{protocol.upcase} is not allowed") unless protocol_allowed?
 
       unless actor

lib/gitlab/git_post_receive.rb

@@ -39,7 +39,6 @@ module Gitlab
     end
 
     def deserialize_changes(changes)
-      changes = Base64.decode64(changes) unless changes.include?(' ')
       changes = utf8_encode_changes(changes)
       changes.lines
     end

lib/gitlab/import_export/avatar_restorer.rb

 module Gitlab
   module ImportExport
     class AvatarRestorer
-
       def initialize(project:, shared:)
         @project = project
         @shared = shared

lib/gitlab/import_export/members_mapper.rb

@@ -18,11 +18,14 @@ module Gitlab
         @map ||=
           begin
             @exported_members.inject(missing_keys_tracking_hash) do |hash, member|
-              existing_user = User.where(find_project_user_query(member)).first
-              old_user_id = member['user']['id']
-              if existing_user && add_user_as_team_member(existing_user, member)
-                hash[old_user_id] = existing_user.id
+              if member['user']
+                old_user_id = member['user']['id']
+                existing_user = User.where(find_project_user_query(member)).first
+                hash[old_user_id] = existing_user.id if existing_user && add_team_member(member, existing_user)
+              else
+                add_team_member(member)
               end
+
               hash
             end
           end
@@ -45,7 +48,7 @@ module Gitlab
         ProjectMember.create!(user: @user, access_level: ProjectMember::MASTER, source_id: @project.id, importing: true)
       end
 
-      def add_user_as_team_member(existing_user, member)
+      def add_team_member(member, existing_user = nil)
         member['user'] = existing_user
 
         ProjectMember.create(member_hash(member)).persisted?

lib/gitlab/ldap/access.rb

@@ -25,7 +25,7 @@ module Gitlab
         end
       end
 
-      def initialize(user, adapter=nil)
+      def initialize(user, adapter = nil)
         @adapter = adapter
         @user = user
         @provider = user.ldap_identity.provider

lib/gitlab/ldap/adapter.rb

@@ -13,7 +13,7 @@ module Gitlab
         Gitlab::LDAP::Config.new(provider)
       end
 
-      def initialize(provider, ldap=nil)
+      def initialize(provider, ldap = nil)
         @provider = provider
         @ldap = ldap || Net::LDAP.new(config.adapter_options)
       end

lib/gitlab/popen.rb

@@ -5,7 +5,7 @@ module Gitlab
   module Popen
     extend self
 
-    def popen(cmd, path=nil)
+    def popen(cmd, path = nil)
       unless cmd.is_a?(Array)
         raise "System commands must be given as an array of strings"
       end

lib/gitlab/redis.rb

@@ -37,7 +37,7 @@ module Gitlab
       redis_config_hash
     end
 
-    def initialize(rails_env=nil)
+    def initialize(rails_env = nil)
       rails_env ||= Rails.env
       config_file = File.expand_path('../../../config/resque.yml', __FILE__)
 

lib/gitlab/user_access.rb

@@ -30,6 +30,8 @@ module Gitlab
       return false unless user
 
       if project.protected_branch?(ref)
+        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
+
         access_levels = project.protected_branches.matching(ref).map(&:push_access_level)
         access_levels.any? { |access_level| access_level.check_access(user) }
       else

lib/support/nginx/gitlab

@@ -49,12 +49,7 @@ server {
 
     proxy_http_version 1.1;
 
-    ## By overwriting Host and clearing X-Forwarded-Host we ensure that
-    ## internal HTTP redirects generated by GitLab always send users to
-    ## YOUR_SERVER_FQDN.
-    proxy_set_header    Host                YOUR_SERVER_FQDN;
-    proxy_set_header    X-Forwarded-Host    "";
-
+    proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
     proxy_set_header    X-Forwarded-Proto   $scheme;

lib/support/nginx/gitlab-ssl

@@ -93,12 +93,7 @@ server {
 
     proxy_http_version 1.1;
 
-    ## By overwriting Host and clearing X-Forwarded-Host we ensure that
-    ## internal HTTP redirects generated by GitLab always send users to
-    ## YOUR_SERVER_FQDN.
-    proxy_set_header    Host                YOUR_SERVER_FQDN;
-    proxy_set_header    X-Forwarded-Host    "";
-
+    proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
     proxy_set_header    X-Forwarded-Ssl     on;
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;

spec/features/admin/admin_disables_git_access_protocol_spec.rb

@@ -45,7 +45,6 @@ feature 'Admin disables Git access protocol', feature: true do
       expect(page).to have_content("git clone #{project.ssh_url_to_repo}")
       expect(page).to have_selector('#clone-dropdown')
     end
-
   end
 
   def visit_project

spec/features/profiles/password_spec.rb

+require 'spec_helper'
+
+describe 'Profile > Password', feature: true do
+  let(:user) { create(:user, password_automatically_set: true) }
+
+  before do
+    login_as(user)
+    visit edit_profile_password_path
+  end
+
+  def fill_passwords(password, confirmation)
+    fill_in 'New password',          with: password
+    fill_in 'Password confirmation', with: confirmation
+
+    click_button 'Save password'
+  end
+
+  context 'User with password automatically set' do
+    describe 'User puts different passwords in the field and in the confirmation' do
+      it 'shows an error message' do
+        fill_passwords('mypassword', 'mypassword2')
+
+        page.within('.alert-danger') do
+          expect(page).to have_content("Password confirmation doesn't match Password")
+        end
+      end
+
+      it 'does not contains the current password field after an error' do
+        fill_passwords('mypassword', 'mypassword2')
+
+        expect(page).to have_no_field('user[current_password]')
+      end
+    end
+
+    describe 'User puts the same passwords in the field and in the confirmation' do
+      it 'shows a success message' do
+        fill_passwords('mypassword', 'mypassword')
+
+        page.within('.flash-notice') do
+          expect(page).to have_content('Password was successfully updated. Please login with it')
+        end
+      end
+    end
+  end
+end

spec/features/protected_branches_spec.rb

@@ -11,7 +11,7 @@ feature 'Projected Branches', feature: true, js: true do
   def set_protected_branch_name(branch_name)
     find(".js-protected-branch-select").click
     find(".dropdown-input-field").set(branch_name)
-    click_on "Create Protected Branch: #{branch_name}"
+    click_on("Create wildcard #{branch_name}")
   end
 
   describe "explicit protected branches" do
@@ -90,7 +90,7 @@ feature 'Projected Branches', feature: true, js: true do
         visit namespace_project_protected_branches_path(project.namespace, project)
         set_protected_branch_name('master')
         within('.new_protected_branch') do
-          find(".allowed-to-push").click
+          find(".js-allowed-to-push").click
           within(".dropdown.open .dropdown-menu") { click_on access_type_name }
         end
         click_on "Protect"
@@ -107,8 +107,8 @@ feature 'Projected Branches', feature: true, js: true do
         expect(ProtectedBranch.count).to eq(1)
 
         within(".protected-branches-list") do
-          find(".allowed-to-push").click
-          within('.dropdown-menu.push') { click_on access_type_name }
+          find(".js-allowed-to-push").click
+          within('.js-allowed-to-push-container') { click_on access_type_name }
         end
 
         wait_for_ajax
@@ -121,7 +121,7 @@ feature 'Projected Branches', feature: true, js: true do
         visit namespace_project_protected_branches_path(project.namespace, project)
         set_protected_branch_name('master')
         within('.new_protected_branch') do
-          find(".allowed-to-merge").click
+          find(".js-allowed-to-merge").click
           within(".dropdown.open .dropdown-menu") { click_on access_type_name }
         end
         click_on "Protect"
@@ -138,8 +138,8 @@ feature 'Projected Branches', feature: true, js: true do
         expect(ProtectedBranch.count).to eq(1)
 
         within(".protected-branches-list") do
-          find(".allowed-to-merge").click
-          within('.dropdown-menu.merge') { click_on access_type_name }
+          find(".js-allowed-to-merge").click
+          within('.js-allowed-to-merge-container') { click_on access_type_name }
         end
 
         wait_for_ajax

spec/lib/banzai/filter/video_link_filter_spec.rb

@@ -47,5 +47,4 @@ describe Banzai::Filter::VideoLinkFilter, lib: true do
       expect(element['src']).to eq '/path/my_image.jpg'
     end
   end
-
 end

spec/lib/ci/gitlab_ci_yaml_processor_spec.rb

@@ -533,10 +533,6 @@ module Ci
           }
         end
 
-        context 'when also global variables are defined' do
-
-        end
-
         context 'when syntax is correct' do
           let(:variables) do
             { VAR1: 'value1', VAR2: 'value2' }

spec/lib/gitlab/git/hook_spec.rb

@@ -25,7 +25,6 @@ describe Gitlab::Git::Hook, lib: true do
     end
 
     ['pre-receive', 'post-receive', 'update'].each do |hook_name|
-
       context "when triggering a #{hook_name} hook" do
         context "when the hook is successful" do
           it "returns success with no errors" do

spec/lib/gitlab/git_access_spec.rb

@@ -19,11 +19,11 @@ describe Gitlab::GitAccess, lib: true do
       end
 
       it 'blocks ssh git push' do
-        expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+        expect(@acc.check('git-receive-pack', '_any').allowed?).to be_falsey
       end
 
       it 'blocks ssh git pull' do
-        expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+        expect(@acc.check('git-upload-pack', '_any').allowed?).to be_falsey
       end
     end
 
@@ -34,17 +34,17 @@ describe Gitlab::GitAccess, lib: true do
       end
 
       it 'blocks http push' do
-        expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+        expect(@acc.check('git-receive-pack', '_any').allowed?).to be_falsey
       end
 
       it 'blocks http git pull' do
-        expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+        expect(@acc.check('git-upload-pack', '_any').allowed?).to be_falsey
       end
     end
   end
 
   describe 'download_access_check' do
-    subject { access.check('git-upload-pack') }
+    subject { access.check('git-upload-pack', '_any') }
 
     describe 'master permissions' do
       before { project.team << [user, :master] }
@@ -288,7 +288,7 @@ describe Gitlab::GitAccess, lib: true do
     let(:actor) { key }
 
     context 'push code' do
-      subject { access.check('git-receive-pack') }
+      subject { access.check('git-receive-pack', '_any') }
 
       context 'when project is authorized' do
         before { key.projects << project }

spec/lib/gitlab/import_export/members_mapper_spec.rb

@@ -26,6 +26,20 @@ describe Gitlab::ImportExport::MembersMapper, services: true do
              "email" => user2.email,
              "username" => user2.username
            }
+       },
+       {
+         "id" => 3,
+         "access_level" => 40,
+         "source_id" => 14,
+         "source_type" => "Project",
+         "user_id" => nil,
+         "notification_level" => 3,
+         "created_at" => "2016-03-11T10:21:44.822Z",
+         "updated_at" => "2016-03-11T10:21:44.822Z",
+         "created_by_id" => 1,
+         "invite_email" => 'invite@test.com',
+         "invite_token" => 'token',
+         "invite_accepted_at" => nil
        }]
     end
 
@@ -47,5 +61,11 @@ describe Gitlab::ImportExport::MembersMapper, services: true do
 
       expect(members_mapper.missing_author_ids.first).to eq(-1)
     end
+
+    it 'has invited members with no user' do
+      members_mapper.map
+
+      expect(ProjectMember.find_by_invite_email('invite@test.com')).not_to be_nil
+    end
   end
 end

spec/lib/gitlab/import_export/project_tree_restorer_spec.rb

@@ -2,7 +2,6 @@ require 'spec_helper'
 
 describe Gitlab::ImportExport::ProjectTreeRestorer, services: true do
   describe 'restore project tree' do
-
     let(:user) { create(:user) }
     let(:namespace) { create(:namespace, owner: user) }
     let(:shared) { Gitlab::ImportExport::Shared.new(relative_path: "", project_path: 'path') }

spec/lib/gitlab/user_access_spec.rb

@@ -9,35 +9,80 @@ describe Gitlab::UserAccess, lib: true do
     describe 'push to none protected branch' do
       it 'returns true if user is a master' do
         project.team << [user, :master]
+
         expect(access.can_push_to_branch?('random_branch')).to be_truthy
       end
 
       it 'returns true if user is a developer' do
         project.team << [user, :developer]
+
         expect(access.can_push_to_branch?('random_branch')).to be_truthy
       end
 
       it 'returns false if user is a reporter' do
         project.team << [user, :reporter]
+
         expect(access.can_push_to_branch?('random_branch')).to be_falsey
       end
     end
 
+    describe 'push to empty project' do
+      let(:empty_project) { create(:project_empty_repo) }
+      let(:project_access) { Gitlab::UserAccess.new(user, project: empty_project) }
+
+      it 'returns true if user is master' do
+        empty_project.team << [user, :master]
+
+        expect(project_access.can_push_to_branch?('master')).to be_truthy
+      end
+
+      it 'returns false if user is developer and project is fully protected' do
+        empty_project.team << [user, :developer]
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_FULL)
+
+        expect(project_access.can_push_to_branch?('master')).to be_falsey
+      end
+
+      it 'returns false if user is developer and it is not allowed to push new commits but can merge into branch' do
+        empty_project.team << [user, :developer]
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_MERGE)
+
+        expect(project_access.can_push_to_branch?('master')).to be_falsey
+      end
+
+      it 'returns true if user is developer and project is unprotected' do
+        empty_project.team << [user, :developer]
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_NONE)
+
+        expect(project_access.can_push_to_branch?('master')).to be_truthy
+      end
+
+      it 'returns true if user is developer and project grants developers permission' do
+        empty_project.team << [user, :developer]
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_PUSH)
+
+        expect(project_access.can_push_to_branch?('master')).to be_truthy
+      end
+    end
+
     describe 'push to protected branch' do
       let(:branch) { create :protected_branch, project: project }
 
       it 'returns true if user is a master' do
         project.team << [user, :master]
+
         expect(access.can_push_to_branch?(branch.name)).to be_truthy
       end
 
       it 'returns false if user is a developer' do
         project.team << [user, :developer]
+
         expect(access.can_push_to_branch?(branch.name)).to be_falsey
       end
 
       it 'returns false if user is a reporter' do
         project.team << [user, :reporter]
+
         expect(access.can_push_to_branch?(branch.name)).to be_falsey
       end
     end
@@ -49,16 +94,19 @@ describe Gitlab::UserAccess, lib: true do
 
       it 'returns true if user is a master' do
         project.team << [user, :master]
+
         expect(access.can_push_to_branch?(@branch.name)).to be_truthy
       end
 
       it 'returns true if user is a developer' do
         project.team << [user, :developer]
+
         expect(access.can_push_to_branch?(@branch.name)).to be_truthy
       end
 
       it 'returns false if user is a reporter' do
         project.team << [user, :reporter]
+
         expect(access.can_push_to_branch?(@branch.name)).to be_falsey
       end
     end
@@ -70,19 +118,21 @@ describe Gitlab::UserAccess, lib: true do
 
       it 'returns true if user is a master' do
         project.team << [user, :master]
+
         expect(access.can_merge_to_branch?(@branch.name)).to be_truthy
       end
 
       it 'returns true if user is a developer' do
         project.team << [user, :developer]
+
         expect(access.can_merge_to_branch?(@branch.name)).to be_truthy
       end
 
       it 'returns false if user is a reporter' do
         project.team << [user, :reporter]
+
         expect(access.can_merge_to_branch?(@branch.name)).to be_falsey
       end
     end
-
   end
 end

spec/models/concerns/faster_cache_keys_spec.rb

+require 'spec_helper'
+
+describe FasterCacheKeys do
+  describe '#cache_key' do
+    it 'returns a String' do
+      # We're using a fixed string here so it's easier to set an expectation for
+      # the resulting cache key.
+      time = '2016-08-08 16:39:00+02'
+      issue = build(:issue, updated_at: time)
+      issue.extend(described_class)
+
+      expect(issue).to receive(:id).and_return(1)
+
+      expect(issue.cache_key).to eq("issues/1-#{time}")
+    end
+  end
+end

spec/models/project_spec.rb

@@ -69,6 +69,7 @@ describe Project, models: true do
     it { is_expected.to include_module(Gitlab::ConfigHelper) }
     it { is_expected.to include_module(Gitlab::ShellAdapter) }
     it { is_expected.to include_module(Gitlab::VisibilityLevel) }
+    it { is_expected.to include_module(Gitlab::CurrentSettings) }
     it { is_expected.to include_module(Referable) }
     it { is_expected.to include_module(Sortable) }
   end
@@ -1070,28 +1071,97 @@ describe Project, models: true do
   end
 
   describe '#protected_branch?' do
+    context 'existing project' do
+      let(:project) { create(:project) }
+
+      it 'returns true when the branch matches a protected branch via direct match' do
+        project.protected_branches.create!(name: 'foo')
+
+        expect(project.protected_branch?('foo')).to eq(true)
+      end
+
+      it 'returns true when the branch matches a protected branch via wildcard match' do
+        project.protected_branches.create!(name: 'production/*')
+
+        expect(project.protected_branch?('production/some-branch')).to eq(true)
+      end
+
+      it 'returns false when the branch does not match a protected branch via direct match' do
+        expect(project.protected_branch?('foo')).to eq(false)
+      end
+
+      it 'returns false when the branch does not match a protected branch via wildcard match' do
+        project.protected_branches.create!(name: 'production/*')
+
+        expect(project.protected_branch?('staging/some-branch')).to eq(false)
+      end
+    end
+
+    context "new project" do
+      let(:project) { create(:empty_project) }
+
+      it 'returns false when default_protected_branch is unprotected' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_NONE)
+
+        expect(project.protected_branch?('master')).to be false
+      end
+
+      it 'returns false when default_protected_branch lets developers push' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_PUSH)
+
+        expect(project.protected_branch?('master')).to be false
+      end
+
+      it 'returns true when default_branch_protection does not let developers push but let developer merge branches' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_MERGE)
+
+        expect(project.protected_branch?('master')).to be true
+      end
+
+      it 'returns true when default_branch_protection is in full protection' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_FULL)
+
+        expect(project.protected_branch?('master')).to be true
+      end
+    end
+  end
+
+  describe '#user_can_push_to_empty_repo?' do
     let(:project) { create(:empty_project) }
+    let(:user)    { create(:user) }
 
-    it 'returns true when the branch matches a protected branch via direct match' do
-      project.protected_branches.create!(name: 'foo')
+    it 'returns false when default_branch_protection is in full protection and user is developer' do
+      project.team << [user, :developer]
+      stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_FULL)
 
-      expect(project.protected_branch?('foo')).to eq(true)
+      expect(project.user_can_push_to_empty_repo?(user)).to be_falsey
     end
 
-    it 'returns true when the branch matches a protected branch via wildcard match' do
-      project.protected_branches.create!(name: 'production/*')
+    it 'returns false when default_branch_protection only lets devs merge and user is dev' do
+      project.team << [user, :developer]
+      stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_MERGE)
 
-      expect(project.protected_branch?('production/some-branch')).to eq(true)
+      expect(project.user_can_push_to_empty_repo?(user)).to be_falsey
     end
 
-    it 'returns false when the branch does not match a protected branch via direct match' do
-      expect(project.protected_branch?('foo')).to eq(false)
+    it 'returns true when default_branch_protection lets devs push and user is developer' do
+      project.team << [user, :developer]
+      stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_PUSH)
+
+      expect(project.user_can_push_to_empty_repo?(user)).to be_truthy
+    end
+
+    it 'returns true when default_branch_protection is unprotected and user is developer' do
+      project.team << [user, :developer]
+      stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_NONE)
+
+      expect(project.user_can_push_to_empty_repo?(user)).to be_truthy
     end
 
-    it 'returns false when the branch does not match a protected branch via wildcard match' do
-      project.protected_branches.create!(name: 'production/*')
+    it 'returns true when user is master' do
+      project.team << [user, :master]
 
-      expect(project.protected_branch?('staging/some-branch')).to eq(false)
+      expect(project.user_can_push_to_empty_repo?(user)).to be_truthy
     end
   end
 

spec/requests/api/deploy_keys.rb

-require 'spec_helper'
-
-describe API::API, api: true  do
-  include ApiHelpers
-
-  let(:user)  { create(:user) }
-  let(:project) { create(:project, creator_id: user.id) }
-  let!(:deploy_keys_project) { create(:deploy_keys_project, project: project) }
-  let(:admin) { create(:admin) }
-
-  describe 'GET /deploy_keys' do
-    before { admin }
-
-    context 'when unauthenticated' do
-      it 'should return authentication error' do
-        get api('/deploy_keys')
-        expect(response.status).to eq(401)
-      end
-    end
-
-    context 'when authenticated as non-admin user' do
-      it 'should return a 403 error' do
-        get api('/deploy_keys', user)
-        expect(response.status).to eq(403)
-      end
-    end
-
-    context 'when authenticated as admin' do
-      it 'should return all deploy keys' do
-        get api('/deploy_keys', admin)
-        expect(response.status).to eq(200)
-
-        expect(json_response).to be_an Array
-        expect(json_response.first['id']).to eq(deploy_keys_project.deploy_key.id)
-      end
-    end
-  end
-end

spec/requests/api/deploy_keys_spec.rb

+require 'spec_helper'
+
+describe API::API, api: true  do
+  include ApiHelpers
+
+  let(:user)        { create(:user) }
+  let(:admin)       { create(:admin) }
+  let(:project)     { create(:project, creator_id: user.id) }
+  let(:deploy_key)  { create(:deploy_key, public: true) }
+
+  let!(:deploy_keys_project) do
+    create(:deploy_keys_project, project: project, deploy_key: deploy_key)
+  end
+
+  describe 'GET /deploy_keys' do
+    context 'when unauthenticated' do
+      it 'should return authentication error' do
+        get api('/deploy_keys')
+
+        expect(response.status).to eq(401)
+      end
+    end
+
+    context 'when authenticated as non-admin user' do
+      it 'should return a 403 error' do
+        get api('/deploy_keys', user)
+
+        expect(response.status).to eq(403)
+      end
+    end
+
+    context 'when authenticated as admin' do
+      it 'should return all deploy keys' do
+        get api('/deploy_keys', admin)
+
+        expect(response.status).to eq(200)
+        expect(json_response).to be_an Array
+        expect(json_response.first['id']).to eq(deploy_keys_project.deploy_key.id)
+      end
+    end
+  end
+
+  describe 'GET /projects/:id/deploy_keys' do
+    before { deploy_key }
+
+    it 'should return array of ssh keys' do
+      get api("/projects/#{project.id}/deploy_keys", admin)
+
+      expect(response).to have_http_status(200)
+      expect(json_response).to be_an Array
+      expect(json_response.first['title']).to eq(deploy_key.title)
+    end
+  end
+
+  describe 'GET /projects/:id/deploy_keys/:key_id' do
+    it 'should return a single key' do
+      get api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", admin)
+
+      expect(response).to have_http_status(200)
+      expect(json_response['title']).to eq(deploy_key.title)
+    end
+
+    it 'should return 404 Not Found with invalid ID' do
+      get api("/projects/#{project.id}/deploy_keys/404", admin)
+
+      expect(response).to have_http_status(404)
+    end
+  end
+
+  describe 'POST /projects/:id/deploy_keys' do
+    it 'should not create an invalid ssh key' do
+      post api("/projects/#{project.id}/deploy_keys", admin), { title: 'invalid key' }
+
+      expect(response).to have_http_status(400)
+      expect(json_response['message']['key']).to eq([
+        'can\'t be blank',
+        'is too short (minimum is 0 characters)',
+        'is invalid'
+      ])
+    end
+
+    it 'should not create a key without title' do
+      post api("/projects/#{project.id}/deploy_keys", admin), key: 'some key'
+
+      expect(response).to have_http_status(400)
+      expect(json_response['message']['title']).to eq([
+        'can\'t be blank',
+        'is too short (minimum is 0 characters)'
+      ])
+    end
+
+    it 'should create new ssh key' do
+      key_attrs = attributes_for :another_key
+
+      expect do
+        post api("/projects/#{project.id}/deploy_keys", admin), key_attrs
+      end.to change{ project.deploy_keys.count }.by(1)
+    end
+  end
+
+  describe 'DELETE /projects/:id/deploy_keys/:key_id' do
+    before { deploy_key }
+
+    it 'should delete existing key' do
+      expect do
+        delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", admin)
+      end.to change{ project.deploy_keys.count }.by(-1)
+    end
+
+    it 'should return 404 Not Found with invalid ID' do
+      delete api("/projects/#{project.id}/deploy_keys/404", admin)
+
+      expect(response).to have_http_status(404)
+    end
+  end
+
+  describe 'POST /projects/:id/deploy_keys/:key_id/enable' do
+    let(:project2) { create(:empty_project) }
+
+    context 'when the user can admin the project' do
+      it 'enables the key' do
+        expect do
+          post api("/projects/#{project2.id}/deploy_keys/#{deploy_key.id}/enable", admin)
+        end.to change { project2.deploy_keys.count }.from(0).to(1)
+
+        expect(response).to have_http_status(201)
+        expect(json_response['id']).to eq(deploy_key.id)
+      end
+    end
+
+    context 'when authenticated as non-admin user' do
+      it 'should return a 404 error' do
+        post api("/projects/#{project2.id}/deploy_keys/#{deploy_key.id}/enable", user)
+
+        expect(response).to have_http_status(404)
+      end
+    end
+  end
+
+  describe 'DELETE /projects/:id/deploy_keys/:key_id/disable' do
+    context 'when the user can admin the project' do
+      it 'disables the key' do
+        expect do
+          delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}/disable", admin)
+        end.to change { project.deploy_keys.count }.from(1).to(0)
+
+        expect(response).to have_http_status(200)
+        expect(json_response['id']).to eq(deploy_key.id)
+      end
+    end
+
+    context 'when authenticated as non-admin user' do
+      it 'should return a 404 error' do
+        delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}/disable", user)
+
+        expect(response).to have_http_status(404)
+      end
+    end
+  end
+end

spec/requests/api/projects_spec.rb

@@ -641,79 +641,7 @@ describe API::API, api: true  do
       expect(response).to have_http_status(404)
     end
   end
-
-  describe :deploy_keys do
-    let(:deploy_keys_project) { create(:deploy_keys_project, project: project) }
-    let(:deploy_key) { deploy_keys_project.deploy_key }
-
-    describe 'GET /projects/:id/deploy_keys' do
-      before { deploy_key }
-
-      it 'should return array of ssh keys' do
-        get api("/projects/#{project.id}/deploy_keys", user)
-        expect(response).to have_http_status(200)
-        expect(json_response).to be_an Array
-        expect(json_response.first['title']).to eq(deploy_key.title)
-      end
-    end
-
-    describe 'GET /projects/:id/deploy_keys/:key_id' do
-      it 'should return a single key' do
-        get api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", user)
-        expect(response).to have_http_status(200)
-        expect(json_response['title']).to eq(deploy_key.title)
-      end
-
-      it 'should return 404 Not Found with invalid ID' do
-        get api("/projects/#{project.id}/deploy_keys/404", user)
-        expect(response).to have_http_status(404)
-      end
-    end
-
-    describe 'POST /projects/:id/deploy_keys' do
-      it 'should not create an invalid ssh key' do
-        post api("/projects/#{project.id}/deploy_keys", user), { title: 'invalid key' }
-        expect(response).to have_http_status(400)
-        expect(json_response['message']['key']).to eq([
-          'can\'t be blank',
-          'is too short (minimum is 0 characters)',
-          'is invalid'
-        ])
-      end
-
-      it 'should not create a key without title' do
-        post api("/projects/#{project.id}/deploy_keys", user), key: 'some key'
-        expect(response).to have_http_status(400)
-        expect(json_response['message']['title']).to eq([
-          'can\'t be blank',
-          'is too short (minimum is 0 characters)'
-        ])
-      end
-
-      it 'should create new ssh key' do
-        key_attrs = attributes_for :key
-        expect do
-          post api("/projects/#{project.id}/deploy_keys", user), key_attrs
-        end.to change{ project.deploy_keys.count }.by(1)
-      end
-    end
-
-    describe 'DELETE /projects/:id/deploy_keys/:key_id' do
-      before { deploy_key }
-
-      it 'should delete existing key' do
-        expect do
-          delete api("/projects/#{project.id}/deploy_keys/#{deploy_key.id}", user)
-        end.to change{ project.deploy_keys.count }.by(-1)
-      end
-
-      it 'should return 404 Not Found with invalid ID' do
-        delete api("/projects/#{project.id}/deploy_keys/404", user)
-        expect(response).to have_http_status(404)
-      end
-    end
-  end
-
+  
   describe :fork_admin do
     let(:project_fork_target) { create(:project) }
     let(:project_fork_source) { create(:project, :public) }

spec/requests/git_http_spec.rb

@@ -75,9 +75,9 @@ describe 'Git HTTP requests', lib: true do
       context "with correct credentials" do
         let(:env) { { user: user.username, password: user.password } }
 
-        it "uploads get status 200 (because Git hooks do the real check)" do
+        it "uploads get status 403" do
           upload(path, env) do |response|
-            expect(response).to have_http_status(200)
+            expect(response).to have_http_status(403)
           end
         end
 
@@ -86,7 +86,7 @@ describe 'Git HTTP requests', lib: true do
             allow(Gitlab.config.gitlab_shell).to receive(:receive_pack).and_return(false)
 
             upload(path, env) do |response|
-              expect(response).to have_http_status(404)
+              expect(response).to have_http_status(403)
             end
           end
         end
@@ -236,9 +236,9 @@ describe 'Git HTTP requests', lib: true do
               end
             end
 
-            it "uploads get status 200 (because Git hooks do the real check)" do
+            it "uploads get status 404" do
               upload(path, user: user.username, password: user.password) do |response|
-                expect(response).to have_http_status(200)
+                expect(response).to have_http_status(404)
               end
             end
           end
@@ -349,19 +349,19 @@ describe 'Git HTTP requests', lib: true do
     end
   end
 
-  def clone_get(project, options={})
+  def clone_get(project, options = {})
     get "/#{project}/info/refs", { service: 'git-upload-pack' }, auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 
-  def clone_post(project, options={})
+  def clone_post(project, options = {})
     post "/#{project}/git-upload-pack", {}, auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 
-  def push_get(project, options={})
+  def push_get(project, options = {})
     get "/#{project}/info/refs", { service: 'git-receive-pack' }, auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 
-  def push_post(project, options={})
+  def push_post(project, options = {})
     post "/#{project}/git-receive-pack", {}, auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 

spec/services/merge_requests/merge_request_diff_cache_service_spec.rb

 require 'spec_helper'
 
 describe MergeRequests::MergeRequestDiffCacheService do
-
   let(:subject) { MergeRequests::MergeRequestDiffCacheService.new }
 
   describe '#execute' do

spec/services/projects/enable_deploy_key_service_spec.rb

+require 'spec_helper'
+
+describe Projects::EnableDeployKeyService, services: true do
+  let(:deploy_key)  { create(:deploy_key, public: true) }
+  let(:project)     { create(:empty_project) }
+  let(:user)        { project.creator}
+  let!(:params)     { { key_id: deploy_key.id } }
+
+  it 'enables the key' do
+    expect do
+      service.execute
+    end.to change { project.deploy_keys.count }.from(0).to(1)
+  end
+
+  context 'trying to add an unaccessable key' do
+    let(:another_key) { create(:another_key) }
+    let!(:params)     { { key_id: another_key.id } }
+
+    it 'returns nil if the key cannot be added' do
+      expect(service.execute).to be nil
+    end
+  end
+
+  def service
+    Projects::EnableDeployKeyService.new(project, user, params)
+  end
+end

spec/support/select2_helper.rb

@@ -11,7 +11,7 @@
 #
 
 module Select2Helper
-  def select2(value, options={})
+  def select2(value, options = {})
     raise ArgumentError, 'options must be a Hash' unless options.kind_of?(Hash)
 
     selector = options.fetch(:from)

vendor/gitignore/Global/VisualStudioCode.gitignore

-.vscode
-
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json