......@@ -121,5 +121,5 @@
.only-ee:
only:
variables:
- $CI_PROJECT_NAME == "gitlab-ee"
- $CI_PROJECT_NAME == "gitlab" # New name of gitlab-ee after the single codebase migration
- $CI_PROJECT_NAME == "gitlab"
- $CI_PROJECT_NAME == "gitlab-ee" # Support former project name for forks/mirrors
......@@ -114,7 +114,8 @@ schedule:review-deploy:
needs: ["schedule:review-build-cng"]
review-stop:
extends: review-deploy
extends:
- .review-deploy-base
when: manual
environment:
action: stop
......@@ -137,7 +138,6 @@ review-cleanup-failed-deployment:
extends: review-stop
stage: prepare
when: on_success
needs: []
allow_failure: false
script:
- delete_failed_release
......@@ -43,5 +43,6 @@ no_ee_check:
- scripts/no-ee-check
only:
variables:
- $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAME == "gitlab-foss"
- $CI_SERVER_HOST == "dev.gitlab.org" && $CI_PROJECT_NAME == "gitlabhq"
- $CI_PROJECT_NAME == "gitlab-foss"
- $CI_PROJECT_NAME == "gitlab-ce" # Support former project name for forks/mirrors
- $CI_PROJECT_NAME == "gitlabhq" # Support former project name for dev
Please view this file on the master branch, on stable branches it's out of date.
## 12.3.6
### Security (4 changes)
- Do not index system notes for issue update.
- Redact search results based on Ability.allowed?.
- Do not show private cross references in epic notes.
- Filter out packages the user does'nt have permission to see at group level.
## 12.3.5
- No changes.
## 12.3.4
### Fixed (2 changes)
- Fix replies to service desk emails for projects with issue access as Only Project Members. !17401
- Geo: LFS not being synced. !17633
## 12.3.3
### Security (1 change)
- Restrict access for security reports in MR widget.
## 12.3.2
### Security (2 changes)
- Hide approvers if a rule has any hidden groups.
- Prevent IDOR when adding groups to protected environments.
## 12.3.1
- No changes.
## 12.3.0
### Security (3 changes)
......@@ -4,7 +4,7 @@ entry.
 
## 12.3.6
 
### Security (14 changes)
### Security (15 changes)
 
- Standardize error response when route is missing.
- Do not display project labels that are not visible for user accessing group labels.
......@@ -17,6 +17,7 @@ entry.
- Return 404 on LFS request if project doesn't exist.
- Mask sentry auth token in Error Tracking dashboard.
- Fixes a Open Redirect issue in `InternalRedirect`.
- Remove deploy access level when project/group link is deleted.
- Sanitize search text to prevent XSS.
- Sanitize all wiki markup formats with GitLab sanitization pipelines.
- Fix stored XSS issue for grafana_url.
......@@ -24,11 +25,18 @@ entry.
 
## 12.3.5
 
- No changes.
### Security (1 change)
- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.
 
## 12.3.4
 
- No changes.
### Fixed (2 changes)
- Fix cannot merge icon showing in dropdown for users who can merge. !17306
- Fix pipelines for merge requests in project exports. !17844
 
## 12.3.3
 
......@@ -39,16 +47,18 @@ entry.
 
## 12.3.2
 
### Security (10 changes)
### Security (12 changes)
 
- Fix Gitaly SearchBlobs flag RPC injection.
- Add a policy check for system notes that may not be visible due to cross references to private items.
- Display only participants that user has permission to see on milestone page.
- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
- Check permissions before showing head pipeline blocking merge requests.
- Fix new project path being disclosed through unsubscribe link of issue/merge requests.
- Prevent bypassing email verification using Salesforce.
- Do not show resource label events referencing not accessible labels.
- Cancel all running CI jobs triggered by the user who is just blocked.
- Fix Gitaly SearchBlobs flag RPC injection.
- Only render fixed number of mermaid blocks.
- Prevent GitLab accounts takeover if SAML is configured.
 
12.3.6
12.3.6-ee
......@@ -7,6 +7,7 @@ import _ from 'underscore';
import axios from './lib/utils/axios_utils';
import { s__, __, sprintf } from './locale';
import ModalStore from './boards/stores/modal_store';
import { parseBoolean } from './lib/utils/common_utils';
// TODO: remove eventHub hack after code splitting refactor
window.emitSidebarEvent = window.emitSidebarEvent || $.noop;
......@@ -279,12 +280,13 @@ function UsersSelect(currentUser, els, options = {}) {
})
.map(input => {
const userId = parseInt(input.value, 10);
const { avatarUrl, avatar_url, name, username } = input.dataset;
const { avatarUrl, avatar_url, name, username, canMerge } = input.dataset;
return {
avatar_url: avatarUrl || avatar_url,
id: userId,
name,
username,
can_merge: parseBoolean(canMerge),
};
});
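Review bot: `can_merge` is now emitted for every selected assignee, including issue assignees whose hidden field carries no `data-can-merge` (the helper added in this commit only sets it when a merge request is passed), and `parseBoolean(undefined)` presumably yields `false`, so consumers cannot tell "not a merge request" from "cannot merge". If anything downstream keys off `can_merge === false` to show a warning, either leave the key out when the attribute is absent or use `can_merge: canMerge === undefined ? undefined : parseBoolean(canMerge),`. The enclosing `UsersSelect` function starts and ends outside the hunk.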
# frozen_string_literal: true
module RendersAssignees
def preload_assignees_for_render(merge_request)
merge_request.project.team.max_member_access_for_user_ids(merge_request.assignees.map(&:id))
end
end
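Review bot: `preload_assignees_for_render` discards the return value of `max_member_access_for_user_ids`, so the method is only useful if that call memoises access levels on the project team for the later `can_be_merged_by?` checks — an intent that is invisible from this file and should be stated, e.g. `# Warms the team's per-user access cache so that can_be_merged_by? does not issue one query per assignee when the sidebar renders.` If `assignees` is not already loaded at this point, `merge_request.assignee_ids` would avoid instantiating User records just to collect ids, though the sidebar renders them shortly afterwards anyway.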
......@@ -5,6 +5,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
include IssuableActions
include RendersNotes
include RendersCommits
include RendersAssignees
include ToggleAwardEmoji
include IssuableCollections
include RecordUserLastActivity
......@@ -41,6 +42,8 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
# use next to appease Rubocop
next render('invalid') if target_branch_missing?
preload_assignees_for_render(@merge_request)
# Build a note object for comment form
@note = @project.notes.new(noteable: @merge_request)
......@@ -372,6 +372,12 @@ module IssuablesHelper
finder.class.scalar_params.any? { |p| params[p].present? }
end
def assignee_sidebar_data(assignee, merge_request: nil)
{ avatar_url: assignee.avatar_url, name: assignee.name, username: assignee.username }.tap do |data|
data[:can_merge] = merge_request.can_be_merged_by?(assignee) if merge_request
end
end
private
def sidebar_gutter_collapsed?
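Review bot: `assignee_sidebar_data` is a public helper whose result is rendered straight into `data-*` attributes, and `can_merge` costs one `can_be_merged_by?` check per assignee, yet it has no documentation; a short YARD header would make both the contract and the dependency on the controller-side preload explicit: `# @param assignee [User]`, `# @param merge_request [MergeRequest, nil] when given, adds :can_merge (one permission check per assignee; see RendersAssignees#preload_assignees_for_render)`, `# @return [Hash] data attributes for the assignee hidden field`. The `can_merge` flag is only a rendering hint; nothing here should be read as replacing the permission check at merge time.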
......@@ -11,7 +11,7 @@
= hidden_field_tag "#{issuable_type}[assignee_ids][]", 0, id: nil
- else
- assignees.each do |assignee|
= hidden_field_tag "#{issuable_type}[assignee_ids][]", assignee.id, id: nil, data: { avatar_url: assignee.avatar_url, name: assignee.name, username: assignee.username }
= hidden_field_tag "#{issuable_type}[assignee_ids][]", assignee.id, id: nil, data: assignee_sidebar_data(assignee, merge_request: @merge_request)
- options = { toggle_class: 'js-user-search js-author-search',
title: _('Assign to'),
......@@ -22,6 +22,8 @@ class ScheduleProjectAnyApprovalRuleMigration < ActiveRecord::Migration[5.2]
end
def up
return unless Gitlab.ee?
add_concurrent_index :projects, :id,
name: 'tmp_projects_with_approvals_before_merge',
where: 'approvals_before_merge <> 0'
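Review bot: `return unless Gitlab.ee?` makes `up` a no-op on FOSS, but the migration version is still recorded as applied, so an instance that is later switched from FOSS to EE will never get this index or the backfill that the rest of `up` (outside the hunk) presumably schedules. If that is the accepted trade-off it deserves a comment above the guard, e.g. `# No-op on FOSS: the approval-rule backfill is EE-only and is not re-run if the instance later moves to EE.` The same guard is added to `ScheduleMergeRequestAnyApprovalRuleMigration#up` in the next file section and needs the same note; `down` is not visible here, so whether it tolerates the missing index cannot be confirmed.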
......@@ -22,6 +22,8 @@ class ScheduleMergeRequestAnyApprovalRuleMigration < ActiveRecord::Migration[5.2
end
def up
return unless Gitlab.ee?
add_concurrent_index :merge_requests, :id,
name: 'tmp_merge_requests_with_approvals_before_merge',
where: 'approvals_before_merge <> 0'
......@@ -151,7 +151,7 @@ Clicking on this button will create a merge request to apply the solution onto t
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing) 12.2.
Merge Request Approvals can be configured to require approval from a member
of your security team when a vulnerability would be introduced by a merge request.
of your security team when a vulnerability, or a software license compliance violation would be introduced by a merge request.
This threshold is defined as `high`, `critical`, or `unknown`
severity. When any vulnerabilities are present within a merge request, an
......@@ -178,6 +178,29 @@ An approval will be optional when a security report:
- Contains no new vulnerabilities.
- Contains only new vulnerabilities of `low` or `medium` severity.
### Enabling License Approvals within a project
To enable License Approvals, a [project approval rule](../project/merge_requests/merge_request_approvals.md#multiple-approval-rules-premium)
must be created with the case-sensitive name `License-Check`. This approval
group must be set with an "Approvals required" count greater than zero.
Once this group has been added to your project, the approval rule will be enabled
for all Merge Requests. To configure how this rule behaves, you can choose which
licenses to `approve` or `blacklist` in the
[project policies for License Compliance](license_compliance/index.md#project-policies-for-license-compliance) section.
Any code changes made will cause the count of approvals required to reset.
An approval will be required when a license report:
- Contains a dependency that includes a software license that is `blacklisted`.
- Is not generated during pipeline execution.
An approval will be optional when a license report:
- Contains no software license violations.
- Contains only new licenses that are `approved` or unknown.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
......@@ -337,6 +337,16 @@ of your security team when a vulnerability would be introduced by a merge reques
For more information, see
[Security approvals in merge requests](../../application_security/index.md#security-approvals-in-merge-requests-ultimate).
## License compliance approvals in merge requests **(ULTIMATE)**
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing) 12.3.
Merge Request Approvals can be configured to require approval from a member
of your security team when a blacklisted software license would be introduced by a merge request.
For more information, see
[Security approvals in merge requests](../../application_security/index.md#security-approvals-in-merge-requests-ultimate).
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
......@@ -35,7 +35,8 @@ module Gitlab
end
def ee?
ENV['CI_PROJECT_NAME'] == 'gitlab-ee' || File.exist?('../../CHANGELOG-EE.md')
# Support former project name for `dev` and support local Danger run
%w[gitlab gitlab-ee].include?(ENV['CI_PROJECT_NAME']) || Dir.exist?('../../ee')
end
def gitlab_helper
......@@ -52,7 +53,7 @@ module Gitlab
end
def project_name
ee? ? 'gitlab-ee' : 'gitlab-ce'
ee? ? 'gitlab' : 'gitlab-foss'
end
def markdown_list(items)
......@@ -66,6 +66,7 @@ tree:
- stages:
- :statuses
- :external_pull_request
- :merge_request
- :external_pull_requests
- :auto_devops
- :triggers
......@@ -166,6 +167,12 @@ excluded_attributes:
- :external_diff_size
issues:
- :milestone_id
merge_request:
- :milestone_id
- :ref_fetched
- :merge_jid
- :rebase_jid
- :latest_merge_request_diff_id
merge_requests:
- :milestone_id
- :ref_fetched
......@@ -38,7 +38,7 @@ module Gitlab
IMPORTED_OBJECT_MAX_RETRIES = 5.freeze
EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels project_feature].freeze
EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels project_feature merge_request].freeze
TOKEN_RESET_MODELS = %w[Project Namespace Ci::Trigger Ci::Build Ci::Runner ProjectHook].freeze
......@@ -289,6 +289,7 @@ module Gitlab
def find_or_create_object!
return relation_class.find_or_create_by(project_id: @project.id) if @relation_name == :project_feature
return find_or_create_merge_request! if @relation_name == :merge_request
# Can't use IDs as validation exists calling `group` or `project` attributes
finder_hash = parsed_relation_hash.tap do |hash|
......@@ -299,6 +300,11 @@ module Gitlab
GroupProjectObjectBuilder.build(relation_class, finder_hash)
end
def find_or_create_merge_request!
@project.merge_requests.find_by(iid: parsed_relation_hash['iid']) ||
relation_class.new(parsed_relation_hash)
end
end
end
end
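Review bot: `find_or_create_merge_request!` neither creates nor raises — when no merge request with the archive's `iid` exists it returns `relation_class.new(parsed_relation_hash)`, an unsaved record built directly from attributes supplied in the import file, so the bang name promises persistence and an error path that are not there. Either rename it to `find_or_build_merge_request` or state the contract: `# Returns the project's existing MR with this iid, or an unsaved MR built from the import hash; the caller is responsible for saving it.` Because the archive is user-supplied, it is worth confirming that this relation's `parsed_relation_hash` goes through the same attribute filtering as the `merge_requests` tree (the new `merge_request:` entry under `excluded_attributes` suggests it does) and that a record built here cannot later collide on `iid` with one imported from `merge_requests` — the processing order is not visible in this hunk.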
......@@ -18,7 +18,8 @@ class AutomatedCleanup
].freeze
def self.ee?
ENV['CI_PROJECT_NAME'] == 'gitlab-ee' || File.exist?('CHANGELOG-EE.md')
# Support former project name for `dev`
%w[gitlab gitlab-ee].include?(ENV['CI_PROJECT_NAME'])
end
def initialize(project_path: ENV['CI_PROJECT_PATH'], gitlab_token: ENV['GITLAB_BOT_REVIEW_APPS_CLEANUP_TOKEN'])
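Review bot: `AutomatedCleanup.ee?` (and `Trigger.ee?` in the next file section) drops the `File.exist?('CHANGELOG-EE.md')` fallback, so outside CI, with `CI_PROJECT_NAME` unset, both now return false where they previously detected EE from the checkout, while the Danger helper in this same commit keeps a filesystem fallback (`Dir.exist?('../../ee')`); the three helpers no longer agree. If these scripts are only ever run in CI, say so above the method, e.g. `# CI-only: derives the edition from CI_PROJECT_NAME, no local checkout fallback`; otherwise mirror the Danger helper with `|| Dir.exist?('ee')` at the end of the expression.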
......@@ -12,7 +12,8 @@ end
module Trigger
def self.ee?
ENV['CI_PROJECT_NAME'] == 'gitlab-ee' || File.exist?('CHANGELOG-EE.md')
# Support former project name for `dev`
%w[gitlab gitlab-ee].include?(ENV['CI_PROJECT_NAME'])
end
class Base