When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.

This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.

Additionally, if we're processing for a group (
no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.

Ensure only authorised users can create notes on merge requests and issues

See merge request gitlab/gitlabhq!3324

* Prevent creating notes on inaccessible MRs

This applies the notes rules at the MR scope. Rather than adding extra
rules to the Project level policy, preventing :create_note here is
better since it only prevents creating notes on MRs.

* Prevent creating notes in inaccessible Issues

without this policy, non-team-members are allowed to comment on issues
even when the project has the private-issues policy set. This means that
without this change, users are allowed to comment on issues that they
cannot read.

* Add CHANGELOG entry

Prevent disclosure of merge request id via email

See merge request gitlab/gitlabhq!3350

Send TODOs for comments on commits correctly

See merge request gitlab/gitlabhq!3365

Gitaly: ignore git redirects

See merge request gitlab/gitlabhq!3374

Project visibility restriction bypass

See merge request gitlab/gitlabhq!3330

Add Gitlab::VisibilityLevelChecker that verifies
selected project visibility level (or overridden param)
is not restricted when creating or importing a project

DNS Rebind SSRF in Kubernetes Integration

See merge request gitlab/gitlabhq!3268

Filter out old system notes for epics in notes api endpoint response

See merge request gitlab/gitlabhq!3314

Fix HTML injection for label description

See merge request gitlab/gitlabhq!3315

Permission fix for MergeRequestsController#pipeline_status

See merge request gitlab/gitlabhq!3322

Limit the size of issuable description and comments

See merge request gitlab/gitlabhq!3323

Add merge note type as cross reference

See merge request gitlab/gitlabhq!3328

Use image proxy to mitigate stealing ip addresses

See merge request gitlab/gitlabhq!3333

Fix DNS rebind vulnerability for JIRA integration

See merge request gitlab/gitlabhq!3338

Introduce JobActivity limit for alive jobs

See merge request gitlab/gitlabhq!3343

Clear reset_password_tokens when login (email or username) change

See merge request gitlab/gitlabhq!3346

Require a captcha after unique failed logins from the same IP

See merge request gitlab/gitlabhq!3349

Enforce max chars and max render time in markdown math

See merge request gitlab/gitlabhq!3353

Restrict MergeRequests#test_reports to authenticated users with read-access on Builds

See merge request gitlab/gitlabhq!3354

Add direct upload support for personal snippets

See merge request gitlab/gitlabhq!3359

admin_group authorization for Groups::RunnersController

See merge request gitlab/gitlabhq!3362

Re-escape the whole HTML content when finding HTML references

See merge request gitlab/gitlabhq!3370

[ci skip]

Prepare 12.2.1 release

See merge request gitlab-org/gitlab-ce!32107

Reduce dedup calls to gc only

See merge request gitlab-org/gitlab-ce!32083

At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.

This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.

Fix "ERR value is not an integer or out of range" errors

Closes #66449

See merge request gitlab-org/gitlab-ce!32126

(cherry picked from commit 8832aa95)

6bda359b Fix "ERR value is not an integer or out of range" errors

Embed metrics undefined param fix

Closes #66177

See merge request gitlab-org/gitlab-ce!31975

(cherry picked from commit 04b37e42)

1ebc87e9 Remove dashboard param when undefined
8122a21a Insert additional assertion
2c4e17f9 Ensure all params have the option to be dropped when falsy
3812e4f3 Use isNil check
5ed2c263 Add tests and null check
2ebe1715 Add change log entry

Clarify when new values are valid

See merge request gitlab-org/gitlab-ce!31951

(cherry picked from commit 47c069cc)

1efa52be Clarify when new values are valid

Fix Gitaly N+1 calls with listing issues/MRs via API

Closes #66202

See merge request gitlab-org/gitlab-ce!31938

(cherry picked from commit 57ec78d5)

ba7c501f Fix Gitaly N+1 calls with listing issues/MRs via API

Add Documentation for Feature Flag Target Users

Closes gitlab-ee#11459

See merge request gitlab-org/gitlab-ce!31918

(cherry picked from commit 69df0594)

c42f5bbc Add documentation for feature flag Target Users

Embed specific metrics chart in issue docs

See merge request gitlab-org/gitlab-ce!31900

(cherry picked from commit aed489bf)

482642b0 Adds specific metric styles and prop
146243da Updated styles, removed css :D
0a5d49f7 Adds docs for embedding chart
4bbb0ddf Simpler null checks
758a195b Fix some wrapping issues
d6550ad4 Fix lint and prop type
675639cc Remove everything that isn't docs
eb27d0f1 Apply suggestion to doc/user/project/integrations/prometheus.md
364e7219 Compress generate_link_to_chart.png image

Add documentation for incrementally expand mr diffs

See merge request gitlab-org/gitlab-ce!31878

(cherry picked from commit 0a16c8e1)

c867db91 Add documentation for incrementally expand mr diffs
e9d917c2 Apply suggestion to doc/user/project/merge_requests/index.md

Merge branch '64950-move-download-csv-button-functionality-in-metrics-dashboard-cards-into-the-dropdown' into 'master'

Add docs for csv download

Closes #66291

See merge request gitlab-org/gitlab-ce!31870

(cherry picked from commit 8b0acc31)

40327645 Adds docs for downloading csv
11f959ad Compress download_as_csv.png image
5cf5a52f Merge remote-tracking branch 'origin/master' into...

Link more issues in Design Management Limitations

See merge request gitlab-org/gitlab-ce!31697

(cherry picked from commit e40abf97)

50956e5c Link more issues in Design Management Limitations

Rename License Management to License Compliance

Closes #63329

See merge request gitlab-org/gitlab-ce!31590

(cherry picked from commit 11fd6bdf)

80b05132 Rename License Management to License Compliance