[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"

See merge request gitlab/gitlabhq!2583

[master]Fixed ability to comment on and edit/delete comments on locked or confidential issues

See merge request gitlab/gitlabhq!2612

[master] [pages] Possible symlink time of check to time of use race condition

Closes #2742

See merge request gitlab/gitlabhq!2638

[master] XSS in markdown following unrecognized HTML element

Closes #2732

See merge request gitlab/gitlabhq!2599

[master] Fix XSS in mermaid diagrams

See merge request gitlab/gitlabhq!2597

[master] Don't expose confidential information in commit message list

See merge request gitlab/gitlabhq!2626

[master] Resolve: Promoting a milestone is missing an authorization check

See merge request gitlab/gitlabhq!2598

[master] Do not follow redirects in prometheus service

See merge request gitlab/gitlabhq!2617

[master] Stored XSS for Environments

Closes #2727

See merge request gitlab/gitlabhq!2594

[master] Fixed read private group names

See merge request gitlab/gitlabhq!2589

[Master] Redact sensitive information on gitlab-workhorse log

See merge request gitlab/gitlabhq!2584

[ci skip]

[ci skip]

[ci skip]

Fix deadlock on ChunkedIO

See merge request gitlab-org/gitlab-ce!23329

Rails 5 deprecation: Passing an argument to force an association to reload is now deprecated

See merge request gitlab-org/gitlab-ce!23337

Allow profiler to authenticate by stubbing users directly

Closes #54327

See merge request gitlab-org/gitlab-ce!23320

Backport of gitlab-ee!8470

See merge request gitlab-org/gitlab-ce!23150

Add events index on project_id and created_at

Closes #53992

See merge request gitlab-org/gitlab-ce!23354

Upgrade better_errors gem to 2.5.0

See merge request gitlab-org/gitlab-ce!23312

Fix Image Lazy Loader for some older browsers

Closes #54407

See merge request gitlab-org/gitlab-ce!23349

Override CI_COMMIT_REF_SLUG for QA branches

See merge request gitlab-org/gitlab-ce!23346

CE port of "Move merge request approval settings"

See merge request gitlab-org/gitlab-ce!23157

The `gitlab:assets:compile` job isn't run for the QA branches, thus
there's no Docker image correspinding these branches in the registry.

By overriding `CI_COMMIT_REF_SLUG` to `master` for QA branches, the
`fetch-assets` job in the `omnibus-gitlab` pipeline will pull the
`master` assets Docker image.
Signed-off-by: NRémy Coutable <remy@rymai.me>

Update externalized strings from `/app/views/project/runners`

See merge request gitlab-org/gitlab-ce!23347

i18n: externalize strings from 'app/views/shared/members'

See merge request gitlab-org/gitlab-ce!23125

Some older browsers do not ship with isIntersecting, while they already
have IntersectionObserver support. We make use of `intersectionRatio`
now to fix the Lazy Loader for those browsers.

Batch load only data from same repository when lazy object is accessed

See merge request gitlab-org/gitlab-ce!23309

Signed-off-by: NTao Wang <twang2218@gmail.com>
Signed-off-by: NRémy Coutable <remy@rymai.me>

Cache project HEAD to prevent unnecessary Gitaly calls

See merge request gitlab-org/gitlab-ce!23307

Allow to store null variables

Closes #54379

See merge request gitlab-org/gitlab-ce!23299

CE Backport: Extract Gitlab::Prometheus::QueryVariables

See merge request gitlab-org/gitlab-ce!23335

Refactor issue boards switcher to single file Vue component (CE-port)

See merge request gitlab-org/gitlab-ce!23274

CE port for qa-193-ldap-group-sync EE branch

See merge request gitlab-org/gitlab-ce!22834

Previously, we used a personal access token. This had a couple of
problems:

1. If the user didn't have a PAT, we couldn't impersonate them.
2. It depended on reading the raw PAT from the database.

Instead, we can monkey-patch the authentication methods on
ApplicationController (overriding the Devise ones), and remove them once
we're done. This does mean that profiles will not profile auth
correctly, so for that, use a PAT directly.