Respect project visibility settings in the contributions calendar

This MR fixes a number of bugs relating to access controls and date selection of events for the contributions calendar

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23403

See merge request !2019
Signed-off-by: NRémy Coutable <remy@rymai.me>

Ensure external users are not able to clone disabled repositories.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23788

See merge request !2017
Signed-off-by: NRémy Coutable <remy@rymai.me>

Fix for HackerOne XSS vulnerability in markdown

This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153

See merge request !2015
Signed-off-by: NRémy Coutable <remy@rymai.me>

disable markdown in comments when referencing disabled features

fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548

This MR prevents the following references when tool is disabled:

- issues
- snippets
- commits - when repo is disabled
- commit range - when repo is disabled
- milestones

This MR does not prevent references to repository files, since they are just markdown links and don't leak
information.

See merge request !2011
Signed-off-by: NRémy Coutable <remy@rymai.me>

It was previously possible for invalid credential errors to go unnoticed
in this task. Users would believe everything was configured correctly and
then sign in would fail with 'invalid credentials'. This adds a specific
bind check, plus catches errors connecting to the server. Also, specs :)

Signed-off-by: NDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Signed-off-by: NDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

reactivates all tests and writes more tests for it

email token be reset

[e44da1c] Add Label API expected keys to tests

[ac929c8] Update Label API documentation

Signed-off-by: NDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Closes #24075

Signed-off-by: NRémy Coutable <remy@rymai.me>

No matter which environment Gitlab was running as, the admin/logs view
always showed production.log. This commit selects the logfile based
on Rails.env.

- Rename ProductionLogger to EnvironmentLogger
- Make EnvironmentLogger logfile depend on env
- Update spinach test for log tabs

This was the only thing using the `sdoc` gem, which was blocking another
gem from updating.

Fix symlink vulnerability in Import/Export

Replaces https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2018 made by @james

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23822

See merge request !2022
Signed-off-by: NRémy Coutable <remy@rymai.me>

Fix Import/Export foreign key issue to do with project members

Cleans-up any foreign keys in `ProjectMember` - same as we do with the rest of the models when importing.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23837 and https://gitlab.com/gitlab-org/gitlab-ce/issues/23739

See merge request !2020
Signed-off-by: NRémy Coutable <remy@rymai.me>

Because this code resides in lib/ it may be eager loaded. Rails in turn
doesn't define Rails::Generators by default unless you explicitly
require "rails/generators".

The UI allows to define a token to validate payload on the target URL,
this patch adds the feature to the API.

Fixes: https://gitlab.com/gitlab-org/gitlab-ce/issues/18096

Signed-off-by: NRémy Coutable <remy@rymai.me>