https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26248 added
support for deduplicating FindCommit requests using Gitaly ref name
caching. However, not all endpoints were covered, and in one case the
Gitaly wrapper wasn't actually surrounding the serialization step. We
can safely cache ref names between FindCommit calls for #index and #show
endpoints for merge requests and pipelines. This can significantly
reduce the number of FindCommit requests.

This style change enforces `return if ...` instead of
`return nil if ...` to save maintainers a few minor review points

When we unhooked ClustersController from
Project::ApplicationsController, we missed an EE override to
handle_not_found_or_authorized.

Rather than carry on with override RoutingActions, make a specific proc
for Project that we override in EE instead. Use that proc in both
Clusters::BaseController and Project::ApplicationsController.

Enables frozen string for some vestigial files as
well as the following:

* app/controllers/projects/**/*.rb
* app/controllers/sherlock/**/*.rb
* app/controllers/snippets/**/*.rb
* app/controllers/users/**/*.rb

Partially addresses #47424.

Closes #49120

This commits replaces `params` with `safe_params` in `url_for` helpers
to resolve security issues [1] and failing specs with the

```
ArgumentError:
  Attempting to generate a URL from non-sanitized request parameters!
  An attacker can inject malicious data into the generated URL, such as
  changing the host. Whitelist and sanitize passed parameters to be secure.
```

error.

[1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168

So we can distinguish between the permissions on the source and the
target project.

- `create_merge_request_from` indicates a user can create a merge
  request with the project as a source_project
- `create_merge_request_in` indicates a user can create a merge
  request with the project as a target_project

This prevents creating merge requests targeting archived projects.

This could happen when a project was already forked, but then the
source was archived.

Security fixes for 10.1 RC

See merge request gitlab/gitlabhq!2209

Open the settings section based on the location hash

In this instance its subgroups, and given we can't deploy it, we
shouldn't allow it to be shown.

Fixes gitlab-org/gitlab-ce#34864

In order to avoid string manipulation or modify route params (to make them unambiguous for `url_for`), we are accepting a behavior change:

When being redirected to the canonical path for a group, if you requested a group show path starting with `/groups/…` then you’ll now be redirected to the group at root `/…`.

Note: This changes the behavior of user lookups (see the spec change) so it acts the same way as groups and projects. Unauthenticated clients attempting to access a user page will be redirected to login whether the user exists and is publicly restricted, or does not exist at all.

* Regards project-level pages config
- Nav link is now shown only if Pages is enabled for instance
- Navigation to following controllers denied if Pages disabled:
  * projects/pages_controller
  * projects/pages_domains_controller
- 'disabled' partial removed
+ Test for pages_controller introduced

The user can create a new directory on a different branch than the
source branch when the branch already exists.

add complete changelog for !8949