attr_encrypted (1.3.4 => 3.0.1) Changelog:
https://github.com/attr-encrypted/attr_encrypted/blob/master/CHANGELOG.m
d

attr_encrypted 2.x included a vulnerability, so that major version is
skipped. 3.x requires that the algorithm and mode used by each
encrypted attribute is specified explicitly.

`nil` is no longer a valid value for the encrypted_value_iv field, so
it’s changed to a randomly generated string.

Devise (3.5.4 => 4.1.1) Changelog:
https://github.com/plataformatec/devise/blob/master/CHANGELOG.md

devise-two-factor (2.0.1 => 3.0.0) Changelog:
https://github.com/tinfoil/devise-two-factor/blob/master/CHANGELOG.md

These are reliant on each other, so they have to be upgraded together.

devise-async is no longer necessary as Devise 4.1 fixes a bug with the
ActiveJob integration.

This reverts merge request !3647

These methods seems to be unused.

Signed-off-by: Rémy Coutable <remy@rymai.me>

`User#starred_projects` doesn't perform any visibility checks. This has
a couple of problems:

1. It assumes a user can always view all of their starred projects in
   perpetuity (project not changed to private, access revoked, etc.).
2. It assumes that we'll only ever allow a user to star a project they
   can view. This is currently the case, but bugs happen.

Add `User#viewable_starred_projects` to filter the starred projects by
those the user either has explicit access to, or are public or
internal. Then use that in all places where we list the user's starred
projects.

In 8278b763 the default behaviour of annotation
has changes, which was causing a lot of noise in diffs. We decided in #17382
that it is better to get rid of the whole annotate gem, and instead let people
look at schema.rb for the columns in a table.

Fixes: #17382

Variable `Gitlab::Application.config.secret_key_base` is set in
config/initializers/secret_token.rb. It's very bad practice to use
hard-coded paths inside an application and really unnecessary in this
case.

This reverts commit 1cc614f2.

It was causing the ActiveJob integration to fail, so unfortunately we'll have to add the gem again.

The extra gem isn’t necessary anymore since Rails 4.2 has ActiveJob integration.

Resolves #15575.

Signed-off-by: Rémy Coutable <remy@rymai.me>

send_devise_notification pre-maturely enqueued the task when the user instance
has not yet been committed into the database, causing a record-not-found in the
other sidekiq process.

devise-async has already been taking care of asynchronous mail sending, we just
need to run it inside queue `mailers` instead of `mailer` to enable it.

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

* visiting project will create notification setting if missing
* change notification setting per project even without membership
* use notification settings instead of membership on profile page

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Fixes #14585.

This also refactores ProjectSelect adding some decorator-like functions.

This reverts commit 01160fc0, reversing
changes made to 4bff9daf.

Also incorporates the review into this, mainly spec changes.

The user has the rights of a public user execpt it can never create a project,
 group, or team. Also it cant view internal projects.

GitLab EE adds an extra relation that selects a "project_id" column
instead of an "id" column, making it very hard for this method to be
re-used in EE. Since using User#authorized_groups in
ProjectsFinder#all_groups apparently has no performance impact we can
just use it and keep everything compatible with EE.

We can just use "arel_table" in these cases instead of
"SomeClass.arel_table".

We don't need the extra layer of nesting of UNION queries here (as
User#authorized_projects already returns a UNION'd query).

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>