Updated related_to_banned_user? method in Users::PhoneNumberValidation
What does this MR do and why?
- Updates the related_to_banned_user? method in Users::PhoneNumberValidation.
- It now only returns true if the matching phone number record has been verified, i.e. the validated_at column of the matching record is not nil.
- This is in response to an incident. We noticed that malicious users were entering random phone numbers, then getting blocked, which was in turn preventing legitimate users from signing up.
- Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/530
Database
How to set up and validate locally
- In the rails console:

```ruby
# create an unverified phone number validation record for the last user
> Users::PhoneNumberValidation.create(international_dial_code: '1', phone_number: '333', country: 'US', user: User.last, validated_at: nil)
# ban the user
> User.last.ban!
# check if the phone number matches a banned user; the record is unverified, so this should return false
> Users::PhoneNumberValidation.related_to_banned_user?('1', '333')
=> false
# update validated_at of the record so it counts as verified
> Users::PhoneNumberValidation.last.update(validated_at: Time.now)
# try again; the record is now verified, so this should return true
> Users::PhoneNumberValidation.related_to_banned_user?('1', '333')
=> true
```
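As an added illustration of the behaviour this MR changes (not GitLab's code and not this MR's diff), the following models the check before and after the fix with an in-memory stand-in for the phone validation records. The UserStub, PhoneRecord and PhoneValidationStore names and the related_to_banned_user_unfixed? method are assumptions made for the example, and both scenarios are constructed from the incident described above.

```ruby
# Hypothetical stand-ins for User and Users::PhoneNumberValidation.
# These are illustration-only structs, not GitLab's models.
UserStub = Struct.new(:id, :banned) do
  def banned?
    banned
  end
end

PhoneRecord = Struct.new(:international_dial_code, :phone_number, :country, :user, :validated_at)

class PhoneValidationStore
  def initialize
    @records = []
  end

  def create(international_dial_code:, phone_number:, country:, user:, validated_at: nil)
    record = PhoneRecord.new(international_dial_code, phone_number, country, user, validated_at)
    @records << record
    record
  end

  # Pre-MR behaviour as the description reports it: any stored record for this
  # number whose user is banned counts, even if the number was never verified.
  # An attacker can register a stranger's number unverified, get banned, and
  # thereby lock that number out of sign-up.
  def related_to_banned_user_unfixed?(international_dial_code, phone_number)
    matching(international_dial_code, phone_number).any? { |r| r.user.banned? }
  end

  # Post-MR behaviour: the record must also be verified (validated_at not nil),
  # so an unverified entry by a banned user no longer blocks anyone.
  def related_to_banned_user?(international_dial_code, phone_number)
    matching(international_dial_code, phone_number).any? do |r|
      r.user.banned? && !r.validated_at.nil?
    end
  end

  private

  def matching(international_dial_code, phone_number)
    @records.select do |r|
      r.international_dial_code == international_dial_code && r.phone_number == phone_number
    end
  end
end

# Constructed scenario from the incident: an attacker enters a number they do
# not own, never verifies it, and is later banned.
def incident_scenario
  store = PhoneValidationStore.new
  attacker = UserStub.new(1, true)
  store.create(international_dial_code: '1', phone_number: '333', country: 'US',
               user: attacker, validated_at: nil)
  {
    unfixed: store.related_to_banned_user_unfixed?('1', '333'), # true: legitimate owner blocked
    fixed: store.related_to_banned_user?('1', '333')            # false: unverified record ignored
  }
end

# Constructed scenario where the block is legitimate: the banned user had
# actually verified the number. A verified record of a non-banned user is
# included to show it does not trigger the check.
def verified_scenario
  store = PhoneValidationStore.new
  store.create(international_dial_code: '1', phone_number: '333', country: 'US',
               user: UserStub.new(2, true), validated_at: Time.now)
  store.create(international_dial_code: '1', phone_number: '444', country: 'US',
               user: UserStub.new(3, false), validated_at: Time.now)
  {
    banned_verified: store.related_to_banned_user?('1', '333'), # true
    active_verified: store.related_to_banned_user?('1', '444')  # false
  }
end

if __FILE__ == $PROGRAM_NAME
  p incident_scenario  # {:unfixed=>true, :fixed=>false}
  p verified_scenario  # {:banned_verified=>true, :active_verified=>false}
end
```

The example keeps the verified-and-banned case returning true, which is the property the console walkthrough above checks; the change only drops the unverified case that let an attacker deny sign-up to the real owner of a number.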
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Hinam Mehra