Skip to content

Use User#identity_verified? to ensure user is allowed to visit IV pages

Eugie Limpin requested to merge el-restrict-users-access-to-iv-pages into master

What does this MR do and why?

Implements parts of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/674 and https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/673.

Updates IdentityVerificationController to use User#identity_verified? to ensure user is allowed to visit Identity Verification pages.

A user trying to access Identity Verification will get redirected to root_path when any of the following conditions are met:

  1. The user has already completed Identity Verification
  2. ::Gitlab::Saas.feature_available?(:identity_verification) is false
  3. ::Feature.enabled?(:opt_in_identity_verification, self, type: :wip) is false
  4. There are no verification methods available that the user can perform to complete Identity Verification. E.g. feature flags for both phone number verification and credit card verification are disabled.

These conditions are all checked in User#identity_verified?.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

  1. Start GDK simulating SaaS

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
  2. Enable FFs

    $ rails c
    > Feature.enable(:opt_in_identity_verification)
    > Feature.enable(:identity_verification_phone_number)
  3. Log in with root

  4. Ensure root is unverified

    $ rails c
    > user = User.first
    > user.identity_verified?
    => false

    If it returns true, run user.phone_number_validation.destroy and confirm that identity_verified? now returns false.

  5. Go to http://localhost:3000/-/identity_verification and validate that you can see the Identity Verification page

    Screenshot_2024-05-02_at_3.46.14_PM

  6. Create a phone number validation record for root to make them identity verified

    $ rails c
    > FactoryBot.create(:phone_number_validation, :validated, user: User.first)
  7. Go to http://localhost:3000/-/identity_verification and validate that you are redirected to the dashboard

Edited by Eugie Limpin

Merge request reports

Loading