
Resolve "Project bot users should always have their emails confirmed by default"

What does this MR do?

Fix for: #219539 (closed)

Background

When a project access token is created, a user is also created internally and added as a maintainer to the project.

Problem

The project bot user creation happens via this service, which internally calls Users::BuildService to create the user.

Here, the skip_confirmation attribute is set to true only if the executing user is NOT an admin, and even then only when Gitlab::CurrentSettings.send_user_confirmation_email is set to false.

So if the project access token creation was triggered by, say, the GitLab instance admin, the resulting project bot user will not have their email confirmed by default. Coupled with the soft_email_confirmation feature flag being disabled, this causes this policy to evaluate to true, thereby preventing API access for such users and resulting in 403 errors when the API is accessed via these access tokens, as described in #219539 (closed).

Fix

All project bot users should have their email confirmed by default. The best way to do this is to set the param skip_confirmation: true from within this service itself, so that Users::BuildService uses it no matter who is executing the creation.
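As an added example (not code from this MR or from GitLab's code base), the following plain-Ruby model reproduces the decision chain described above: how skip_confirmation was derived before the fix, how it is fixed, and how the confirmation state feeds the API access policy. All class and method names here are assumptions.

```ruby
# Minimal stand-ins for the instance settings, the executing user and the
# created project bot user (constructed for this example, not GitLab models).
Settings = Struct.new(:send_user_confirmation_email, :soft_email_confirmation)

Executor = Struct.new(:admin) do
  def admin?
    admin
  end
end

BotUser = Struct.new(:confirmed) do
  def confirmed?
    confirmed
  end
end

# Pre-fix behaviour: skip_confirmation is derived from who executes the
# creation and from the instance setting, so an admin executor always
# produces an unconfirmed bot user.
def skip_confirmation_before_fix(executor, settings)
  !executor.admin? && !settings.send_user_confirmation_email
end

# Post-fix behaviour: the token-creation service passes skip_confirmation: true
# itself, regardless of who is executing the creation.
def skip_confirmation_after_fix(_executor, _settings)
  true
end

# Builds the project bot user; a skipped confirmation means the email is
# treated as confirmed at creation time.
def create_project_bot(executor, settings, fixed:)
  skip = if fixed
           skip_confirmation_after_fix(executor, settings)
         else
           skip_confirmation_before_fix(executor, settings)
         end
  BotUser.new(skip)
end

# Model of the policy referenced in the MR: with soft_email_confirmation
# disabled, an unconfirmed user is denied API access (HTTP 403).
def api_status_for(user, settings)
  return 200 if settings.soft_email_confirmation
  user.confirmed? ? 200 : 403
end
```

With send_user_confirmation_email and soft_email_confirmation both false, an admin-created bot gets 403 before the fix and 200 after it, while a non-admin-created bot gets 200 in both cases.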

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Manoj M J
