Resolve "Project bot users should always have their emails confirmed by default"
What does this MR do?
Fix for: #219539 (closed)
Background
When a project access token is created, a user is also created internally and added as a maintainer to the project.
Problem
The project bot user creation happens via this service, which internally calls Users::BuildService to create the user. There, the skip_confirmation attribute is set to true only if the executing user is NOT an admin, and only when Gitlab::CurrentSettings.send_user_confirmation_email is set to false.
So, if the project access token creation was triggered by, say, the GitLab instance admin, the resulting project bot user will not have their email confirmed by default. Coupled with the soft_email_confirmation feature flag being disabled, this makes the policy evaluate to true, thereby preventing API access for such users and resulting in 403 errors when the API is accessed via these access tokens, as described in #219539 (closed).
Fix
All project bot users should have their email confirmed by default. The best way to do this is to set the param skip_confirmation: true from within this service itself, which is later used by Users::BuildService, no matter who is executing the creation.
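As an added illustration (not GitLab's own code), the following simplified model reproduces the condition described above and puts the pre-fix and post-fix bot creation side by side; the class and method names, and the settings struct standing in for Gitlab::CurrentSettings and the feature flag, are assumptions.

```ruby
# Simplified model of the confirmation logic described in this MR.
# All names here are hypothetical stand-ins, not GitLab's real classes.
BotUser = Struct.new(:username, :confirmed, keyword_init: true)

# Stand-in for Gitlab::CurrentSettings.send_user_confirmation_email and
# the soft_email_confirmation feature flag.
Settings = Struct.new(:send_user_confirmation_email, :soft_email_confirmation,
                      keyword_init: true)

# Models Users::BuildService as described: unless the caller passes
# skip_confirmation explicitly, confirmation is skipped only when the
# executor is NOT an admin and confirmation emails are disabled.
# A skipped confirmation means the user is confirmed from the start.
def build_user(username, executor_admin:, settings:, params: {})
  skip = if params.key?(:skip_confirmation)
           params[:skip_confirmation]
         else
           !executor_admin && !settings.send_user_confirmation_email
         end
  BotUser.new(username: username, confirmed: skip)
end

# Pre-fix project bot creation: relies on the build service's default,
# so the outcome depends on who triggered the token creation.
def create_project_bot_before(executor_admin:, settings:)
  build_user("project_bot", executor_admin: executor_admin, settings: settings)
end

# Post-fix: the bot creation service always passes skip_confirmation: true,
# so the bot is confirmed regardless of the executor.
def create_project_bot_after(executor_admin:, settings:)
  build_user("project_bot", executor_admin: executor_admin, settings: settings,
             params: { skip_confirmation: true })
end

# Models the policy that denies API access (403) to unconfirmed users
# when soft email confirmation is disabled.
def api_access_allowed?(user, settings)
  user.confirmed || settings.soft_email_confirmation
end
```

With an admin executor and soft email confirmation disabled, the pre-fix bot is unconfirmed and denied API access, while the post-fix bot is confirmed and allowed.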
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods, and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team