Skip to content

Fix allowlist bug that prevented project access token creation

What does this MR do?

"We have several customers that are encountering an error when creating project access tokens. After further troubleshooting, it seems that they have enabled email domain whitelisting for signing up in their instance."

This MR allows instances with allow-listing enabled to create project access tokens by skipping validation on project bot creation, even if the project bot email is not on the allowed domains list.

Screenshots

Before: Attempting to create a project bot would give a 500:

  "exception.message": "First argument in form cannot contain nil or be empty",
  "exception.backtrace": [
    "app/views/shared/access_tokens/_form.html.haml:9",
    "app/views/projects/settings/access_tokens/index.html.haml:22",
    "app/controllers/application_controller.rb:134:in `render'",
    "app/controllers/projects/settings/access_tokens_controller.rb:24:in `create'",
    "ee/lib/gitlab/ip_address_state.rb:10:in `with'",
    "ee/app/controllers/ee/application_controller.rb:44:in `set_current_ip_address'",
    "app/controllers/application_controller.rb:491:in `set_current_admin'",
    "lib/gitlab/session.rb:11:in `with_session'",
    "app/controllers/application_controller.rb:482:in `set_session_storage'",
    "app/controllers/application_controller.rb:476:in `set_locale'",
    "lib/gitlab/error_tracking.rb:50:in `with_context'",
    "app/controllers/application_controller.rb:541:in `sentry_context'",
    "app/controllers/application_controller.rb:469:in `block in set_current_context'",
    "lib/gitlab/application_context.rb:52:in `block in use'",
    "lib/gitlab/application_context.rb:52:in `use'",
    "lib/gitlab/application_context.rb:20:in `with_context'",
    "app/controllers/application_controller.rb:462:in `set_current_context'",
    "ee/lib/gitlab/jira/middleware.rb:19:in `call'"
  ],

image

image

After:

image

image

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Closes #235924 (closed)

Edited by Serena Fang

Merge request reports

Loading