Skip to content

Resolve "Project bots can get CAPTCHA even on a private project"

Chad Woolley requested to merge 16240-fix-project-bot-captcha into master

What does this MR do?

Fixes issue that project bots should not get CAPTCHAs when they otherwise should not (for example, on private projects).

See discussion on issue for more context.

Root cause

Additional context on bots and EE-specific override

Note that Project bots are not EE-specific, and also that support bots are now not EE-specific either as of 13.2

Therefore, in addition to being fixed, this logic should also be moved up to the base app/models/issue.rb class (and we can also remove the duplication around which fields to check).

Fix

Therefore, the new logic will live only on the CE app/models/issues.rb, with no EE override, and will look like this:

  def check_for_spam?
    # content created via support bots is always checked for spam, EVEN if it
    # the issue is not publicly visible
    return true if author.support_bot? && spammable_attribute_changed?

    # Only check for spam on issues which are publicly visible (and thus indexed in search engines)
    return false unless publicly_visible?

    # Only check for spam if certain attributes have changed
    spammable_attribute_changed?
  end

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

See the following section of the CAPTCHA epic for notes on how to test CAPTCHA locally: https://gitlab.com/groups/gitlab-org/-/epics/5527#testing-notes

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #16240 (closed)

Edited by Chad Woolley

Merge request reports

Loading