Skip to content

Update no password message shown when logged in via OAuth

What does this MR do and why?

When a user creates an account with a OmniAuth provider (Google, Facebook, etc) their account doesn't have a password set because they use the OmniAuth provider to login. This means that they can not clone a repository over HTTP(S) with a password because there isn't one set. Currently there is an alert explaining to users that they do not have a password set but it is a little confusing. This MR updates this message to hopefully make more sense. The message that is shown to users depends on the value of Allow password authentication for Git over HTTP(S) setting which is set in Admin -> Settings -> General -> Sign-in restrictions.

This MR also takes the opportunity to refactor the no password alert and the no SSH key alerts to use the app/views/shared/_global_alert.html.haml shared partial. This helps create consistency between all the global alerts in GitLab.

Screenshots or screen recordings

Allow password authentication for Git over HTTP(S) value Before After
true Screen_Shot_2021-11-01_at_1.55.14_PM Screen_Shot_2021-11-04_at_3.10.02_PM
false Screen_Shot_2021-11-01_at_1.54.30_PM Screen_Shot_2021-11-04_at_3.10.58_PM

How to set up and validate locally

Normally a user would see this alert if they created their account via an OmniAuth provider. That is a little hard to setup locally but it isn't too hard to fake for local testing.

  1. Open the rails console. bin/rails console
  2. Find a user that has access to a project by username. user = User.find_by_username('user44')
  3. Update the password_automatically_set column. user.update_column(:password_automatically_set, true)
  4. Login as an admin and navigate to /admin/users/user44. Click Impersonate in the upper right corner.
  5. Navigate to a project

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #38061 (closed)

Edited by Peter Hegman

Merge request reports

Loading