Prevent user exists route when GitLab instance doesn't allow registration (!78490) · Merge requests · GitLab.org / GitLab

Gary Holtz requested to merge 349706-the-users-username-exists-action-shouldn-t-be-available-when-gitlab-instance-doesn-t-allow into master Jan 18, 2022

What does this MR do and why?

This adds a conditional to the /users/:username/exists that prevents access when a GitLab instance has registration disabled.

This is a security issue, but low priority and can be fixed in the canonical repo as mentioned here: #349706 (comment 803477846)

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Related to #349706 (closed)

Edited Jan 18, 2022 by Gary Holtz

Prevent user exists route when GitLab instance doesn't allow registration

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports