External Users

The user has the rights of a public user execpt it can never create a project, group, or team. Also it cant view internal projects.

External Users
The user has the rights of a public user execpt it can never create a project, group, or team. Also it cant view internal projects.
42fcd388 · Zeger-Jan van de Weg · 065de4ab · 42fcd388 · 42fcd388 · 42fcd388
Commit 42fcd388 authored Mar 10, 2016 by Zeger-Jan van de Weg
15 changed files
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -150,7 +150,7 @@ class Admin::UsersController < Admin::ApplicationController
      :email, :remember_me, :bio, :name, :username,
      :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
      :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key, :hide_no_password,
-      :projects_limit, :can_create_group, :admin, :key_id
+      :projects_limit, :can_create_group, :admin, :key_id, :external
    )
  end


--- a/app/finders/projects_finder.rb
+++ b/app/finders/projects_finder.rb
@@ -51,13 +51,12 @@ class ProjectsFinder
  end

  def all_projects(current_user)
-    if current_user
-      [
-        current_user.authorized_projects,
-        public_and_internal_projects
-      ]
+    return [Project.public_only] unless current_user
+
+    if current_user.external?
+      [current_user.authorized_projects, public_projects]
    else
-      [Project.public_only]
+      [current_user.authorized_projects, public_and_internal_projects]
    end
  end


--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -109,23 +109,10 @@ class Ability
      key = "/user/#{user.id}/project/#{project.id}"

      RequestStore.store[key] ||= begin
-        team = project.team
+        # Push abilities on the users team role
+        rules.push(*project_team_rules(project.team, user))

-        # Rules based on role in project
-        if team.master?(user)
-          rules.push(*project_master_rules)
-
-        elsif team.developer?(user)
-          rules.push(*project_dev_rules)
-
-        elsif team.reporter?(user)
-          rules.push(*project_report_rules)
-
-        elsif team.guest?(user)
-          rules.push(*project_guest_rules)
-        end
-
-        if project.public? || project.internal?
+        if project.public? || (project.internal? && !user.external?)
          rules.push(*public_project_rules)

          # Allow to read builds for internal projects
@@ -148,6 +135,19 @@ class Ability
      end
    end

+    def project_team_rules(team, user)
+      # Rules based on role in project
+      if team.master?(user)
+        project_master_rules
+      elsif team.developer?(user)
+        project_dev_rules
+      elsif team.reporter?(user)
+        project_report_rules
+      elsif team.guest?(user)
+        project_guest_rules
+      end
+    end
+
    def public_project_rules
      @public_project_rules ||= project_guest_rules + [
        :download_code,
@@ -356,7 +356,7 @@ class Ability
        ]
      end

-      if snippet.public? || snippet.internal?
+      if snippet.public? || (snippet.internal? && !user.external?)
        rules << :read_personal_snippet
      end


--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -59,6 +59,7 @@
 #  hide_project_limit          :boolean          default(FALSE)
 #  unlock_token                :string
 #  otp_grace_period_started_at :datetime
+#  external                    :boolean           default(FALSE)
 #

 require 'carrierwave/orm/activerecord'
@@ -77,6 +78,7 @@ class User < ActiveRecord::Base
  add_authentication_token_field :authentication_token

  default_value_for :admin, false
+  default_value_for :external, false
  default_value_for :can_create_group, gitlab_config.default_can_create_group
  default_value_for :can_create_team, false
  default_value_for :hide_no_ssh_key, false
@@ -179,6 +181,7 @@ class User < ActiveRecord::Base

  after_update :update_emails_with_primary_email, if: ->(user) { user.email_changed? }
  before_save :ensure_authentication_token
+  before_save :ensure_external_user_rights
  after_save :ensure_namespace_correct
  after_initialize :set_projects_limit
  after_create :post_create_hook
@@ -848,4 +851,13 @@ class User < ActiveRecord::Base
  def send_devise_notification(notification, *args)
    devise_mailer.send(notification, self, *args).deliver_later
  end
+
+  def ensure_external_user_rights
+    return unless self.external?
+
+    self.can_create_team    = false
+    self.can_create_group   = false
+    self.projects_limit     = 0
+    self.hide_project_limit = true
+  end
 end
--- a/app/views/admin/users/_form.html.haml
+++ b/app/views/admin/users/_form.html.haml
@@ -61,6 +61,11 @@
          .col-sm-10 You cannot remove your own admin rights
        - else
          .col-sm-10= f.check_box :admin
+
+      .form-group
+        = f.label :external, class: 'control-label'
+        .col-sm-10= f.check_box :external
+
    %fieldset
      %legend Profile
      .form-group

--- a/app/views/admin/users/show.html.haml
+++ b/app/views/admin/users/show.html.haml
@@ -47,6 +47,10 @@
            - else
              Disabled

+        %li
+          %span.light External User:
+          %strong
+            = @user.external? ? "Yes" : "No"
        %li
          %span.light Can create groups:
          %strong

--- a/db/migrate/20160310185910_add_external_flag_to_users.rb
+++ b/db/migrate/20160310185910_add_external_flag_to_users.rb
+class AddExternalFlagToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :external, :boolean, default: false
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20160309140734) do
+ActiveRecord::Schema.define(version: 20160310185910) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -929,6 +929,7 @@ ActiveRecord::Schema.define(version: 20160309140734) do
    t.string   "unlock_token"
    t.datetime "otp_grace_period_started_at"
    t.boolean  "ldap_email",                  default: false, null: false
+    t.boolean  "external",                    default: false
  end

  add_index "users", ["admin"], name: "index_users_on_admin", using: :btree

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -61,19 +61,20 @@ module API
      #   admin                             - User is admin - true or false (default)
      #   can_create_group                  - User can create groups - true or false
      #   confirm                           - Require user confirmation - true (default) or false
+      #   external                          - Is user an external user - true or false(default)
      # Example Request:
      #   POST /users
      post do
        authenticated_as_admin!
        required_attributes! [:email, :password, :name, :username]
-        attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :bio, :can_create_group, :admin, :confirm]
+        attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :bio, :can_create_group, :admin, :confirm, :external]
        admin = attrs.delete(:admin)
        confirm = !(attrs.delete(:confirm) =~ (/(false|f|no|0)$/i))
        user = User.build_user(attrs)
        user.admin = admin unless admin.nil?
        user.skip_confirmation! unless confirm
-
        identity_attrs = attributes_for_keys [:provider, :extern_uid]
+
        if identity_attrs.any?
          user.identities.build(identity_attrs)
        end

--- a/spec/features/security/project/internal_access_spec.rb
+++ b/spec/features/security/project/internal_access_spec.rb
@@ -34,6 +34,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -45,6 +46,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -56,6 +58,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -67,6 +70,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -78,6 +82,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -89,22 +94,21 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/blob" do
-    before do
-      commit = project.repository.commit
-      path = '.gitignore'
-      @blob_path = namespace_project_blob_path(project.namespace, project, File.join(commit.id, path))
-    end
+    let(:commit) { project.repository.commit }
+    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }

-    it { expect(@blob_path).to be_allowed_for master }
-    it { expect(@blob_path).to be_allowed_for reporter }
-    it { expect(@blob_path).to be_allowed_for :admin }
-    it { expect(@blob_path).to be_allowed_for guest }
-    it { expect(@blob_path).to be_allowed_for :user }
-    it { expect(@blob_path).to be_denied_for :visitor }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/edit" do
@@ -115,6 +119,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -126,6 +131,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -137,6 +143,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -149,6 +156,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -160,6 +168,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -171,6 +180,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -182,6 +192,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -193,6 +204,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -209,6 +221,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -225,6 +238,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -236,6 +250,7 @@ describe "Internal Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end
 end
--- a/spec/features/security/project/private_access_spec.rb
+++ b/spec/features/security/project/private_access_spec.rb
@@ -34,6 +34,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -45,6 +46,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -56,6 +58,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -78,6 +81,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -89,22 +93,21 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/blob" do
-    before do
-      commit = project.repository.commit
-      path = '.gitignore'
-      @blob_path = namespace_project_blob_path(project.namespace, project, File.join(commit.id, path))
-    end
+    let(:commit) { project.repository.commit }
+    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore'))}

-    it { expect(@blob_path).to be_allowed_for master }
-    it { expect(@blob_path).to be_allowed_for reporter }
-    it { expect(@blob_path).to be_allowed_for :admin }
-    it { expect(@blob_path).to be_denied_for guest }
-    it { expect(@blob_path).to be_denied_for :user }
-    it { expect(@blob_path).to be_denied_for :visitor }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
  end

  describe "GET /:project_path/edit" do
@@ -115,6 +118,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -126,6 +130,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -137,6 +142,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -149,6 +155,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -160,6 +167,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -171,6 +179,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -187,6 +196,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -203,6 +213,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -214,6 +225,7 @@ describe "Private Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end
 end
--- a/spec/features/security/project/public_access_spec.rb
+++ b/spec/features/security/project/public_access_spec.rb
@@ -38,6 +38,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -49,6 +50,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -60,6 +62,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -71,6 +74,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -82,6 +86,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -93,6 +98,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -107,6 +113,7 @@ describe "Public Project Access", feature: true  do
      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_allowed_for guest }
      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :external }
      it { is_expected.to be_allowed_for :visitor }
    end

@@ -118,6 +125,7 @@ describe "Public Project Access", feature: true  do
      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_denied_for guest }
      it { is_expected.to be_denied_for :user }
+      it { is_expected.to be_denied_for :external }
      it { is_expected.to be_denied_for :visitor }
    end
  end
@@ -135,6 +143,7 @@ describe "Public Project Access", feature: true  do
      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_allowed_for guest }
      it { is_expected.to be_allowed_for :user }
+      it { is_expected.to be_allowed_for :external }
      it { is_expected.to be_allowed_for :visitor }
    end

@@ -146,23 +155,22 @@ describe "Public Project Access", feature: true  do
      it { is_expected.to be_allowed_for :admin }
      it { is_expected.to be_denied_for guest }
      it { is_expected.to be_denied_for :user }
+      it { is_expected.to be_denied_for :external }
      it { is_expected.to be_denied_for :visitor }
    end
  end

  describe "GET /:project_path/blob" do
-    before do
-      commit = project.repository.commit
-      path = '.gitignore'
-      @blob_path = namespace_project_blob_path(project.namespace, project, File.join(commit.id, path))
-    end
+    let(:commit) { project.repository.commit }
+
+    subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }

-    it { expect(@blob_path).to be_allowed_for master }
-    it { expect(@blob_path).to be_allowed_for reporter }
-    it { expect(@blob_path).to be_allowed_for :admin }
-    it { expect(@blob_path).to be_allowed_for guest }
-    it { expect(@blob_path).to be_allowed_for :user }
-    it { expect(@blob_path).to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :visitor }
  end

  describe "GET /:project_path/edit" do
@@ -173,6 +181,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -184,6 +193,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -195,6 +205,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -207,6 +218,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -218,6 +230,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -229,6 +242,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -240,6 +254,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -251,6 +266,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end

@@ -267,6 +283,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -283,6 +300,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_allowed_for guest }
    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
    it { is_expected.to be_allowed_for :visitor }
  end

@@ -294,6 +312,7 @@ describe "Public Project Access", feature: true  do
    it { is_expected.to be_allowed_for :admin }
    it { is_expected.to be_denied_for guest }
    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
    it { is_expected.to be_denied_for :visitor }
  end
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -206,6 +206,21 @@ describe User, models: true do
    it { is_expected.to respond_to(:is_admin?) }
    it { is_expected.to respond_to(:name) }
    it { is_expected.to respond_to(:private_token) }
+    it { is_expected.to respond_to(:external?) }
+  end
+
+  describe 'before save hook' do
+    context 'when saving an external user' do
+      let(:user)          { create(:user) }
+      let(:external_user) { create(:user, external: true) }
+
+      it "sets other properties aswell" do
+        expect(external_user.can_create_team).to be_falsey
+        expect(external_user.can_create_group).to be_falsey
+        expect(external_user.hide_project_limit).to be_truthy
+        expect(external_user.projects_limit).to be 0
+      end
+    end
  end

  describe '#confirm' do
@@ -430,6 +445,7 @@ describe User, models: true do
        expect(user.projects_limit).to eq(Gitlab.config.gitlab.default_projects_limit)
        expect(user.can_create_group).to eq(Gitlab.config.gitlab.default_can_create_group)
        expect(user.theme_id).to eq(Gitlab.config.gitlab.default_theme)
+        expect(user.external).to be_falsey
      end
    end


--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -120,6 +120,26 @@ describe API::API, api: true  do
      expect(response.status).to eq(201)
    end

+    it 'creates non-external users by default' do
+      post api("/users", admin), attributes_for(:user)
+      expect(response.status).to eq(201)
+
+      user_id = json_response['id']
+      new_user = User.find(user_id)
+      expect(new_user).not_to eq nil
+      expect(new_user.external).to be_falsy
+    end
+
+    it 'should allow an external user to be created' do
+      post api("/users", admin), attributes_for(:user, external: true)
+      expect(response.status).to eq(201)
+
+      user_id = json_response['id']
+      new_user = User.find(user_id)
+      expect(new_user).not_to eq nil
+      expect(new_user.external).to be_truthy
+    end
+
    it "should not create user with invalid email" do
      post api('/users', admin),
        email: 'invalid email',

--- a/spec/support/matchers/access_matchers.rb
+++ b/spec/support/matchers/access_matchers.rb
@@ -15,6 +15,8 @@ module AccessMatchers
      logout
    when :admin
      login_as(create(:admin))
+    when :external
+      login_as(create(:user, external: true))
    when User
      login_as(user)
    else