Merge branch 'nicolasdular/confirm-email-before-ci-usage' into 'master'

Confirm email before ci usage

See merge request gitlab-org/gitlab!19783

app/controllers/concerns/confirm_email_warning.rb

@@ -19,7 +19,7 @@ module ConfirmEmailWarning
 
     email = current_user.unconfirmed_email || current_user.email
 
-    flash.now[:warning] = _("Please check your email (%{email}) to verify that you own this address. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}.").html_safe % {
+    flash.now[:warning] = _("Please check your email (%{email}) to verify that you own this address and unlock the power of CI/CD. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}.").html_safe % {
       email: email,
       resend_link: view_context.link_to(_('Resend it'), user_confirmation_path(user: { email: email }), method: :post),
       update_link: view_context.link_to(_('Update it'), profile_path)

app/policies/project_policy.rb

@@ -117,6 +117,10 @@ class ProjectPolicy < BasePolicy
     !@subject.builds_enabled?
   end
 
+  condition(:user_confirmed?) do
+    @user && @user.confirmed?
+  end
+
   features = %w[
     merge_requests
     issues
@@ -249,10 +253,7 @@ class ProjectPolicy < BasePolicy
     enable :update_commit_status
     enable :create_build
     enable :update_build
-    enable :create_pipeline
-    enable :update_pipeline
     enable :read_pipeline_schedule
-    enable :create_pipeline_schedule
     enable :create_merge_request_from
     enable :create_wiki
     enable :push_code
@@ -267,6 +268,12 @@ class ProjectPolicy < BasePolicy
     enable :update_release
   end
 
+  rule { can?(:developer_access) & user_confirmed? }.policy do
+    enable :create_pipeline
+    enable :update_pipeline
+    enable :create_pipeline_schedule
+  end
+
   rule { can?(:maintainer_access) }.policy do
     enable :admin_board
     enable :push_to_delete_protected_branch
@@ -418,7 +425,7 @@ class ProjectPolicy < BasePolicy
 
   # These rules are included to allow maintainers of projects to push to certain
   # to run pipelines for the branches they have access to.
-  rule { can?(:public_access) & has_merge_requests_allowing_pushes }.policy do
+  rule { can?(:public_access) & has_merge_requests_allowing_pushes & user_confirmed? }.policy do
     enable :create_build
     enable :create_pipeline
   end

changelogs/unreleased/nicolasdular-confirm-email-before-ci-usage.yml

+---
+title: Only allow confirmed users to run pipelines
+merge_request:
+author:
+type: fixed

locale/gitlab.pot

@@ -12205,7 +12205,7 @@ msgstr ""
 msgid "Please check the configuration file to ensure that it is available and the YAML is valid"
 msgstr ""
 
-msgid "Please check your email (%{email}) to verify that you own this address. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}."
+msgid "Please check your email (%{email}) to verify that you own this address and unlock the power of CI/CD. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}."
 msgstr ""
 
 msgid "Please choose a group URL with no special characters."

spec/controllers/concerns/confirm_email_warning_spec.rb

@@ -19,7 +19,7 @@ describe ConfirmEmailWarning do
 
   RSpec::Matchers.define :set_confirm_warning_for do |email|
     match do |response|
-      expect(response).to set_flash.now[:warning].to include("Please check your email (#{email}) to verify that you own this address.")
+      expect(response).to set_flash.now[:warning].to include("Please check your email (#{email}) to verify that you own this address and unlock the power of CI/CD.")
     end
   end
 

spec/features/users/login_spec.rb

@@ -806,7 +806,7 @@ describe 'Login' do
       gitlab_sign_in(user)
 
       expect(current_path).to eq root_path
-      expect(page).to have_content("Please check your email (#{user.email}) to verify that you own this address.")
+      expect(page).to have_content("Please check your email (#{user.email}) to verify that you own this address and unlock the power of CI/CD.")
     end
 
     context "when not having confirmed within Devise's allow_unconfirmed_access_for time" do

spec/features/users/signup_spec.rb

@@ -222,7 +222,7 @@ shared_examples 'Signup' do
             expect(current_path).to eq users_sign_up_welcome_path
           else
             expect(current_path).to eq dashboard_projects_path
-            expect(page).to have_content("Please check your email (#{new_user.email}) to verify that you own this address.")
+            expect(page).to have_content("Please check your email (#{new_user.email}) to verify that you own this address and unlock the power of CI/CD.")
           end
         end
       end

spec/policies/project_policy_spec.rb

@@ -315,6 +315,31 @@ describe ProjectPolicy do
     end
   end
 
+  context 'pipeline feature' do
+    let(:project) { create(:project) }
+
+    describe 'for unconfirmed user' do
+      let(:unconfirmed_user) { create(:user, confirmed_at: nil) }
+      subject { described_class.new(unconfirmed_user, project) }
+
+      it 'disallows to modify pipelines' do
+        expect_disallowed(:create_pipeline)
+        expect_disallowed(:update_pipeline)
+        expect_disallowed(:create_pipeline_schedule)
+      end
+    end
+
+    describe 'for confirmed user' do
+      subject { described_class.new(developer, project) }
+
+      it 'allows modify pipelines' do
+        expect_allowed(:create_pipeline)
+        expect_allowed(:update_pipeline)
+        expect_allowed(:create_pipeline_schedule)
+      end
+    end
+  end
+
   context 'builds feature' do
     context 'when builds are disabled' do
       subject { described_class.new(owner, project) }