Commit a508dba7 authored by Bob Van Landuyt

Merge branch...

Merge branch '219539-project-access-tokens-returns-403-forbidden-your-account-has-been-blocked' into 'master'

Resolve "Project bot users should always have their emails confirmed by default"

See merge request gitlab-org/gitlab!35498
parents e10c146c 4d8567cd
...@@ -13,8 +13,6 @@ module ResourceAccessTokens ...@@ -13,8 +13,6 @@ module ResourceAccessTokens
return unless feature_enabled? return unless feature_enabled?
return error("User does not have permission to create #{resource_type} Access Token") unless has_permission_to_create? return error("User does not have permission to create #{resource_type} Access Token") unless has_permission_to_create?
# We skip authorization by default, since the user creating the bot is not an admin
# and project/group bot users are not created via sign-up
user = create_user user = create_user
return error(user.errors.full_messages.to_sentence) unless user.persisted? return error(user.errors.full_messages.to_sentence) unless user.persisted?
...@@ -49,6 +47,11 @@ module ResourceAccessTokens ...@@ -49,6 +47,11 @@ module ResourceAccessTokens
end end
def create_user def create_user
# Even project maintainers can create project access tokens, which in turn
# creates a bot user, and so it becomes necessary to have `skip_authorization: true`
# since someone like a project maintainer does not inherently have the ability
# to create a new user in the system.
Users::CreateService.new(current_user, default_user_params).execute(skip_authorization: true) Users::CreateService.new(current_user, default_user_params).execute(skip_authorization: true)
end end
...@@ -57,7 +60,8 @@ module ResourceAccessTokens ...@@ -57,7 +60,8 @@ module ResourceAccessTokens
name: params[:name] || "#{resource.name.to_s.humanize} bot", name: params[:name] || "#{resource.name.to_s.humanize} bot",
email: generate_email, email: generate_email,
username: generate_username, username: generate_username,
user_type: "#{resource_type}_bot".to_sym user_type: "#{resource_type}_bot".to_sym,
skip_confirmation: true # Bot users should always have their emails confirmed.
} }
end end
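Review bot: The trailing comment on `skip_confirmation: true` says what the flag does but not why bypassing email verification is acceptable for this account, which is the fact a future reader needs before anyone lets a caller-supplied email flow into these attributes. Presumably the address comes from `generate_email` and is never taken from `params`, but that method is outside the hunk, so I would state the assumption where the flag is set: `skip_confirmation: true # Bot users never authenticate via email and the address is generated by generate_email, not supplied by the caller, so there is nothing to verify`. If `generate_email` can ever be influenced by caller input, auto-confirming it would need a second look. The `default_user_params` method starts outside the hunk.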
......
---
title: Project bot users should always have their emails confirmed by default
merge_request: 35498
author:
type: fixed
...@@ -45,6 +45,27 @@ RSpec.describe ResourceAccessTokens::CreateService do ...@@ -45,6 +45,27 @@ RSpec.describe ResourceAccessTokens::CreateService do
expect(access_token.user.reload.user_type).to eq("#{resource_type}_bot") expect(access_token.user.reload.user_type).to eq("#{resource_type}_bot")
end end
context 'email confirmation status' do
shared_examples_for 'creates a user that has their email confirmed' do
it 'creates a user that has their email confirmed' do
response = subject
access_token = response.payload[:access_token]
expect(access_token.user.reload.confirmed?).to eq(true)
end
end
context 'when created by an admin' do
it_behaves_like 'creates a user that has their email confirmed' do
let(:user) { create(:admin) }
end
end
context 'when created by a non-admin' do
it_behaves_like 'creates a user that has their email confirmed'
end
end
context 'bot name' do context 'bot name' do
context 'when no value is passed' do context 'when no value is passed' do
it 'uses default value' do it 'uses default value' do
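Review bot: The shared example compares a predicate to a literal, `expect(access_token.user.reload.confirmed?).to eq(true)`; RSpec's predicate matcher reads better and yields a clearer failure message, `expect(access_token.user.reload).to be_confirmed`. The non-admin context relies on a `let(:user)` defined outside this hunk, so whether that user is actually a non-admin cannot be confirmed from here; adding `let(:user) { create(:user) }` inside it, mirroring the admin context, would make the contrast explicit. The enclosing describe block starts and ends outside the hunk.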
......