Commit e55a9459 authored by Vincent Fazio, committed by Drew Blessing

Set blocked Omniauth accounts to blocked_pending_approval

Previously the user state was set to `blocked` when
`block_auto_created_users` was set for a provider.

Now, the state is set to `blocked_pending_approval` so accounts can be
worked down by admins via the pending approval queue.

Changelog: changed
parent b359579d
......@@ -69,14 +69,13 @@ earlier version, you must explicitly enable it.
- `auto_link_ldap_user` can be used if you have [LDAP / ActiveDirectory](../administration/auth/ldap/index.md)
integration enabled. It defaults to `false`. When enabled, users automatically
created through an OmniAuth provider have their LDAP identity created in GitLab as well.
- `block_auto_created_users` defaults to `true`. If `true` auto created users will
be blocked by default and must be unblocked by an administrator before
they are able to sign in.
- `block_auto_created_users` defaults to `true`. If `true`, auto created users will
be blocked pending approval by an administrator before they are able to sign in.
NOTE:
If you set `block_auto_created_users` to `false`, make sure to only
define providers under `allow_single_sign_on` that you are able to control, like
SAML, Shibboleth, Crowd, or Google. Otherwise, set it to `false`, or any user on
SAML, Shibboleth, Crowd, or Google. Otherwise, set it to `true`, or any user on
the Internet can successfully sign in to your GitLab without
administrative approval.
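Review bot: The rewritten bullet (`block_auto_created_users` ... "blocked pending approval by an administrator") no longer tells the administrator where these accounts surface; the commit message says they are worked down via the pending approval queue, so this bullet should link to the pending-approval section of the user moderation docs the same way the second file in this change links back here. The NOTE fix from "set it to `false`" to "set it to `true`" is correct: the old text told the reader to disable the protection in the very sentence warning about unapproved sign-ins.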
......
......@@ -13,11 +13,12 @@ users.
## Users pending approval
A user in _pending approval_ state requires action by an administrator. A user sign up can be in a
pending approval state because an administrator has enabled either, or both, of the following
options:
pending approval state because an administrator has enabled any of the following options:
- [Require admin approval for new sign-ups](settings/sign_up_restrictions.md#require-administrator-approval-for-new-sign-ups) setting.
- [User cap](settings/sign_up_restrictions.md#user-cap).
- [Block auto-created users (OmniAuth)](../../integration/omniauth.md#initial-omniauth-configuration)
- [Block auto-created users (LDAP)](../../administration/auth/ldap/index.md#basic-configuration-settings)
When a user registers for an account while this setting is enabled:
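Review bot: The trailing context line "When a user registers for an account while this setting is enabled:" is now wrong in number: the list above grew from two options to four, and the lead-in sentence was already changed to "any of the following options", so the follow-on sentence should read "while any of these settings is enabled" (or similar) to match.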
......
......@@ -54,7 +54,7 @@ module Gitlab
Users::UpdateService.new(gl_user, user: gl_user).execute!
gl_user.block if block_after_save
gl_user.block_pending_approval if block_after_save
log.info "(#{provider}) saving user #{auth_hash.email} from login with admin => #{gl_user.admin}, extern_uid => #{auth_hash.uid}"
gl_user
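Review bot: `gl_user.block_pending_approval if block_after_save` discards the transition's return value, whereas the line above uses `Users::UpdateService ... execute!`, which raises on failure; if `block_pending_approval` can return `false` (for example when the user is not in a state the transition accepts), the account would be persisted in its prior state with no error and no log entry. Consider the bang form `block_pending_approval!`, or check the result and log it. Independently, the `log.info` line records `admin` and `extern_uid` but not whether the account was placed in pending approval; adding `block_after_save` (or the resulting state) to that message would let operators audit auto-created accounts from the log alone.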
......
......@@ -317,7 +317,7 @@ RSpec.describe OmniauthCallbacksController, type: :controller do
it 'denies sign-in if sign-up is enabled, but block_auto_created_users is set' do
post :atlassian_oauth2
expect(flash[:alert]).to start_with 'Your account has been blocked.'
expect(flash[:alert]).to start_with 'Your account is pending approval'
end
it 'accepts sign-in if sign-up is enabled' do
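Review bot: The only assertion in `'denies sign-in if sign-up is enabled, but block_auto_created_users is set'` is a `start_with` match on the flash text, so the spec would still pass if the controller showed the new message while leaving the created user in the old `blocked` state. Since the behavioural change in this commit is the stored state, add an expectation on the persisted user (for example, that the user created from the callback is in the `blocked_pending_approval` state) alongside the flash check.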
......@@ -399,7 +399,7 @@ RSpec.describe OmniauthCallbacksController, type: :controller do
it 'denies login if sign up is enabled, but block_auto_created_users is set' do
post :saml, params: { SAMLResponse: mock_saml_response }
expect(flash[:alert]).to start_with 'Your account has been blocked.'
expect(flash[:alert]).to start_with 'Your account is pending approval'
end
it 'accepts login if sign up is enabled' do
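Review bot: This SAML example is now identical to the Atlassian one above except for the `post` call and the provider-specific params, and both had to be edited in lockstep for this change; consider extracting the "denies login when `block_auto_created_users` is set" expectation into a shared example so future message or state changes are made once. The same gap applies here: assert on the created user's state, not only on the flash text.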
......