Fix allowlist bug that prevented project access token creation

eb0fbb28 · Serena Fang · James Lopez · a53ff11f · eb0fbb28 · eb0fbb28
Commit eb0fbb28 authored Oct 22, 2020 by Serena Fang Committed by James Lopez Oct 22, 2020
4 changed files
--- a/ee/app/models/ee/group_member.rb
+++ b/ee/app/models/ee/group_member.rb
@@ -38,6 +38,8 @@ module EE

    def group_domain_limitations
      if user
+        return if user.project_bot?
+
        validate_users_email
        validate_email_verified
      else

--- a/ee/app/models/ee/project_team.rb
+++ b/ee/app/models/ee/project_team.rb
@@ -14,7 +14,9 @@ module EE

    override :add_user
    def add_user(user, access_level, current_user: nil, expires_at: nil)
-      return false if group_member_lock
+      if group_member_lock && !user.project_bot?
+        return false
+      end

      super
    end

--- a/ee/spec/models/group_member_spec.rb
+++ b/ee/spec/models/group_member_spec.rb
@@ -43,6 +43,18 @@ RSpec.describe GroupMember do
          expect(group_member.errors[:user]).to include("email 'unverified@gitlab.com' is not a verified email.")
        end

+        context 'with project bot users' do
+          let_it_be(:project_bot) { create(:user, :project_bot, email: "bot@example.com") }
+
+          it 'bot user email does not match' do
+            expect(group.allowed_email_domains.include?(project_bot.email)).to be_falsey
+          end
+
+          it 'allows the project bot user' do
+            expect(build(:group_member, group: group, user: project_bot)).to be_valid
+          end
+        end
+
        context 'with group SAML users' do
          let(:saml_provider) { create(:saml_provider, group: group) }


--- a/ee/spec/models/project_team_spec.rb
+++ b/ee/spec/models/project_team_spec.rb
@@ -35,7 +35,17 @@ RSpec.describe ProjectTeam do
      it 'does not add the given user to the team' do
        project.team.add_user(user, :reporter)

-        expect(project.team.reporter?(user)).to be(false)
+        expect(project.members.map(&:user)).not_to include(user)
+      end
+
+      context 'project bot user' do
+        let_it_be(:project_bot) { create(:user, :project_bot) }
+
+        it 'adds the project bot user to the team' do
+          project.team.add_user(project_bot, :maintainer)
+
+          expect(project.members.map(&:user)).to include(project_bot)
+        end
      end
    end
  end