Bypass signup domain validation for external users

Fixes #25279

Bypass signup domain validation for external users
Fixes #25279
d9ee55ee · Reza Mohammadi · bbb7fbcd · d9ee55ee · d9ee55ee · d9ee55ee
Commit d9ee55ee authored Jan 12, 2017 by Reza Mohammadi
4 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -119,7 +119,7 @@ class User < ActiveRecord::Base
  validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
  before_validation :generate_password, on: :create
-  before_validation :signup_domain_valid?, on: :create
+  before_validation :signup_domain_valid?, on: :create, if: ->(user) { !user.created_by_id }
  before_validation :sanitize_attrs
  before_validation :set_notification_email, if: ->(user) { user.email_changed? }
  before_validation :set_public_email, if: ->(user) { user.public_email_changed? }

--- a/changelogs/unreleased/bypass-email-domain-validation-when-created-by-admin.yml
+++ b/changelogs/unreleased/bypass-email-domain-validation-when-created-by-admin.yml
+---
+title: Bypass email domain validation when a user is created by an admin.
+merge_request: 8575
+author: Reza Mohammadi @remohammadi
--- a/doc/user/admin_area/settings/sign_up_restrictions.md
+++ b/doc/user/admin_area/settings/sign_up_restrictions.md
 # Sign-up restrictions
+You can block email addresses of specific domains, or whitelist only some
+specifc domains via the **Application Settings** in the Admin area.
+>**Note**: These restrictions are only applied during sign-up. An admin is
+able to add add a user through the admin panel with a disallowed domain. Also
+note that the users can change their email addresses after signup to
+disallowed domains.
+## Whitelist email domains
+> [Introduced][ce-598] in GitLab 7.11.0
+You can restrict users to only signup using email addresses matching the given
+domains list.
 ## Blacklist email domains
 > [Introduced][ce-5259] in GitLab 8.10.
@@ -9,13 +24,16 @@ from creating an account on your GitLab server. This is particularly useful to
 prevent spam. Disposable email addresses are usually used by malicious users to
 create dummy accounts and spam issues.
+## Settings
 This feature can be activated via the **Application Settings** in the Admin area,
 and you have the option of entering the list manually, or uploading a file with
 the list.
-The blacklist accepts wildcards, so you can use `*.test.com` to block every
+Both whitelist and blacklist accept wildcards, so for example, you can use
-`test.com` subdomain, or `*.io` to block all domains ending in `.io`. Domains
+`*.company.com` to accept every `company.com` subdomain, or `*.io` to block all
-should be separated by a whitespace, semicolon, comma, or a new line.
+domains ending in `.io`. Domains should be separated by a whitespace,
+semicolon, comma, or a new line.
 ![Domain Blacklist](img/domain_blacklist.png)

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -141,6 +141,11 @@ describe User, models: true do
          user = build(:user, email: "example@test.com")
          expect(user).to be_invalid
        end
+        it 'accepts example@test.com when added by another user' do
+          user = build(:user, email: "example@test.com", created_by_id: 1)
+          expect(user).to be_valid
+        end
      end
      context 'domain blacklist' do
@@ -159,6 +164,11 @@ describe User, models: true do
            user = build(:user, email: 'info@example.com')
            expect(user).not_to be_valid
          end
+          it 'accepts info@example.com when added by another user' do
+            user = build(:user, email: 'info@example.com', created_by_id: 1)
+            expect(user).to be_valid
+          end
        end
        context 'when a signup domain is blacklisted but a wildcard subdomain is allowed' do