Merge branch...

Merge branch 'security-fix-bypass-email-verification-on-scim-user-creation-via-api-ee' into 'master' Security fix bypass email verification on scim user creation via api ee See merge request gitlab/gitlab-ee!1040

Merge branch...
Merge branch 'security-fix-bypass-email-verification-on-scim-user-creation-via-api-ee' into 'master' Security fix bypass email verification on scim user creation via api ee See merge request gitlab/gitlab-ee!1040
3b97460e · GitLab Release Tools Bot · 60891ae9 · dfced477 · 3b97460e · 3b97460e
Commit 3b97460e authored Jul 26, 2019 by GitLab Release Tools Bot
3 changed files
--- a/ee/changelogs/unreleased/security-fix-bypass-email-verification-on-scim-user-creation-via-api-ee.yml
+++ b/ee/changelogs/unreleased/security-fix-bypass-email-verification-on-scim-user-creation-via-api-ee.yml
+---
+title: Fix bypass email verification when SCIM user is created via API
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/gitlab/scim/provisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/provisioning_service.rb
@@ -8,7 +8,7 @@ module EE

        IDENTITY_PROVIDER = 'group_saml'
        PASSWORD_AUTOMATICALLY_SET = true
-        SKIP_EMAIL_CONFIRMATION = true
+        SKIP_EMAIL_CONFIRMATION = false
        DEFAULT_ACCESS = :guest

        def initialize(group, parsed_hash)

--- a/ee/spec/lib/ee/gitlab/scim/provisioning_service_spec.rb
+++ b/ee/spec/lib/ee/gitlab/scim/provisioning_service_spec.rb
@@ -44,6 +44,15 @@ describe ::EE::Gitlab::Scim::ProvisioningService do
        expect(User.find_by(service_params.except(:extern_uid))).to be_a(User)
      end

+      it 'user record requires confirmation' do
+        service.execute
+
+        user = User.find_by(email: service_params[:email])
+
+        expect(user).to be_present
+        expect(user).not_to be_confirmed
+      end
+
      context 'existing user' do
        before do
          create(:user, email: 'work@example.com')