Commit 88365615 authored by Vitali Tatarintev's avatar Vitali Tatarintev

Merge branch '267568-user-admin-approval-default-for-new-instances' into 'master'

User admin approval - Default for new instances

See merge request gitlab-org/gitlab!46937
parents feea6edb be5e72dd
...@@ -120,7 +120,7 @@ module ApplicationSettingImplementation ...@@ -120,7 +120,7 @@ module ApplicationSettingImplementation
repository_checks_enabled: true, repository_checks_enabled: true,
repository_storages_weighted: { default: 100 }, repository_storages_weighted: { default: 100 },
repository_storages: ['default'], repository_storages: ['default'],
require_admin_approval_after_user_signup: false, require_admin_approval_after_user_signup: true,
require_two_factor_authentication: false, require_two_factor_authentication: false,
restricted_visibility_levels: Settings.gitlab['restricted_visibility_levels'], restricted_visibility_levels: Settings.gitlab['restricted_visibility_levels'],
rsa_key_restriction: 0, rsa_key_restriction: 0,
......
---
title: Admin approval required on user registration by default
merge_request: 46937
author:
type: changed
# frozen_string_literal: true
class AddDefaultTrueRequireAdminApprovalAfterUserSignupToApplicationSettings < ActiveRecord::Migration[6.0]
DOWNTIME = false
def change
change_column_default :application_settings, :require_admin_approval_after_user_signup, from: false, to: true
end
end
07160ee3c92e68273042df979640c3927abbb187f79e1a4645471e28061e1c2c
\ No newline at end of file
...@@ -9324,7 +9324,7 @@ CREATE TABLE application_settings ( ...@@ -9324,7 +9324,7 @@ CREATE TABLE application_settings (
gitpod_enabled boolean DEFAULT false NOT NULL, gitpod_enabled boolean DEFAULT false NOT NULL,
gitpod_url text DEFAULT 'https://gitpod.io/'::text, gitpod_url text DEFAULT 'https://gitpod.io/'::text,
abuse_notification_email character varying, abuse_notification_email character varying,
require_admin_approval_after_user_signup boolean DEFAULT false NOT NULL, require_admin_approval_after_user_signup boolean DEFAULT true NOT NULL,
help_page_documentation_base_url text, help_page_documentation_base_url text,
automatic_purchased_storage_allocation boolean DEFAULT false NOT NULL, automatic_purchased_storage_allocation boolean DEFAULT false NOT NULL,
encrypted_ci_jwt_signing_key text, encrypted_ci_jwt_signing_key text,
......
...@@ -27,9 +27,10 @@ To disable sign ups: ...@@ -27,9 +27,10 @@ To disable sign ups:
## Require administrator approval for new sign ups ## Require administrator approval for new sign ups
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4491) in GitLab 13.5. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4491) in GitLab 13.5.
> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/267568) in GitLab 13.6.
When this setting is enabled, any user visiting your GitLab domain and signing up for a new account must be explicitly [approved](../approving_users.md#approving-a-user) by an administrator before they can start using their account. This setting is only applicable if sign ups are enabled. When this setting is enabled, any user visiting your GitLab domain and signing up for a new account must be explicitly [approved](../approving_users.md#approving-a-user) by an administrator before they can start using their account. This setting is enabled by default for newly created instances. This setting is only applicable if sign ups are enabled.
To require administrator approval for new sign ups: To require administrator approval for new sign ups:
......
...@@ -10,6 +10,7 @@ RSpec.describe 'Group or Project invitations' do ...@@ -10,6 +10,7 @@ RSpec.describe 'Group or Project invitations' do
let(:dev_env_or_com) { true } let(:dev_env_or_com) { true }
before do before do
stub_application_setting(require_admin_approval_after_user_signup: false)
allow(::Gitlab).to receive(:dev_env_or_com?).and_return(dev_env_or_com) allow(::Gitlab).to receive(:dev_env_or_com?).and_return(dev_env_or_com)
visit invite_path(group_invite.raw_invite_token) visit invite_path(group_invite.raw_invite_token)
...@@ -55,4 +56,17 @@ RSpec.describe 'Group or Project invitations' do ...@@ -55,4 +56,17 @@ RSpec.describe 'Group or Project invitations' do
expect(page).not_to have_content('My company or team') expect(page).not_to have_content('My company or team')
end end
end end
context 'with admin approval on sign-up enabled' do
before do
stub_application_setting(require_admin_approval_after_user_signup: true)
end
it 'does not sign the user in' do
fill_in_sign_up_form(new_user)
expect(current_path).to eq(new_user_session_path)
expect(page).to have_content('You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator.')
end
end
end end
...@@ -5,6 +5,10 @@ require 'spec_helper' ...@@ -5,6 +5,10 @@ require 'spec_helper'
RSpec.describe 'Signup on EE' do RSpec.describe 'Signup on EE' do
let(:new_user) { build_stubbed(:user) } let(:new_user) { build_stubbed(:user) }
before do
stub_application_setting(require_admin_approval_after_user_signup: false)
end
def fill_in_signup_form def fill_in_signup_form
fill_in 'new_user_username', with: new_user.username fill_in 'new_user_username', with: new_user.username
fill_in 'new_user_email', with: new_user.email fill_in 'new_user_email', with: new_user.email
......
...@@ -5,6 +5,10 @@ require 'spec_helper' ...@@ -5,6 +5,10 @@ require 'spec_helper'
RSpec.describe 'Trial Sign Up' do RSpec.describe 'Trial Sign Up' do
let(:user_attrs) { attributes_for(:user, first_name: 'GitLab', last_name: 'GitLab') } let(:user_attrs) { attributes_for(:user, first_name: 'GitLab', last_name: 'GitLab') }
before do
stub_application_setting(require_admin_approval_after_user_signup: false)
end
describe 'on GitLab.com' do describe 'on GitLab.com' do
before do before do
allow(Gitlab).to receive(:com?).and_return(true).at_least(:once) allow(Gitlab).to receive(:com?).and_return(true).at_least(:once)
......
...@@ -18,15 +18,13 @@ module QA ...@@ -18,15 +18,13 @@ module QA
end end
def sign_up!(user) def sign_up!(user)
signed_in = retry_until(raise_on_failure: false) do
fill_element :new_user_first_name_field, user.first_name fill_element :new_user_first_name_field, user.first_name
fill_element :new_user_last_name_field, user.last_name fill_element :new_user_last_name_field, user.last_name
fill_element :new_user_username_field, user.username fill_element :new_user_username_field, user.username
fill_element :new_user_email_field, user.email fill_element :new_user_email_field, user.email
fill_element :new_user_password_field, user.password fill_element :new_user_password_field, user.password
signed_in = retry_until do
click_element :new_user_register_button if has_element?(:new_user_register_button) click_element :new_user_register_button if has_element?(:new_user_register_button)
click_element :get_started_button if has_element?(:get_started_button) click_element :get_started_button if has_element?(:get_started_button)
Page::Main::Menu.perform(&:has_personal_area?) Page::Main::Menu.perform(&:has_personal_area?)
......
...@@ -33,7 +33,7 @@ module QA ...@@ -33,7 +33,7 @@ module QA
def api_client def api_client
@api_client ||= Runtime::API::Client.as_admin @api_client ||= Runtime::API::Client.as_admin
rescue AuthorizationError => e rescue API::Client::AuthorizationError => e
raise "Administrator access is required to set application settings. #{e.message}" raise "Administrator access is required to set application settings. #{e.message}"
end end
end end
......
...@@ -8,7 +8,7 @@ module QA ...@@ -8,7 +8,7 @@ module QA
module Env module Env
extend self extend self
attr_writer :personal_access_token, :ldap_username, :ldap_password attr_writer :personal_access_token
ENV_VARIABLES = Gitlab::QA::Runtime::Env::ENV_VARIABLES ENV_VARIABLES = Gitlab::QA::Runtime::Env::ENV_VARIABLES
...@@ -293,6 +293,11 @@ module QA ...@@ -293,6 +293,11 @@ module QA
@ldap_username ||= ENV['GITLAB_LDAP_USERNAME'] @ldap_username ||= ENV['GITLAB_LDAP_USERNAME']
end end
def ldap_username=(ldap_username)
@ldap_username = ldap_username # rubocop:disable Gitlab/ModuleWithInstanceVariables
ENV['GITLAB_LDAP_USERNAME'] = ldap_username
end
def ldap_password def ldap_password
@ldap_password ||= ENV['GITLAB_LDAP_PASSWORD'] @ldap_password ||= ENV['GITLAB_LDAP_PASSWORD']
end end
......
...@@ -13,11 +13,39 @@ module QA ...@@ -13,11 +13,39 @@ module QA
end end
end end
RSpec.describe 'Manage', :skip_signup_disabled do RSpec.describe 'Manage', :skip_signup_disabled, :requires_admin do
describe 'while LDAP is enabled', :orchestrated, :ldap_no_tls, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/935' do
before do
# When LDAP is enabled, a previous test might have created a token for the LDAP 'tanuki' user who is not an admin
# So we need to set it to nil in order to create a new token for admin user so that we are able to set_application_settings
# Also, when GITLAB_LDAP_USERNAME is provided, it is used to create a token. This also needs to be set to nil temporarily
# for the same reason as above.
@personal_access_token = Runtime::Env.personal_access_token
Runtime::Env.personal_access_token = nil
ldap_username = Runtime::Env.ldap_username
Runtime::Env.ldap_username = nil
disable_require_admin_approval_after_user_signup
Runtime::Env.ldap_username = ldap_username
end
it_behaves_like 'registration and login'
after do
Runtime::Env.personal_access_token = @personal_access_token
end
end
describe 'standard', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/936' do describe 'standard', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/936' do
before(:all) do
disable_require_admin_approval_after_user_signup
end
it_behaves_like 'registration and login' it_behaves_like 'registration and login'
context 'when user account is deleted', :requires_admin do context 'when user account is deleted' do
let(:user) do let(:user) do
Resource::User.fabricate_via_api! do |resource| Resource::User.fabricate_via_api! do |resource|
resource.api_client = admin_api_client resource.api_client = admin_api_client
...@@ -61,11 +89,10 @@ module QA ...@@ -61,11 +89,10 @@ module QA
end end
end end
end end
end
RSpec.describe 'Manage', :orchestrated, :ldap_no_tls, :skip_signup_disabled do def disable_require_admin_approval_after_user_signup
describe 'while LDAP is enabled', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/935' do Runtime::ApplicationSettings.set_application_settings(require_admin_approval_after_user_signup: false)
it_behaves_like 'registration and login' sleep 10 # It takes a moment for the setting to come into effect
end end
end end
end end
...@@ -7,6 +7,7 @@ RSpec.describe RegistrationsController do ...@@ -7,6 +7,7 @@ RSpec.describe RegistrationsController do
before do before do
stub_feature_flags(invisible_captcha: false) stub_feature_flags(invisible_captcha: false)
stub_application_setting(require_admin_approval_after_user_signup: false)
end end
describe '#new' do describe '#new' do
...@@ -76,10 +77,6 @@ RSpec.describe RegistrationsController do ...@@ -76,10 +77,6 @@ RSpec.describe RegistrationsController do
end end
context 'when the `require_admin_approval_after_user_signup` setting is turned off' do context 'when the `require_admin_approval_after_user_signup` setting is turned off' do
before do
stub_application_setting(require_admin_approval_after_user_signup: false)
end
it 'signs up the user in `active` state' do it 'signs up the user in `active` state' do
subject subject
created_user = User.find_by(email: 'new@user.com') created_user = User.find_by(email: 'new@user.com')
......
...@@ -10,6 +10,7 @@ RSpec.describe 'Group or Project invitations', :aggregate_failures do ...@@ -10,6 +10,7 @@ RSpec.describe 'Group or Project invitations', :aggregate_failures do
let(:group_invite) { group.group_members.invite.last } let(:group_invite) { group.group_members.invite.last }
before do before do
stub_application_setting(require_admin_approval_after_user_signup: false)
project.add_maintainer(owner) project.add_maintainer(owner)
group.add_owner(owner) group.add_owner(owner)
group.add_developer('user@example.com', owner) group.add_developer('user@example.com', owner)
...@@ -97,6 +98,21 @@ RSpec.describe 'Group or Project invitations', :aggregate_failures do ...@@ -97,6 +98,21 @@ RSpec.describe 'Group or Project invitations', :aggregate_failures do
click_link 'Register now' click_link 'Register now'
end end
context 'with admin appoval required enabled' do
before do
stub_application_setting(require_admin_approval_after_user_signup: true)
end
let(:send_email_confirmation) { true }
it 'does not sign the user in' do
fill_in_sign_up_form(new_user)
expect(current_path).to eq(new_user_session_path)
expect(page).to have_content('You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator')
end
end
context 'email confirmation disabled' do context 'email confirmation disabled' do
let(:send_email_confirmation) { false } let(:send_email_confirmation) { false }
......
...@@ -43,6 +43,10 @@ end ...@@ -43,6 +43,10 @@ end
RSpec.describe 'Signup' do RSpec.describe 'Signup' do
include TermsHelper include TermsHelper
before do
stub_application_setting(require_admin_approval_after_user_signup: false)
end
let(:new_user) { build_stubbed(:user) } let(:new_user) { build_stubbed(:user) }
def fill_in_signup_form def fill_in_signup_form
...@@ -228,6 +232,22 @@ RSpec.describe 'Signup' do ...@@ -228,6 +232,22 @@ RSpec.describe 'Signup' do
expect(current_path).to eq users_sign_up_welcome_path expect(current_path).to eq users_sign_up_welcome_path
end end
end end
context 'with required admin approval enabled' do
before do
stub_application_setting(require_admin_approval_after_user_signup: true)
end
it 'creates the user but does not sign them in' do
visit new_user_registration_path
fill_in_signup_form
expect { click_button 'Register' }.to change { User.count }.by(1)
expect(current_path).to eq new_user_session_path
expect(page).to have_content("You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator")
end
end
end end
context 'with errors' do context 'with errors' do
......
...@@ -41,7 +41,7 @@ RSpec.describe API::Settings, 'Settings' do ...@@ -41,7 +41,7 @@ RSpec.describe API::Settings, 'Settings' do
expect(json_response['spam_check_endpoint_enabled']).to be_falsey expect(json_response['spam_check_endpoint_enabled']).to be_falsey
expect(json_response['spam_check_endpoint_url']).to be_nil expect(json_response['spam_check_endpoint_url']).to be_nil
expect(json_response['wiki_page_max_content_bytes']).to be_a(Integer) expect(json_response['wiki_page_max_content_bytes']).to be_a(Integer)
expect(json_response['require_admin_approval_after_user_signup']).to eq(false) expect(json_response['require_admin_approval_after_user_signup']).to eq(true)
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment