Merge branch...

Merge branch '219539-project-access-tokens-returns-403-forbidden-your-account-has-been-blocked' into 'master' Resolve "Project bot users should always have their emails confirmed by default" See merge request gitlab-org/gitlab!35498

Merge branch...
Merge branch '219539-project-access-tokens-returns-403-forbidden-your-account-has-been-blocked' into 'master' Resolve "Project bot users should always have their emails confirmed by default" See merge request gitlab-org/gitlab!35498
a508dba7 · Bob Van Landuyt · e10c146c · 4d8567cd · a508dba7 · a508dba7
Commit a508dba7 authored Jun 30, 2020 by Bob Van Landuyt
3 changed files
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -13,8 +13,6 @@ module ResourceAccessTokens
      return unless feature_enabled?
      return error("User does not have permission to create #{resource_type} Access Token") unless has_permission_to_create?

-      # We skip authorization by default, since the user creating the bot is not an admin
-      # and project/group bot users are not created via sign-up
      user = create_user

      return error(user.errors.full_messages.to_sentence) unless user.persisted?
@@ -49,6 +47,11 @@ module ResourceAccessTokens
    end

    def create_user
+      # Even project maintainers can create project access tokens, which in turn
+      # creates a bot user, and so it becomes necessary to  have `skip_authorization: true`
+      # since someone like a project maintainer does not inherently have the ability
+      # to create a new user in the system.
+
      Users::CreateService.new(current_user, default_user_params).execute(skip_authorization: true)
    end

@@ -57,7 +60,8 @@ module ResourceAccessTokens
        name: params[:name] || "#{resource.name.to_s.humanize} bot",
        email: generate_email,
        username: generate_username,
-        user_type: "#{resource_type}_bot".to_sym
+        user_type: "#{resource_type}_bot".to_sym,
+        skip_confirmation: true # Bot users should always have their emails confirmed.
      }
    end


--- a/changelogs/unreleased/219539-project-access-tokens-returns-403-forbidden-your-account-has-been-.yml
+++ b/changelogs/unreleased/219539-project-access-tokens-returns-403-forbidden-your-account-has-been-.yml
+---
+title: Project bot users should always have their emails confirmed by default
+merge_request: 35498
+author:
+type: fixed
--- a/spec/services/resource_access_tokens/create_service_spec.rb
+++ b/spec/services/resource_access_tokens/create_service_spec.rb
@@ -45,6 +45,27 @@ RSpec.describe ResourceAccessTokens::CreateService do
        expect(access_token.user.reload.user_type).to eq("#{resource_type}_bot")
      end

+      context 'email confirmation status' do
+        shared_examples_for 'creates a user that has their email confirmed' do
+          it 'creates a user that has their email confirmed' do
+            response = subject
+            access_token = response.payload[:access_token]
+
+            expect(access_token.user.reload.confirmed?).to eq(true)
+          end
+        end
+
+        context 'when created by an admin' do
+          it_behaves_like 'creates a user that has their email confirmed' do
+            let(:user) { create(:admin) }
+          end
+        end
+
+        context 'when created by a non-admin' do
+          it_behaves_like 'creates a user that has their email confirmed'
+        end
+      end
+
      context 'bot name' do
        context 'when no value is passed' do
          it 'uses default value' do