Send verify email for users created via SCIM API

ee/changelogs/unreleased/security-fix-bypass-email-verification-on-scim-user-creation-via-api-ee.yml

+---
+title: Fix bypass email verification when SCIM user is created via API
+merge_request:
+author:
+type: security

ee/lib/ee/gitlab/scim/provisioning_service.rb

@@ -8,7 +8,7 @@ module EE
 
         IDENTITY_PROVIDER = 'group_saml'
         PASSWORD_AUTOMATICALLY_SET = true
-        SKIP_EMAIL_CONFIRMATION = true
+        SKIP_EMAIL_CONFIRMATION = false
         DEFAULT_ACCESS = :guest
 
         def initialize(group, parsed_hash)

ee/spec/lib/ee/gitlab/scim/provisioning_service_spec.rb

@@ -44,6 +44,15 @@ describe ::EE::Gitlab::Scim::ProvisioningService do
         expect(User.find_by(service_params.except(:extern_uid))).to be_a(User)
       end
 
+      it 'user record requires confirmation' do
+        service.execute
+
+        user = User.find_by(email: service_params[:email])
+
+        expect(user).to be_present
+        expect(user).not_to be_confirmed
+      end
+
       context 'existing user' do
         before do
           create(:user, email: 'work@example.com')