Commit e55a9459 authored by Vincent Fazio, committed by Drew Blessing

Set blocked Omniauth accounts to blocked_pending_approval

Previously the user state was set to `blocked` when
`block_auto_created_users` was set for a provider.

Now, the state is set to `blocked_pending_approval` so accounts can be
worked down by admins via the pending approval queue.

Changelog: changed
parent b359579d
...@@ -69,14 +69,13 @@ earlier version, you must explicitly enable it. ...@@ -69,14 +69,13 @@ earlier version, you must explicitly enable it.
- `auto_link_ldap_user` can be used if you have [LDAP / ActiveDirectory](../administration/auth/ldap/index.md) - `auto_link_ldap_user` can be used if you have [LDAP / ActiveDirectory](../administration/auth/ldap/index.md)
integration enabled. It defaults to `false`. When enabled, users automatically integration enabled. It defaults to `false`. When enabled, users automatically
created through an OmniAuth provider have their LDAP identity created in GitLab as well. created through an OmniAuth provider have their LDAP identity created in GitLab as well.
- `block_auto_created_users` defaults to `true`. If `true` auto created users will - `block_auto_created_users` defaults to `true`. If `true`, auto created users will
be blocked by default and must be unblocked by an administrator before be blocked pending approval by an administrator before they are able to sign in.
they are able to sign in.
NOTE: NOTE:
If you set `block_auto_created_users` to `false`, make sure to only If you set `block_auto_created_users` to `false`, make sure to only
define providers under `allow_single_sign_on` that you are able to control, like define providers under `allow_single_sign_on` that you are able to control, like
SAML, Shibboleth, Crowd, or Google. Otherwise, set it to `false`, or any user on SAML, Shibboleth, Crowd, or Google. Otherwise, set it to `true`, or any user on
the Internet can successfully sign in to your GitLab without the Internet can successfully sign in to your GitLab without
administrative approval. administrative approval.
......
...@@ -13,11 +13,12 @@ users. ...@@ -13,11 +13,12 @@ users.
## Users pending approval ## Users pending approval
A user in _pending approval_ state requires action by an administrator. A user sign up can be in a A user in _pending approval_ state requires action by an administrator. A user sign up can be in a
pending approval state because an administrator has enabled either, or both, of the following pending approval state because an administrator has enabled any of the following options:
options:
- [Require admin approval for new sign-ups](settings/sign_up_restrictions.md#require-administrator-approval-for-new-sign-ups) setting. - [Require admin approval for new sign-ups](settings/sign_up_restrictions.md#require-administrator-approval-for-new-sign-ups) setting.
- [User cap](settings/sign_up_restrictions.md#user-cap). - [User cap](settings/sign_up_restrictions.md#user-cap).
- [Block auto-created users (OmniAuth)](../../integration/omniauth.md#initial-omniauth-configuration)
- [Block auto-created users (LDAP)](../../administration/auth/ldap/index.md#basic-configuration-settings)
When a user registers for an account while this setting is enabled: When a user registers for an account while this setting is enabled:
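Review bot: the unchanged sentence after the list, "When a user registers for an account while this setting is enabled:", no longer fits once the OmniAuth and LDAP bullets are added: the list now names four settings, and an account created under `block_auto_created_users` comes from a first provider sign-in rather than a registration form. Consider "When an account is created while any of these settings is enabled:". Minor: the two new bullets lack the terminating period the two existing bullets have.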
......
...@@ -54,7 +54,7 @@ module Gitlab ...@@ -54,7 +54,7 @@ module Gitlab
Users::UpdateService.new(gl_user, user: gl_user).execute! Users::UpdateService.new(gl_user, user: gl_user).execute!
gl_user.block if block_after_save gl_user.block_pending_approval if block_after_save
log.info "(#{provider}) saving user #{auth_hash.email} from login with admin => #{gl_user.admin}, extern_uid => #{auth_hash.uid}" log.info "(#{provider}) saving user #{auth_hash.email} from login with admin => #{gl_user.admin}, extern_uid => #{auth_hash.uid}"
gl_user gl_user
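Review bot: the `log.info` line immediately after the state change still records only `admin` and `extern_uid`, so the log cannot show that an auto-created account landed in `blocked_pending_approval` rather than being signed in; consider appending `state => #{gl_user.state}` to that message so accounts awaiting approval are visible in the audit trail. Also, `block_pending_approval` is called only for its side effect and its result is discarded, exactly as `block` was before; if that transition can fail, the user would remain in the state `execute!` left them in with nothing logged, which is worth a second look given that the old `blocked` call had the same blind spot.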
......
...@@ -317,7 +317,7 @@ RSpec.describe OmniauthCallbacksController, type: :controller do ...@@ -317,7 +317,7 @@ RSpec.describe OmniauthCallbacksController, type: :controller do
it 'denies sign-in if sign-up is enabled, but block_auto_created_users is set' do it 'denies sign-in if sign-up is enabled, but block_auto_created_users is set' do
post :atlassian_oauth2 post :atlassian_oauth2
expect(flash[:alert]).to start_with 'Your account has been blocked.' expect(flash[:alert]).to start_with 'Your account is pending approval'
end end
it 'accepts sign-in if sign-up is enabled' do it 'accepts sign-in if sign-up is enabled' do
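Review bot: the updated spec still asserts only on the flash text, so it would pass for any state whose message starts with "Your account is pending approval" and does not prove the account was placed in `blocked_pending_approval`, which is the point of the commit. Add an assertion on the created user's state after the `post`, for example `expect(user.reload.state).to eq('blocked_pending_approval')` using whatever `let` the surrounding context defines for the auto-created user.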
...@@ -399,7 +399,7 @@ RSpec.describe OmniauthCallbacksController, type: :controller do ...@@ -399,7 +399,7 @@ RSpec.describe OmniauthCallbacksController, type: :controller do
it 'denies login if sign up is enabled, but block_auto_created_users is set' do it 'denies login if sign up is enabled, but block_auto_created_users is set' do
post :saml, params: { SAMLResponse: mock_saml_response } post :saml, params: { SAMLResponse: mock_saml_response }
expect(flash[:alert]).to start_with 'Your account has been blocked.' expect(flash[:alert]).to start_with 'Your account is pending approval'
end end
it 'accepts login if sign up is enabled' do it 'accepts login if sign up is enabled' do
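Review bot: both updated specs cover only the initial denial; nothing exercises the other half of the commit message, that an administrator can work the account down from the pending approval queue. A spec that approves the user after the first `post :saml, params: { SAMLResponse: mock_saml_response }` and posts the same response again, expecting sign-in to succeed, would verify that `blocked_pending_approval` is actually approvable for auto-created OmniAuth users rather than merely relabelled.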
......