Do not mark bot users as pending approval when User Cap is enabled

When User cap is enabled we mark all newly created users as pending approval, even those that are not humans. This prevents creation of project access tokens - at the time when we try to create the token the associated bot users is not approved. This updates `Users::BuildService#set_pending_approval_state` to mark users as pending approval only if they are `human?`. See https://gitlab.com/gitlab-org/gitlab/-/issues/323191.

Do not mark bot users as pending approval when User Cap is enabled
When User cap is enabled we mark all newly created users as pending approval, even those that are not humans. This prevents creation of project access tokens - at the time when we try to create the token the associated bot users is not approved. This updates `Users::BuildService#set_pending_approval_state` to mark users as pending approval only if they are `human?`. See https://gitlab.com/gitlab-org/gitlab/-/issues/323191.
f8e7c520 · Krasimir Angelov · Arturo Herrero · ba8bd0de · f8e7c520 · f8e7c520
Commit f8e7c520 authored Mar 11, 2021 by Krasimir Angelov Committed by Arturo Herrero Mar 12, 2021
3 changed files
--- a/ee/app/services/ee/users/build_service.rb
+++ b/ee/app/services/ee/users/build_service.rb
@@ -105,6 +105,8 @@ module EE
      def set_pending_approval_state(user)
        return unless ::Gitlab::CurrentSettings.should_apply_user_signup_cap?
+        return unless user.human?
        user.state = ::User::BLOCKED_PENDING_APPROVAL_STATE
      end
    end

--- a/ee/changelogs/unreleased/323191-user-cap-do-not-block-bot-users.yml
+++ b/ee/changelogs/unreleased/323191-user-cap-do-not-block-bot-users.yml
+---
+title: Do not mark bot users as pending approval when User Cap is enabled
+merge_request: 56287
+author:
+type: fixed
--- a/ee/spec/services/ee/users/build_service_spec.rb
+++ b/ee/spec/services/ee/users/build_service_spec.rb
@@ -8,6 +8,31 @@ RSpec.describe Users::BuildService do
      { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass' }
    end
+    context 'with non admin user' do
+      let(:non_admin) { create(:user) }
+      context 'when user signup cap is set' do
+        before do
+          allow(Gitlab::CurrentSettings).to receive(:new_user_signups_cap).and_return(10)
+        end
+        it 'does not set the user state to blocked_pending_approval for non human users' do
+          params = {
+            name: 'Project Bot',
+            email: 'project_bot@example.com',
+            username: 'project_bot',
+            user_type: 'project_bot',
+            skip_confirmation: true
+          }
+          service = described_class.new(non_admin, params)
+          user = service.execute(skip_authorization: true)
+          expect(user).to be_active
+        end
+      end
+    end
    context 'with an admin user' do
      let!(:admin_user) { create(:admin) }
      let(:service) { described_class.new(admin_user, ActionController::Parameters.new(params).permit!) }