Skip to content

Bogdan Denkovych: Add "Emails" to The Auth expertise list

Bogdan Denkovych requested to merge bdenkovych-add-emails-auth-expertise into master

Why is this change being made?

The "Emails" area deserves to be an individual item in The Auth expertise list.

Representation of "Emails" and its relation to Users is quite complex in the GitLab system. Users could have primary email and secondary emails. Sometimes[gitlab-org/gitlab!113404 (comment 1299619167)], team members need some clarifications to understand the design of "Emails" in the GitLab system and how properly use implementation parts to build some business logic on top of that. Making mistakes in that area would lead to security issues since it is user emails.

I want to add this item to my Auth expertise list to let team members know I could be the right person to discuss it or to be asked some questions.

Why me?

Well, ... my history with "Emails" started when I started to work on gitlab-org/gitlab#356665 (closed). I identified that this issue is just one of the side effects of a bigger issue - GitLab links unverified secondary emails to users. For that, I needed to learn the whole "Emails" representation in the GitLab system. It turned out that that root cause has been producing lots of other bugs and security issues that we know (1, 2). By analyzing the codebase, I can say that there is a lot of issues we don't know yet. We managed to fix the security issue by partially addressing the root cause issue https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2491/ and created a follow-up issue gitlab-org/gitlab#367823 (closed) resolving of which will completely eliminate similar side effects in other parts of the application. It is hard to measure but resolving of this issue will have a significant impact on the GitLab system, it will fix lots of issues we know and don't know yet. It will significantly improve Support Efficiency. My familiarity with the "Emails" area and my vision of the direction for the area should make me the right team member to assist with questions or to just discuss it for knowledge transfer.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Bogdan Denkovych

Merge request reports