Soft email confirmation flow
What does this MR do?
The suggested change allows a user to use the site without the hard requirement to confirm her email address after signing up when the send_user_confirmation_email application setting is set to true.
Before this change, a user would land on an "Almost there" page, preventing her from using the site until a confirmation link sent to her email address was followed.
The time a user can use the site without confirming her email address is set to 30 days through Devise's allow_unconfirmed_access_for setting. When the user has not yet confirmed her email address before this time, she will not be able to log in anymore and will see the flash alert 'You have to confirm your email address before continuing'.
When a user logs in during the 'grace period', she will see a flash warning on every visited page. This is set in the ConfirmEmailWarning concern.
This feature is behind the feature flag soft_email_confirmation.
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry for user-facing changes, or community contribution. Check the link for other scenarios.
- Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Performance and testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Closes #47003 (closed)
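
The access decision described in this merge request, modelled as an added example in plain Ruby; it is not code from the MR, GitLab or Devise. The struct, method and state names are hypothetical, the grace-period warning text is a constructed placeholder, and treating the disabled feature flag as the old hard flow is an assumption.

```ruby
# Added illustration; names are hypothetical, not GitLab's or Devise's code.
GRACE_PERIOD = 30 * 24 * 60 * 60 # 30 days in seconds (allow_unconfirmed_access_for)
EXPIRED_ALERT = 'You have to confirm your email address before continuing'
GRACE_WARNING = 'Please confirm your email address' # constructed placeholder text

SoftUser = Struct.new(:confirmed_at, :confirmation_sent_at, keyword_init: true)

# Returns [state, flash_message] for a login or page visit at time `now`.
def confirmation_state(user, now:, send_confirmation_email:, soft_flag:)
  # Confirmation not required at all, or already done: normal access.
  return [:active, nil] if !send_confirmation_email || user.confirmed_at
  # Feature flag off (assumption): the old hard flow ("Almost there" page) applies.
  return [:hard_block, nil] unless soft_flag

  sent = user.confirmation_sent_at
  # The window is measured from when the confirmation mail was sent (inclusive),
  # as Devise's confirmable module does; a missing timestamp fails closed.
  if sent && sent.utc >= now.utc - GRACE_PERIOD
    [:grace, GRACE_WARNING]
  else
    [:expired, EXPIRED_ALERT]
  end
end

# Constructed sample data: one unconfirmed account checked on three days.
sent = Time.utc(2020, 1, 1)
user = SoftUser.new(confirmed_at: nil, confirmation_sent_at: sent)
[10, 30, 31].each do |days|
  state, flash = confirmation_state(user, now: sent + days * 86_400,
                                    send_confirmation_email: true, soft_flag: true)
  puts "day #{days}: #{state} #{flash}"
end
```

The cases worth covering in tests are the inclusive 30-day boundary, an account with no confirmation timestamp, and the flag-off path, since each decides whether an unverified address keeps access.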