Soft email confirmation flow

What does this MR do?

The suggested change allows a user to use the site without the hard requirement to confirm her email address after signing up when the send_user_confirmation_email application setting is set to true.

Before this change, a user would land on an "Almost there" page, preventing her from using the site until a confirmation link sent to her email address was followed.

The time a user can use the site without confirming her email address is set to 30 days through Devise's allow_unconfirmed_access_for setting. When the user has not yet confirmed her email address before this time, she will not be able to log in anymore and will see the flash alert 'You have to confirm your email address before continuing'.

When a user logs in during the 'grace period', she will see a flash warning on every visited page. This is set in the ConfirmEmailWarning concern.

This feature is behind the feature flag soft_email_confirmation.

Does this MR meet the acceptance criteria?

Conformity

Performance and testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Closes #47003 (closed)

Edited by Grzegorz Bizon
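
The access decision this merge request describes, modelled as an added plain-Ruby example for reviewers; it is not code from the MR, GitLab or Devise. The helper names, the inclusive 30-day boundary, the fail-closed handling of a missing timestamp, the flag-off behaviour and the sample accounts are assumptions made for the illustration.

```ruby
# Added illustration: plain Ruby, no Rails or Devise loaded.
DAY = 24 * 60 * 60
GRACE_PERIOD = 30 * DAY # 30 days, the value stated in the MR description

# Hypothetical helper. Returns:
#   :confirmed     - email confirmed, no restriction
#   :grace_warning - unconfirmed but inside the grace period (warning on every page)
#   :blocked       - unconfirmed and outside the grace period, or soft flow disabled
def access_state(confirmed_at:, confirmation_sent_at:, now:, soft_flow_enabled: true)
  return :confirmed if confirmed_at
  # Assumption: with the soft_email_confirmation flag off, the hard requirement applies.
  return :blocked unless soft_flow_enabled
  # Without a send timestamp the window cannot be evaluated, so fail closed.
  return :blocked if confirmation_sent_at.nil?
  # Assumption: the boundary is inclusive (exactly 30 days is still allowed).
  confirmation_sent_at >= now - GRACE_PERIOD ? :grace_warning : :blocked
end

# Whole days of unconfirmed access left; 0 once the window has closed.
def grace_days_left(confirmation_sent_at, now)
  return 0 if confirmation_sent_at.nil?
  [((confirmation_sent_at + GRACE_PERIOD - now) / DAY).floor, 0].max
end

# Audit view over a set of accounts: who is currently using the site unconfirmed,
# and for how much longer. Useful when reviewing the exposure the grace period creates.
def unconfirmed_report(accounts, now:, soft_flow_enabled: true)
  accounts.map do |a|
    state = access_state(confirmed_at: a[:confirmed_at],
                         confirmation_sent_at: a[:confirmation_sent_at],
                         now: now, soft_flow_enabled: soft_flow_enabled)
    days = state == :grace_warning ? grace_days_left(a[:confirmation_sent_at], now) : nil
    { name: a[:name], state: state, days_left: days }
  end
end

# Constructed sample data (not real accounts).
NOW = Time.utc(2020, 3, 1)
ACCOUNTS = [
  { name: "alice", confirmed_at: NOW - 5 * DAY, confirmation_sent_at: NOW - 6 * DAY },
  { name: "bob",   confirmed_at: nil,           confirmation_sent_at: NOW - 10 * DAY },
  { name: "carol", confirmed_at: nil,           confirmation_sent_at: NOW - 31 * DAY },
  { name: "dave",  confirmed_at: nil,           confirmation_sent_at: NOW - 30 * DAY },
  { name: "erin",  confirmed_at: nil,           confirmation_sent_at: nil }
].freeze

unconfirmed_report(ACCOUNTS, now: NOW).each { |row| puts row.inspect }
```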