Merge branch 'do-not-show-exemption-when-cc-is-required' into 'master'

Do not offer exemption when credit card is required

Closes gitlab-org/modelops/anti-abuse/team-tasks#587

See merge request !142983



Merged-by: Smriti Garg <sgarg@gitlab.com>
Approved-by: Smriti Garg <sgarg@gitlab.com>
Co-authored-by: imand3r <ianderson@gitlab.com>

ee/app/models/concerns/identity_verifiable.rb

@@ -112,15 +112,17 @@ def exempt_from_identity_verification?
 
   def offer_phone_number_exemption?
     return false unless credit_card_verification_enabled?
-    return true if medium_risk?
+    return false unless phone_number_verification_enabled?
 
-    if low_risk? && phone_number_verification_enabled?
-      return experiment(:phone_verification_for_low_risk_users, user: self) do |e|
-        e.candidate { true }
-      end.run
-    end
+    phone_required = verification_method_required?(method: VERIFICATION_METHODS[:PHONE_NUMBER])
+    cc_required = verification_method_required?(method: VERIFICATION_METHODS[:CREDIT_CARD])
 
-    false
+    return false if phone_required && cc_required
+
+    # If phone verification is not required but a phone exemption exists it means the user toggled from
+    # verifying with a phone to verifying with a credit card. Returning true if a phone exemption exists
+    # will allow the user to toggle back to using phone verification from the credit card form.
+    phone_required || exempt_from_phone_number_verification?
   end
 
   def verification_method_allowed?(method:)

ee/spec/models/concerns/identity_verifiable_spec.rb

@@ -667,39 +667,25 @@ def add_identity_verification_exemption
   end
 
   describe '#offer_phone_number_exemption?' do
-    subject(:offer_phone_number_exemption?) { !!user.offer_phone_number_exemption? }
-
-    where(:credit_card, :risk_band, :phone_number, :experiment_group, :result) do
-      true  | 'Low'         | true  | :candidate | true
-      true  | 'Low'         | true  | :control   | false
-      true  | 'Low'         | false | :candidate | false
-      true  | 'Low'         | false | :control   | false
-      true  | 'Medium'      | true  | :candidate | true
-      true  | 'Medium'      | true  | :control   | true
-      true  | 'Medium'      | false | :candidate | true
-      true  | 'Medium'      | false | :control   | true
-      true  | 'High'        | true  | :control   | false
-      true  | 'Unavailable' | true  | :control   | false
-      true  | nil           | true  | :control   | false
-      false | 'Low'         | true  | :candidate | false
-      false | 'Low'         | true  | :control   | false
-      false | 'Low'         | false | :candidate | false
-      false | 'Low'         | false | :control   | false
-      false | 'Medium'      | true  | :candidate | false
-      false | 'Medium'      | true  | :control   | false
-      false | 'Medium'      | false | :candidate | false
-      false | 'Medium'      | false | :control   | false
-      false | 'High'        | true  | :control   | false
-      false | 'Unavailable' | true  | :control   | false
-      false | nil           | true  | :control   | false
+    subject(:offer_phone_number_exemption?) { user.offer_phone_number_exemption? }
+
+    where(:credit_card, :phone_number, :phone_exempt, :required_verification_methods, :result) do
+      true   | true  | false | %w[email]                   | false
+      false  | true  | false | %w[email phone]             | false
+      true   | true  | false | %w[email phone]             | true
+      true   | false | false | %w[email credit_card]       | false
+      true   | true  | false | %w[email credit_card]       | false
+      true   | true  | true  | %w[email credit_card]       | true
+      true   | true  | false | %w[email phone credit_card] | false
     end
 
     with_them do
       before do
-        add_user_risk_band(risk_band) if risk_band
         stub_feature_flags(identity_verification_credit_card: credit_card)
         stub_feature_flags(identity_verification_phone_number: phone_number)
-        stub_experiments(phone_verification_for_low_risk_users: experiment_group)
+
+        allow(user).to receive(:required_identity_verification_methods).and_return(required_verification_methods)
+        allow(user).to receive(:exempt_from_phone_number_verification?).and_return(phone_exempt)
       end
 
       it { is_expected.to eq(result) }