Remove Username lookup when resolving users in ImportExport::MembersMapper
Problem statement
Gitlab::ImportExport::MembersMapper falls back to the username to locate a user when no user can be found by email:
https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/import_export/members_mapper.rb#L85-84
An incorrect user can be mapped into the imported project/group when all of the following hold:
- The intended user has different email addresses at the source and at the destination
- The intended user has a different username at the destination
- A different user at the destination has the same username as the intended user had at the source
In this case, when a Project/Group Import is performed, everything the intended user authored is mapped to a different, unintended user.
This is especially risky when users are importing projects/groups from self-managed into GitLab.com, since GitLab.com's userbase is big, and there are higher chances of somebody already taking the desired username.
Proposed solution
Remove username from user lookup and rely purely on email addresses.
The original requirement for Project Import was to have a username lookup; however, that is not an optimal fallback when a user cannot be resolved by email.
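The mis-mapping described above, as an added illustration (not GitLab's MembersMapper code): a minimal in-memory lookup with constructed, hypothetical users that contrasts the old email-then-username resolution with the proposed email-only resolution.

```ruby
# Added illustration, not GitLab's own code: models the lookup order discussed
# above on a tiny in-memory user base to show why the username fallback is risky.
DestUser = Struct.new(:id, :email, :username)

# Constructed destination user base (hypothetical values).
DEST_USERS = [
  DestUser.new(1, 'alice@corp.example', 'alice_w'), # intended user, renamed at destination
  DestUser.new(2, 'other@example.org', 'alice')     # unrelated user who now holds "alice"
].freeze

# Member record as it appears in the source export: the intended user used a
# different email and the username "alice" on the source instance.
SOURCE_MEMBER = { 'email' => 'alice@personal.example', 'username' => 'alice' }.freeze

def find_by_email(member, users)
  users.find { |u| u.email == member['email'] }
end

# Old behaviour: when no email matches, fall back to a username match.
# With the data above this silently resolves to the unrelated user (id 2).
def resolve_with_username_fallback(member, users)
  find_by_email(member, users) || users.find { |u| u.username == member['username'] }
end

# Proposed behaviour: rely on email only. nil means "no confident match";
# the caller decides what to do with an unresolved member.
def resolve_email_only(member, users)
  find_by_email(member, users)
end

if __FILE__ == $PROGRAM_NAME
  puts "fallback -> #{resolve_with_username_fallback(SOURCE_MEMBER, DEST_USERS)&.id.inspect}" # 2
  puts "email only -> #{resolve_email_only(SOURCE_MEMBER, DEST_USERS)&.id.inspect}"          # nil
end
```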
Risks
Can more than one user be associated with the same email address?
It looks like we have validations in place that do not allow more than one user to have the same email address, which is good:
    validate :unique_email, if: :email_changed?

    def unique_email
      if !emails.exists?(email: email) && Email.exists?(email: email)
        errors.add(:email, _('has already been taken'))
      end
    end
https://gitlab.com/gitlab-org/gitlab/blob/master/app/models/user.rb#L712-716
We also have a unique index on the email column, which prevents two users from having the same email address:
    t.index ["email"], name: "index_users_on_email", unique: true
https://gitlab.com/gitlab-org/gitlab/blob/master/db/schema.rb#L4207