Skip to content

Project access tokens returns "403 Forbidden - Your account has been blocked."

Summary

When trying to use a project access token created by the root user the API returns {"message":"403 Forbidden - Your account has been blocked."}

Update 2020-06-10

It appears this bug may not be because the access token was created by the root user. It seems this has to do with "Project Bot Users" sometimes having an "Unverified" email.

Screen_Shot_2020-06-10_at_10.52.32_AM

Thanks to @nightvisi0n for identifying the root of the issue in this thread

Steps to reproduce

On a self-managed instance:

  • Log in as the root user of the instance
  • Enable the :resource_access_token feature flag
    • Feature.enable(:resource_access_token)
  • Create a Project Access Token. "Project" -> "Settings" -> "Access Tokens"
  • Try to make a request with this Project Access Token
    • curl --header "Private-Token: <your_project_access_token>" "https://example.com/api/v4/projects/:id/users"

Example Project

(If possible, please create an example project here on GitLab.com that exhibits the problematic behavior, and link to it here in the bug report)

(If you are using an older version of GitLab, this will also determine whether the bug is fixed in a more recent version)

What is the current bug behavior?

API returns 403 Forbidden - Your account has been blocked.

What is the expected correct behavior?

API should allow requests made with Project Access Tokens

Output of checks

Happening on a self-managed instance

Results of GitLab environment info

Expand for output related to GitLab environment info 
System information
System:         Ubuntu 16.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.6.6p146
Gem Version:    2.7.10
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.9
Git Version:    2.26.2
Sidekiq Version:5.2.7
Go Version:     unknown
GitLab information
Version:        13.1.0-pre
Revision:       976293a6325
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     11.7
URL:            https://gitlab-test-area.peterhegman.com
HTTP Clone URL: https://gitlab-test-area.peterhegman.com/some-group/some-project.git
SSH Clone URL:  git@gitlab-test-area.peterhegman.com:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: 
GitLab Shell
Version:        13.2.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.2.0 ? ... OK (13.2.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
1/1 ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.22.0 ? ... yes (2.26.2)
Git user has default SSH configuration? ... yes
Active users: ... 4
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished

Possible fixes

Current workaround

Login with a user that is not the root user and create the Project Access Token

  1. Navigate to the /admin/users
  2. Click on the the "Project Bot User" that corresponds to the access token
  3. Click "Confirm user"
Edited by Jeremy Watson (ex-GitLab)