Allow users to disable unknown sign-in notification
Add two configuration options to allow users to disable unknown sign-in notifications:
- A configuration option in Admin area -> Settings, disabled by default, that when enabled allows users to disable the unknown sign-in notification if they wish.
- A configuration option in the user's profile, default enabled, that if the application setting is enabled, allows the user to disable the unknown sign-in notification.
The default behavior is that users cannot disable the unknown sign-in notification. Only if an administrator enables the application setting should it be possible for users to disable it.
The application setting should be enabled for GitLab.com.
Original Description
The Email notification for unknown sign-ins feature currently sends the notification to all users regardless of whether 2FA is enabled or not. The content is dynamic in that it will suggest a user enable 2FA if it's not already enabled on the account.
However, some users still receive the notification when it's not particularly helpful to them. For example, a user's IP address may change frequently and their browser may also clear cookies on exit. This will cause the user to receive a notification on each sign-in, assuming the browser has been closed. We should make the user experience with this feature as good as possible. No one likes spam/unnecessary emails, but we also need to balance security.
When 2FA is enabled the account is reasonably secure. Do we need to send the notification in that case?
An alternative to this suggested feature would be to allow a user to disable the notification. This could be useful for GitLab.com and would likely need to be allowed/denied via a global setting. There are definitely cases where an instance admin may not want to allow a user to disable the notification themselves as that would defeat the purpose of the feature. That's why it's probably preferable to do this in a way that doesn't require a configuration option, but we can fall back to this if the suggestion in this issue isn't desired.
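The two-level gating proposed at the top of this issue, combined with the IP/cookie scenario from the original description, as an added sketch that is not GitLab's own code. The setting names, the structs and the rule that a known IP or a known-device cookie makes a sign-in "known" are assumptions made for illustration.

```ruby
require 'set'

# Hypothetical stand-ins for the instance-wide setting and the user record.
AppSettings = Struct.new(:allow_users_to_disable_unknown_sign_in_email, keyword_init: true)
User = Struct.new(:unknown_sign_in_email_enabled, :known_ips, :two_factor_enabled,
                  keyword_init: true)

# Assumption: a sign-in counts as known if the IP was seen before or the
# browser still presents a known-device cookie.
def unknown_sign_in?(user, ip:, known_device_cookie:)
  !(user.known_ips.include?(ip) || known_device_cookie)
end

# The stored user preference only takes effect while the admin setting permits
# it, so an opt-out saved earlier is ignored once the admin disables the option.
def user_opted_out?(settings, user)
  settings.allow_users_to_disable_unknown_sign_in_email &&
    !user.unknown_sign_in_email_enabled
end

# Returns :none, :notify, or :notify_suggest_2fa. 2FA changes the content of
# the email, not whether it is sent.
def sign_in_notification(settings, user, ip:, known_device_cookie:)
  return :none unless unknown_sign_in?(user, ip: ip, known_device_cookie: known_device_cookie)
  return :none if user_opted_out?(settings, user)

  user.two_factor_enabled ? :notify : :notify_suggest_2fa
end

# Constructed sample data (documentation IP ranges, not real addresses).
LOCKED = AppSettings.new(allow_users_to_disable_unknown_sign_in_email: false) # default
OPEN   = AppSettings.new(allow_users_to_disable_unknown_sign_in_email: true)
ROAMING_USER = User.new(unknown_sign_in_email_enabled: false, # user opted out
                        known_ips: Set['203.0.113.10'],
                        two_factor_enabled: true)

# Same user, new IP, cookies cleared on exit: only the admin setting differs.
[LOCKED, OPEN].each do |settings|
  result = sign_in_notification(settings, ROAMING_USER,
                                ip: '198.51.100.7', known_device_cookie: false)
  puts "admin allows opt-out=#{settings.allow_users_to_disable_unknown_sign_in_email} -> #{result}"
end
```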