Enforcing 'Terms of Service' acceptance results in 'project member restricted' GitLab Pages returning 404 errors

Summary

We recently enabled the ability to enforce acceptance of terms of service on a private GitLab instance (v13.5.1), forcing all existing members to need to accept the terms before being able to continue using GitLab. This works fine when using the main interface for project management, where users are presented with a screen to accept the terms before moving on.

However, we also have users that primarily happen to access static content hosted using access-controlled GitLab Pages (based on project membership). When such a user visits an access-controlled 'GitLab Page' they are presented with a 404 error. This seems like the correct behavior for those without access, but for those that do have access, I think they should be presented with the page to accept the terms of acceptance.

I'm filing this here, as I'm not 100% sure whether this is something that needs to be handled on the OAuth side of GitLab or in gitlab-org/gitlab-pages>. From a quick check of that codebase, it looked to me as if this would be on the OAuth side of things. Looking at the UserAccessDeniedReason class I wonder if there are other cases where it may make sense to revisit this behavior as well.

Steps to reproduce

  • On a GitLab instance that does not enforce acceptance of the terms of service.
  • Create a new project using access-controlled GitLab Pages and restrict to project members.
  • Visit the GitLab Page as a project member and confirm the page is accessible.
  • Enforce acceptance of terms of service on the GitLab instance.
  • Visit the GitLab Page as a project member not having accepted the terms.
  • The page will show a 404.
  • Go to the main GitLab instance and accept the terms of service.
  • Visit the GitLab Page as a project member which will now show up as expected.

What is the current bug behavior?

Visitors of access-controlled GitLab Pages that are allowed to view the page, but have not accepted the terms of service, are presented with a 404 page similarly to those who don't have access at all. This is confusing as the reason they are being denied access is not clear (especially if they previously had access and nothing has changed about project membership).

What is the expected correct behavior?

Visitors of access-controlled GitLab Pages that are allowed to view the page, but have not accepted the terms of service, should be presented with the terms of service and the ability to accept them. For those not allowed to view the page, the 404 behavior should be preserved.

Relevant logs and/or screenshots

Unfortunately, I was unable to capture the behavior at the time and would like to not reproduce it on a production instance.

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 
System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.6.6p146
Gem Version:    2.7.10
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.9
Git Version:    2.28.0
Sidekiq Version:5.2.9
Go Version:     unknown

GitLab information
Version:        13.5.1
Revision:       8ee0746f54c
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.4
URL:            https://
HTTP Clone URL: https:///some-group/some-project.git
SSH Clone URL:  ssh://git@/some-group/some-project.git
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: openid_connect

GitLab Shell
Version:        13.11.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...


Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 13.11.0 ? ... OK (13.11.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...

All projects report: yes



Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.24.0 ? ... yes (2.28.0)
Git user has default SSH configuration? ... yes
Active users: ... 58
Is authorized keys file accessible? ... skipped (authorized keys not enabled)
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished