Follow-up from "Fix project access token regression"

The following discussion from !50784 (closed) should be addressed:

  • @serenafang started a discussion:

    The pipeline is currently failing on spec/lib/gitlab/auth_spec.rb:377, "when project bot is not a project member" and "when project bot user is blocked". In both cases the failure looks like:

    expected: #<struct Gitlab::Auth::Result actor=nil, project=nil, type=nil, authentication_abilities=nil>
                got: #<struct Gitlab::Auth::Result actor=#<User id:42 @user39>, project=nil, type=:personal_access_token, ...:download_code, :read_container_image, :push_code, :create_container_image, :admin_container_image]>

    Aka, when the project bot is not valid (when they're not a project member or when they're blocked), we expect them not to be authenticated, but because line 201: if token.user.project_bot? is true, it's being authenticated anyway.

    If we reintroduce this line, which I removed in !47247 (merged), the pipeline passes and the problem is fixed:

    return if project && token.user.project_bot? && !project.bots.include?(token.user)
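
The membership case from the discussion above, as an added example that is not part of the original comment and is not GitLab's code: a simplified stand-in model of a token check with and without the quoted guard line. The structs, `ABILITIES`, `token_check`, `authenticate` and the `guard:` switch are hypothetical; only the `Result` fields, `project_bot?`, `project.bots` and the guard expression come from the page, and the blocked-user case is not modelled.

```ruby
# Simplified stand-in model (assumption), not Gitlab::Auth itself.
User = Struct.new(:name, :bot) do
  def project_bot?
    bot
  end
end
Project = Struct.new(:bots)   # bots: users that are bot members of the project
Token   = Struct.new(:user)
Result  = Struct.new(:actor, :project, :type, :authentication_abilities)

ABILITIES = %i[download_code push_code].freeze   # constructed subset

# guard: false reproduces the failing behaviour described in the comment
# (any project bot token is accepted); guard: true applies the quoted line.
def token_check(token, project, guard:)
  # The guard expression below is the line quoted in the discussion.
  return if guard && project && token.user.project_bot? && !project.bots.include?(token.user)

  Result.new(token.user, nil, :personal_access_token, ABILITIES)
end

# A nil check result becomes the empty Result the spec expects.
def authenticate(token, project, guard: true)
  token_check(token, project, guard: guard) || Result.new
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  bot       = User.new("project_bot", true)
  own_proj  = Project.new([bot])
  other     = Project.new([])
  token     = Token.new(bot)

  puts "non-member bot, no guard: actor=#{authenticate(token, other, guard: false).actor&.name.inspect}"
  puts "non-member bot, guard:    actor=#{authenticate(token, other).actor&.name.inspect}"
  puts "member bot, guard:        actor=#{authenticate(token, own_proj).actor&.name.inspect}"
end
```

Because the guard starts with `project &&`, it only applies when a project is passed to the check.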