Blocking a user adds a sign in event to their Authentication Log
Summary
Blocking a user creates a "Signed in with authentication" event in that user's Authentication Log. It is unclear why this event is created, since the user is not signing in, and it can lead to users believing their account has been compromised when they see a sign-in event at a time they did not log in. It also makes security auditing of the log quite difficult, because an administrative action is indistinguishable from a real authentication.
Steps to reproduce
- Block a user
- Wait a minute or two just to make sure unblocking isn't the cause of the issue.
- Unblock the same user.
- Check the user's authentication log and see that the first line is now "Signed in with authentication" and that its timestamp matches the time you blocked the user.
What is the current bug behavior?
Blocking a user creates a "Signed in with authentication" event in that user's Authentication Log.
What is the expected correct behavior?
Blocking a user should not create any events in that user's Authentication Log.
Proposal
Update `app/controllers/profiles_controller.rb:66` to exclude events where `custom_message == 'Blocked user'`. (From @mwoolf.)
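The following is an added illustration of the proposal, not GitLab's own code: it models the audit rows behind a user's Authentication Log as plain hashes, shows the current query (every event recorded against the user) beside the proposed one (the same query minus rows whose `custom_message` is `'Blocked user'`), and renders the rows the way a template keyed on a `with` column would, which reproduces the odd "Signed in with authentication" line from the report. The column names (`author_id`, `entity_id`, `entity_type`, `with`, `custom_message`, `created_at`), the sample values and the rendering are assumptions; only the `'Blocked user'` message comes from the issue.

```ruby
require 'time'

# Constructed sample rows, shaped loosely like the audit-event records behind a
# user's Authentication Log (entity = the user the event is about, author = who
# caused it). Column names, providers and timestamps are assumptions for
# illustration; only the 'Blocked user' message comes from the issue.
SAMPLE_EVENTS = [
  { id: 1, author_id: 7, entity_id: 7, entity_type: 'User',
    with: 'standard', custom_message: nil,
    created_at: Time.parse('2020-03-09T08:00:00Z') },
  { id: 2, author_id: 7, entity_id: 7, entity_type: 'User',
    with: 'two-factor', custom_message: nil,
    created_at: Time.parse('2020-03-09T20:30:00Z') },
  # An admin (author 1) blocking user 7: stored against the same entity, so the
  # current query scoops it into the user's own log.
  { id: 3, author_id: 1, entity_id: 7, entity_type: 'User',
    with: nil, custom_message: 'Blocked user',
    created_at: Time.parse('2020-03-10T10:00:00Z') },
  # Another user's sign-in; must never appear in user 7's log.
  { id: 4, author_id: 8, entity_id: 8, entity_type: 'User',
    with: 'standard', custom_message: nil,
    created_at: Time.parse('2020-03-10T11:00:00Z') }
].freeze

# Messages that describe an administrative action on the account rather than a
# sign-in by the account holder. The issue names 'Blocked user'; any further
# admin messages would be listed here (assumption: a single constant list).
ADMIN_ACTION_MESSAGES = ['Blocked user'].freeze

# Current behaviour as the issue describes it: every event recorded against the
# user, newest first, regardless of who caused it or what it was.
def current_authentication_log(events, user_id)
  events
    .select { |e| e[:entity_type] == 'User' && e[:entity_id] == user_id }
    .sort_by { |e| -e[:created_at].to_i }
end

# Proposed behaviour: the same query, minus rows whose custom_message marks an
# administrative action. Rows with a nil custom_message are sign-ins and stay.
def proposed_authentication_log(events, user_id)
  current_authentication_log(events, user_id)
    .reject { |e| ADMIN_ACTION_MESSAGES.include?(e[:custom_message]) }
end

# Renders one log line the way a template keyed on the `with` column would
# (assumed rendering). A block row has no `with` value, so the provider name
# drops out and the line collapses to "Signed in with authentication", which
# is exactly the text the report describes.
def render_line(event)
  provider = event[:with].to_s
  "#{event[:created_at].utc.iso8601} Signed in with #{provider} authentication".squeeze(' ')
end

if __FILE__ == $PROGRAM_NAME
  puts 'Current log for user 7:'
  current_authentication_log(SAMPLE_EVENTS, 7).each { |e| puts "  #{render_line(e)}" }
  puts 'Proposed log for user 7:'
  proposed_authentication_log(SAMPLE_EVENTS, 7).each { |e| puts "  #{render_line(e)}" }
end
```

Running the script prints three lines for the current query, the newest being the block event disguised as a sign-in, and two for the proposed query. Filtering on `custom_message` fixes the display, but the block event itself stays in the audit table under the user's entity, so an administrator reviewing who blocked an account still finds it; the filter only keeps it out of the account holder's sign-in view.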