Once the User Cap setting is set it always requires Admin Approval for new users even if user count is below cap
Summary
Whenever the user cap setting is set to any number at all admin approval is required for new sign-ups. This is not the intent of the design and does not match the docs or description for the setting on the settings page.
Steps to reproduce
- Spin up a fresh GL instance, I spun all of my test boxes up in docker using v14.0.5
- Head over to Sign-up settings in the admin panel
- Disable
Require admin approval for new sign-ups
(this is enabled by default) - Set the value for the
User cap
field to any number, I picked10000
. Hit save - Log out and register a new user, experience the following banner:
You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator.
- Log back in as an admin and observe that the billable users < user cap
- Voila you've reproduced the bug
Example Project
What is the current bug behavior?
Whenever user cap is set to non nil
value any new sign-ups need to be approved by an admin
What is the expected correct behavior?
ONLY when number of billable users reaches the user cap, any user who is added or requests access must be approved by an administrator before they can start using their account.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
root@127:/# gitlab-rake gitlab:env:info System information System: Proxy: no Current User: git Using RVM: no Ruby Version: 2.7.2p137 Gem Version: 3.1.4 Bundler Version:2.1.4 Rake Version: 13.0.3 Redis Version: 6.0.14 Git Version: 2.32.0 Sidekiq Version:5.2.9 Go Version: unknown GitLab information Version: 14.0.5-ee Revision: b044f06e4dd Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 12.6 URL: http://127.0.0.1 HTTP Clone URL: http://127.0.0.1/some-group/some-project.git SSH Clone URL: git@127.0.0.1:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 13.19.0 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
root@127:/# gitlab-rake gitlab:check SANITIZE=true Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.19.0 ? ... OK (13.19.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet) Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 2/1 ... yes Redis version >= 5.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.2) Git version >= 2.31.0 ? ... yes (2.32.0) Git user has default SSH configuration? ... yes Active users: ... 2 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
Best I can tell the issue appears with this code: !47993 (diffs)
Specifically:
def should_apply_user_signup_cap?
::Feature.enabled?(:admin_new_user_signups_cap) &&
::Gitlab::CurrentSettings.new_user_signups_cap.present?
end
From my very limited understanding this is just checking whether the feature is enabled (which it is by default now) and whether the setting is nil
or populated. It doesn't check whether billable users > user cap.