
Require admin approval for new sign-ups setting bypassed

Summary

The Require admin approval for new sign-ups setting is bypassed when checked: new users are approved automatically without any confirmation from an admin. New users are told to await approval, but nothing stops them from refreshing the page and signing in, and checking the user status in Admin shows the account has already been approved. This happens whether or not email confirmation on sign-up is enabled.

When initially setting up this instance I had tested this functionality (this was somewhere around 14.7), and it was functioning as expected. Today I had someone join as a new user to test functionality and noticed this behavior.

Steps to reproduce

  1. Have a self-hosted GitLab instance.
  2. Ensure the Require admin approval for new sign-ups and Sign-up enabled checkboxes are checked in the Admin/Settings/General/Sign-up restrictions section. Ensure Send confirmation email on sign-up is unchecked, and that the Allow/Deny/Restriction lists are empty/disabled. Save changes.
  3. Open a new window to the instance frontend in a separate browser, incognito session, etc.
  4. Click Register now.
  5. Enter a login to use for testing. Click Register to submit it.
  6. A banner is shown as you are redirected to the sign-in page, saying "You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator."
  7. Back as the admin user (first browser), check Admin/Users. The new user shows up under Active instead of Pending approval. (Expected: the new user shows up under Pending approval.)
  8. Back as the test user (second browser), sign in using the credentials submitted in step 5. Login redirects to the new-user role selection page without issue. (Expected: sign-in fails because the account is awaiting approval from an admin.)
  9. Log out the test user. Delete the test user from the admin Users page.
  10. Now enable Send confirmation email on sign-up in Admin settings. Save changes.
  11. Repeat steps 3-9, additionally clicking the confirmation email link for the test user after step 6. Observe that the bug occurs here too.
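For an admin who wants to check whether this has already happened on their instance, the following is an added example (not part of the original report) that flags recently created users who are Active even though the approval setting is on. It assumes the GitLab REST API fields `require_admin_approval_after_user_signup` (from /api/v4/application/settings) and `state` / `created_at` (from /api/v4/users); the JSON below is constructed sample data, not output from the reporter's instance.

```python
"""Flag new users that became Active despite the admin-approval setting."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what GET /api/v4/application/settings returns
# (field names are assumed from the public API, not taken from the report).
SAMPLE_SETTINGS = {
    "signup_enabled": True,
    "require_admin_approval_after_user_signup": True,
    "send_user_confirmation_email": False,
}

# Constructed sample of what GET /api/v4/users returns.
SAMPLE_USERS = [
    {"id": 1, "username": "root", "state": "active",
     "created_at": "2022-01-10T09:00:00.000Z"},
    {"id": 7, "username": "pending-ok", "state": "blocked_pending_approval",
     "created_at": "2022-05-24T10:20:00.000Z"},
    {"id": 8, "username": "slipped-through", "state": "active",
     "created_at": "2022-05-24T10:25:00.000Z"},
]

# Fixed "current time" so the sample is reproducible offline.
SAMPLE_NOW = datetime(2022, 5, 24, 11, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse GitLab's ISO 8601 timestamps; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def auto_approved_users(settings, users, now, window=timedelta(days=1)):
    """Return users created within `window` whose state is already
    'active' while the setting says they should still be pending.

    An empty list is the healthy result. Entries are either the bypass
    described in the report or a genuine admin approval, so cross-check
    them against the admin audit events before acting."""
    if not settings.get("require_admin_approval_after_user_signup"):
        return []  # Setting is off: instant activation is expected.
    cutoff = now - window
    return [u for u in users
            if u["state"] == "active" and parse_ts(u["created_at"]) >= cutoff]


if __name__ == "__main__":
    for u in auto_approved_users(SAMPLE_SETTINGS, SAMPLE_USERS, SAMPLE_NOW):
        print(f"auto-approved: {u['username']} (id {u['id']})")
```

Replace the two sample structures with the real API responses (an admin token is needed for both endpoints) to run it against an instance.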

What is the current bug behavior?

The new user shows up under Active on the Admin/Users page and is able to sign in immediately after sign-up, without any confirmation from an admin.

What is the expected correct behavior?

The new user shows up under Pending approval on the Admin/Users page and is blocked from signing in until an admin approves the account.

Relevant logs and/or screenshots

I don't know which logs to grab for this, please let me know.

(Screenshot attached: Screenshot_2022-05-24_102949)

Output of checks

Results of GitLab environment info


System information
System:         Ubuntu 20.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.7.5p203
Gem Version:    3.1.4
Bundler Version:2.2.33
Rake Version:   13.0.6
Redis Version:  6.2.6
Sidekiq Version:6.4.0
Go Version:     unknown

GitLab information
Version:        15.0.0-ee
Revision:       3b397c17532
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.10
URL:            https://[REDACTED]
HTTP Clone URL: https://[REDACTED]/some-group/some-project.git
SSH Clone URL:  git@[REDACTED]:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: no

GitLab Shell
Version:        14.3.0
Repository storage paths:
- default:      /srv/www/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Results of GitLab application Check


Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.3.0 ? ... OK (14.3.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Checking Reply by email ...

IMAP server credentials are correct? ... Checking [REDACTED]@gmail.com yes
Mailroom enabled? ... skipped
MailRoom running? ... skipped

Checking Reply by email ... Finished

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes
3/4 ... yes
3/5 ... yes
3/6 ... yes
3/8 ... yes
4/9 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 4
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Possible fixes

Sorry, I am unfamiliar with Ruby.