
Allow group Owner to disable email confirmation for contribution reassignment for Enterprise Users

⚠️ We should ask AppSec (@ameyadarshan) to review the MRs that implement the confirmation skip to make sure we don't accidentally implement a loophole

Problem

Larger customers with many users would appreciate a way to auto-approve user contribution and membership mapping. This, however, conflicts with the intent of the feature, where the user's own approval is crucial.

This issue is to consider if adding an option to disable email confirmation for contribution reassignment for Enterprise Users (Premium/Ultimate GitLab.com only feature) is a feasible and secure option or not.

Proposed solution

  1. Add a group setting to disable email confirmation for contribution and membership reassignment for group owners on behalf of only their enterprise users and no other users. The bypass setting must not apply to any other users except users that are Enterprise Users of that group. Warn that contribution reassignment is not reversible. (Copy needed) Examples:

  2. Or add an action for each separate Enterprise user, like here https://docs.gitlab.com/ee/user/enterprise_user/#disable-two-factor-authentication

The assumption is that it would be preferable to disable email confirmation for contribution and membership reassignment for all Enterprise Users in the group, so option 1.

This action should be available only to an Owner of a top-level group with a Premium or Ultimate license.

Reassignment of contributions from placeholders to active users on the destination instance takes place at the level of the top-level group and can be done by a group Owner only, so this fits nicely with who can manage Enterprise Users and where.

  1. The reassigning Owner should see a warning when they map a placeholder to a user that is an Enterprise user and the new group setting is enabled. The warning should be similar to the one in Allow Admin to re-assign contributions from pla... (#523259 - closed): a warning banner on the Placeholders tab above the placeholders reassignment table. We already have a warning there, so we will need to adjust it to state that the reassignment confirmation email will be skipped if they reassign to an Enterprise user, because the group setting (add link to it) allowing them to do so is enabled.

  2. Show a popup when the Owner reassigns someone (without confirmation needed) that makes them acknowledge that it bypasses user confirmation and that it is not reversible. Use copy similar to the warning banner (copy needed). Show a checkbox to not show the pop-up again.

  3. The backend must make the correct checks before allowing the bypass:

    • Feature flag (importer_user_mapping_allow_bypass_of_confirmation) is enabled AND Group has the setting enabled AND has correct license tier AND user is one of their enterprise users AND it's GitLab.com AND group is top-level group. This is a combination of checking our feature flag is enabled, the setting is enabled, and User#managed_by_group?(group) which takes care of the other checks.
    • We must validate in both:
      • the service/controller layer and
      • also within the model - see the implementation of admin bypass !190272 (merged)
  4. Check that the group has enabled the setting and that User#managed_by_group?(group) holds, see #503356 (comment 2491431627). Additionally we should validate in the model, see !190272 (comment 2491201214).

  5. Send emails to users after the reassignment has completed, so they are informed that contributions were reassigned to them. (copy needed)

  6. When the group setting is on and the reassignment is done with CSV, show additional warning/confirmation modal in CSV workflow.
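An added Ruby sketch of the layered check described in steps 3 and 4, written for this issue rather than taken from GitLab's code base: the feature flag name and `User#managed_by_group?(group)` come from the issue text, while `FeatureFlags`, `ConfirmationBypassPolicy`, `PlaceholderReassignment`, the `bypass_confirmation_enabled` group attribute and the sample users and groups are assumptions constructed for the example. The stand-in `managed_by_group?` only compares group identity; the real method also covers the licence-tier, GitLab.com and top-level-group checks mentioned above. The point it demonstrates is that the policy is evaluated in the service layer and again in the model, so a caller that skips the service check still cannot persist a bypassed reassignment.

```ruby
# Added example (not GitLab's code): the confirmation-bypass gate from steps 3 and 4,
# checked in the service layer and re-checked in the model (defence in depth).
# All class names are hypothetical stand-ins constructed for this illustration.

# Stand-in feature-flag registry (constructed); the flag name is the one from the issue.
module FeatureFlags
  STATE = {}

  def self.enable(name)
    STATE[name] = true
  end

  def self.disable(name)
    STATE[name] = false
  end

  def self.enabled?(name)
    STATE.fetch(name, false)
  end
end

BYPASS_FLAG = :importer_user_mapping_allow_bypass_of_confirmation

# `bypass_confirmation_enabled` models the proposed group setting (hypothetical name).
Group = Struct.new(:name, :parent, :owners, :bypass_confirmation_enabled, keyword_init: true) do
  def top_level?
    parent.nil?
  end

  def owner?(user)
    owners.include?(user)
  end
end

User = Struct.new(:username, :enterprise_group, keyword_init: true) do
  # Stand-in for User#managed_by_group?(group): true only when this user is an
  # Enterprise User of exactly this group. GitLab's real method also performs the
  # licence-tier, GitLab.com and top-level-group checks the issue describes.
  def managed_by_group?(group)
    !enterprise_group.nil? && enterprise_group.equal?(group)
  end
end

# Single source of truth for "may the confirmation email be skipped?".
# Every condition must hold; any failure falls back to the normal confirmation flow.
class ConfirmationBypassPolicy
  def self.allowed?(actor:, group:, target_user:)
    FeatureFlags.enabled?(BYPASS_FLAG) &&
      group.top_level? &&
      group.owner?(actor) &&
      group.bypass_confirmation_enabled == true &&
      target_user.managed_by_group?(group)
  end
end

# Model layer: re-runs the policy before a bypass can be persisted.
class PlaceholderReassignment
  class BypassNotAllowed < StandardError; end

  attr_reader :placeholder, :target_user, :status

  def initialize(actor:, group:, placeholder:, target_user:, skip_confirmation: false)
    @actor = actor
    @group = group
    @placeholder = placeholder
    @target_user = target_user
    @skip_confirmation = skip_confirmation
    @status = nil
  end

  def save!
    if @skip_confirmation &&
       !ConfirmationBypassPolicy.allowed?(actor: @actor, group: @group, target_user: @target_user)
      raise BypassNotAllowed, "bypass requested for #{@target_user.username} but policy denies it"
    end

    @status = @skip_confirmation ? :reassigned_without_confirmation : :awaiting_confirmation
    self
  end
end

# Service layer: decides whether to request the bypass, then defers to the model.
def reassign_placeholder(actor:, group:, placeholder:, target_user:)
  skip = ConfirmationBypassPolicy.allowed?(actor: actor, group: group, target_user: target_user)
  PlaceholderReassignment.new(actor: actor, group: group, placeholder: placeholder,
                              target_user: target_user, skip_confirmation: skip).save!.status
end

# Constructed sample data: a top-level group with an Owner, one of its Enterprise
# Users, an unrelated user, and a subgroup that also has the setting switched on.
def build_sample
  FeatureFlags.enable(BYPASS_FLAG)
  owner = User.new(username: "acme-owner", enterprise_group: nil)
  top = Group.new(name: "acme", parent: nil, owners: [owner], bypass_confirmation_enabled: true)
  enterprise = User.new(username: "acme-employee", enterprise_group: top)
  outsider = User.new(username: "contractor", enterprise_group: nil)
  sub = Group.new(name: "acme/platform", parent: top, owners: [owner], bypass_confirmation_enabled: true)
  { owner: owner, top: top, sub: sub, enterprise: enterprise, outsider: outsider }
end

if $PROGRAM_NAME == __FILE__
  s = build_sample
  puts reassign_placeholder(actor: s[:owner], group: s[:top], placeholder: "ph-1", target_user: s[:enterprise])
  puts reassign_placeholder(actor: s[:owner], group: s[:top], placeholder: "ph-2", target_user: s[:outsider])
end
```

Only the Enterprise User of the top-level group, reassigned by that group's Owner with the flag and setting on, skips confirmation; an outsider, a subgroup, a non-Owner actor, a disabled flag or a disabled setting all fall back to the normal email flow, and asking the model directly for a bypass the policy denies raises instead of saving.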

Documentation

Document this option in Enterprise users docs here and link to it from Contribution reassignment feature docs.

Event tracking

Add an event for the action of group owner disabling email confirmation for contribution reassignment for Enterprise Users. See !182679 (merged) for how it's done.

Edited by Luke Duncalfe