
Allow Admin to re-assign contributions from placeholders to users without confirmation - Backend

⚠️ We should ask AppSec (@ameyadarshan) to review the MRs that implement the confirmation skip to make sure we don't accidentally implement a loophole

Problem

Larger customers with many users could appreciate a way to auto-approve user contribution and membership mapping. This, however, conflicts with the intent of the feature, where the user's approval is crucial.

A Premium customer reported that their users do not check their emails, so the reassignment cannot complete in their case.

This issue is to consider whether allowing an Admin user to re-assign contributions from placeholders to users without confirmation is a feasible and secure option.

Same problem as in Allow group Owner to disable email confirmation... (#503356 - closed), different proposal.

Proposal

  1. Add an Admin setting to allow admins to assign contributions from placeholders to users without sending confirmation emails to users, that is, without user confirmation. Warn that contribution reassignment is not reversible. (Copy needed)

  2. The setting will only apply when the instance allows user impersonation &17382 (comment 2479140704).

Admins can access any group page if they know the group slug/path. They can start a placeholder user reassignment.

  1. In the UI, when an Admin is logged in and the setting is enabled, show a warning banner on the Placeholders tab; we have one already there, so add to it that the reassignment confirmation email to users will be skipped because they are administrators and the setting to allow them to reassign without user confirmation is enabled. Current banner: (screenshot Screenshot_2025-03-13_at_11.09.20). Keep what we have in the warning now and add the additional info. (Copy needed)

  2. To make sure the Admin is really sure what they're doing, show a popup when the Admin reassigns someone (without confirmation needed) that makes them acknowledge that it bypasses user confirmation and is not reversible. Similar copy as in the warning banner (copy needed). Show a checkbox to not show the pop-up again.

  3. Send emails to users after the reassignment has completed, so they are informed that contributions were reassigned to them.

Security considerations we talked about

Note: We do not need to force admin users to enable 2FA to use this feature. #523259 (comment 2387576308)

GitLab already includes a feature to enforce 2FA for admin users.

However, it's disabled by default. The feature was implemented by #427549 (closed).

The first item in the "Get started administering GitLab" docs is a suggestion to enable 2FA.

Event tracking

Add an event for the action of admin reassigning contributions from placeholder to user without confirmation. See !182679 (merged) for how it's done.
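The gating described in the Proposal (admin only, setting enabled, impersonation allowed) together with the tracking event and the post-reassignment notice, as an added illustration. This is not GitLab code: the setting name `allow_admin_reassign_without_confirmation`, the module and struct names, and the event and template symbols are hypothetical. The check is written fail-closed so that any missing condition falls back to the normal confirmation flow.

```ruby
# Added example, not GitLab's implementation. Names are hypothetical.
Actor = Struct.new(:username, :admin, keyword_init: true)
InstanceSettings = Struct.new(:allow_admin_reassign_without_confirmation,
                              :allow_impersonation, keyword_init: true)
Decision = Struct.new(:skip_confirmation, :reason, :events, keyword_init: true)

module PlaceholderReassignment
  # Decide whether the user's confirmation email may be skipped.
  # Fail-closed: every condition must hold, otherwise confirmation is required.
  def self.decide(actor:, settings:)
    unless actor.admin
      return Decision.new(skip_confirmation: false, reason: :not_admin, events: [])
    end
    unless settings.allow_admin_reassign_without_confirmation
      return Decision.new(skip_confirmation: false, reason: :setting_disabled, events: [])
    end
    # Proposal step 2: the setting only applies when impersonation is allowed.
    unless settings.allow_impersonation
      return Decision.new(skip_confirmation: false, reason: :impersonation_disabled, events: [])
    end
    # The bypass is the event worth tracking (see "Event tracking" above).
    Decision.new(skip_confirmation: true, reason: :admin_bypass,
                 events: [:admin_reassigned_without_confirmation])
  end

  # Outcome of a reassignment request: which email the target user receives.
  # With the bypass the reassignment completes at once and the user is informed
  # afterwards; otherwise the existing confirmation request is sent instead.
  def self.perform(actor:, settings:, target_email:)
    decision = decide(actor: actor, settings: settings)
    template = decision.skip_confirmation ? :contributions_reassigned_notice
                                          : :reassignment_confirmation_request
    { decision: decision, outbox: [{ to: target_email, template: template }] }
  end
end
```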

Edited by Luke Duncalfe