
Allow only admins to change enterprise user primary email to any email

What does this MR do and why?

After a user becomes an enterprise user based on domain verification, the GitLab system should restrict enterprise users' primary email to verified domains only. This will not allow users to take over enterprise users' accounts by changing the primary email to their personal email.

However, we need to retain the ability for GitLab instance admins to change enterprise users' primary email to any email. This requirement comes from the GitLab IT team. As per GitLab Team member offboarding, in some cases, the IT team transfers GitLab account ownership directly to a user by changing the account's primary email to the user's personal email. Such a primary email change should also disassociate the user from the enterprise group.

enterprise_user_email_change validation

This MR adds the enterprise_user_email_change validation to the User model. This validation

  • is only applicable to users that became enterprise users based on domain verification (user.enterprise_user?)
  • could be skipped by using the User#skip_enterprise_user_email_change_restrictions! method. We use this method to bypass this validation to allow GitLab instance admins to change enterprise users' primary emails
  • is only applicable when the user's primary email is being changed (user.email_changed?)
    • This is very important not to break user records. Use-case: after a user became an enterprise user based on domain verification, group owners could remove the related verified domain. As per #406277 (closed), users that have become enterprise users before domain removal/expiration will remain enterprise users of that group. That means that this validation would fail for those users. That is why we should only apply this validation when a user email is changed to prevent breaking user records in that case.
  • is put under a feature flag: Feature.enabled?(:enterprise_users_automatic_claim, user.user_detail.enterprise_group) for safer rollout.
  • This validation is required for &9675 and will be rolled out as a part of that epic.
  • Toggling this validation should not cause data integrity issues - Primary email change should disassociate user f... (!124588 - merged) wasn't put under any FF and should guarantee data integrity. So we won't end up with enterprise user records with personal primary emails.

Closes #412968 (closed), #412762 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Bogdan Denkovych
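
The conditions listed for the validation, as an added plain-Ruby sketch that is not the MR's code or GitLab's implementation. Only enterprise_user?, email_changed? and skip_enterprise_user_email_change_restrictions! are names from the description; the SketchUser class, the verified_domains list, the flag_enabled boolean and the error text are assumptions.

```ruby
# Added illustration in plain Ruby (no Rails); not GitLab's implementation.
# SketchUser, verified_domains, flag_enabled and the error text are hypothetical.
class SketchUser
  attr_accessor :email
  attr_reader :errors

  def initialize(email:, enterprise:, verified_domains:, flag_enabled: true)
    @email = @saved_email = email         # @saved_email models the persisted value
    @enterprise = enterprise
    @verified_domains = verified_domains  # domains the group currently has verified
    @flag_enabled = flag_enabled          # stands in for the feature flag check
    @skip = false
    @errors = []
  end

  def enterprise_user?
    @enterprise
  end

  def email_changed?
    @email != @saved_email
  end

  # Admin path: the caller opts out of the restriction before validating.
  def skip_enterprise_user_email_change_restrictions!
    @skip = true
  end

  # The validation runs only when every gating condition from the list holds.
  def valid?
    @errors = []
    enterprise_user_email_change if @flag_enabled && enterprise_user? && email_changed?
    @errors.empty?
  end

  private

  def enterprise_user_email_change
    return if @skip
    domain = @email.to_s.rpartition('@').last.downcase
    return if @verified_domains.include?(domain)
    @errors << 'email must belong to a verified domain' # hypothetical message
  end
end
```

A user whose verified domain was later removed still passes valid? as long as the email is untouched, which is the record-breaking case the email_changed? condition guards against.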
