Allow admin to create an identity verification exemption
What does this MR do and why?
When an identity verification exemption is created, a user just needs to confirm an email address to confirm their identity. They do not need to confirm their identity with a phone number and/or a credit card.
This also removes the phone number exemption button from the admin interface as that has become redundant with the self-service option that was introduced with this MR.
Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/459
Screenshots or screen recordings
| Before | After |
|---|---|
 |
 |
 |
 |
How to set up and validate locally
-
Enable identity verification
Feature.enable(:identity_verification) Feature.enable(:identity_verification_phone_number) ApplicationSetting.current.update(email_confirmation_setting: 2, require_admin_approval_after_user_signup: false) -
Visit http://localhost:3000/users/sign_up, create a new account and stop when on the identity verification page (
http://localhost:3000/users/identity_verification) -
Update the new created user's risk score to
MediumUser.last.custom_attributes.create!(key: UserCustomAttribute::ARKOSE_RISK_BAND, value: Arkose::VerifyResponse::RISK_BAND_MEDIUM) -
Refresh the page and verify the new user needs to verify their phone number
-
Open a second incognito window, login as an admin and visit the users page: http://localhost:3000/admin/users/{User.last.username}
-
As admin, click the
Create identity verification exemptionbutton -
Refresh the first window and verify the new user does not need to verify their phone number anymore
-
As admin, click the
Remove identity verification exemptionbutton -
Refresh the first window and verify the new user does not need to verify their phone number again
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.