Simplify code to determine required identity verification methods
What does this MR do and why?
Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/435110.
Refactor IdentityVerifiable
to make code to determine required identity verification methods for a user easier to follow.
This will also make it easier to update the code to return required identity verification methods for users that are already active (https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/629) like so,
Planned update
diff --git a/ee/app/models/concerns/identity_verifiable.rb b/ee/app/models/concerns/identity_verifiable.rb
index f1560d501c64..1178b7fead69 100644
--- a/ee/app/models/concerns/identity_verifiable.rb
+++ b/ee/app/models/concerns/identity_verifiable.rb
@@ -17,6 +17,7 @@ module IdentityVerifiable
HIGH_RISK_USER_METHODS = %w[email phone credit_card].freeze
MEDIUM_RISK_USER_METHODS = %w[email phone].freeze
LOW_RISK_USER_METHODS = %w[email].freeze
+ ACTIVE_USER_METHODS = %w[phone].freeze
def identity_verification_enabled?
return false unless ::Gitlab::CurrentSettings.email_confirmation_setting_hard?
@@ -70,13 +71,21 @@ def required_identity_verification_methods
end
def determine_required_methods
- return IDENTITY_VERIFICATION_EXEMPT_METHODS if exempt_from_identity_verification?
+ unless active_user?
+ return IDENTITY_VERIFICATION_EXEMPT_METHODS if exempt_from_identity_verification?
+ end
+
return PHONE_NUMBER_EXEMPT_METHODS if exempt_from_phone_number_verification?
return ASSUMED_HIGH_RISK_USER_METHODS if assumed_high_risk? || affected_by_phone_verifications_limit?
- return HIGH_RISK_USER_METHODS if high_risk?
- return MEDIUM_RISK_USER_METHODS if medium_risk? || phone_number_verification_experiment_candidate?
- LOW_RISK_USER_METHODS
+ if active_user?
+ ACTIVE_USER_METHODS
+ else
+ return HIGH_RISK_USER_METHODS if high_risk?
+ return MEDIUM_RISK_USER_METHODS if medium_risk? || phone_number_verification_experiment_candidate?
+
+ LOW_RISK_USER_METHODS
+ end
end
def verification_method_enabled?(method)
@@ -181,6 +190,10 @@ def verification_method_allowed?(method:)
private
+ def active_user?
+ last_sign_in_at.present?
+ end
+
def risk_profile
@risk_profile ||= IdentityVerification::UserRiskProfile.new(self)
end
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Eugie Limpin