
Only show 2FA badge to project maintainers and group owners

📖 What does this MR do?

Related to #24908 (closed)

Currently, the project and group members views show the 2FA badge to all users. This MR hides the 2FA badge from project members with less than "Maintainer" access and from group members with less than "Owner" access.

📋 Summary of changes

💻 Local testing

  1. Create a group
  2. Navigate to "Group" -> "Members" and use the form to add a user. Make note of that user's name
  3. Navigate to /admin/users, search for the user, click on the found user, and then click "Impersonate"
  4. Navigate to /-/profile/two_factor_auth and use 1Password to set up 2FA
  5. Stop impersonating the user and navigate back to "Group" -> "Members". The 2FA badge should show
  6. Add another user as a "Maintainer"
  7. Impersonate the user you just added as a "Maintainer" and navigate to "Group" -> "Members". The 2FA badge should not show.

The process for testing a project is the same, but in step 6 add a "Developer" instead of a "Maintainer".
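The visibility rule described above, modelled as a self-contained Ruby example (added here; not the MR's own code or GitLab's implementation). The numeric access levels mirror GitLab's Guest=10 through Owner=50 constants; the `Member` struct, method names and sample members are assumptions constructed for the example.

```ruby
# Access levels as GitLab numbers them (Guest 10 ... Owner 50).
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Minimum access a viewer needs before the 2FA badge is rendered, per source type:
# "Maintainer" for a project members list, "Owner" for a group members list.
BADGE_THRESHOLD = { project: ACCESS[:maintainer], group: ACCESS[:owner] }.freeze

# Hypothetical member record; GitLab's real model is not used here.
Member = Struct.new(:name, :access_level, :two_factor_enabled, keyword_init: true)

# True when a viewer with +viewer_access_level+ may see 2FA badges on a
# +source_type+ (:project or :group) members list. Unknown source types raise
# KeyError rather than silently showing the badge.
def can_see_two_factor_badge?(source_type, viewer_access_level)
  viewer_access_level >= BADGE_THRESHOLD.fetch(source_type)
end

# Builds the rows a viewer is allowed to see. The 2FA flag is omitted from the
# row entirely (not just hidden in the view) when the viewer lacks access, so
# the status never reaches the client in the first place.
def member_rows(source_type, viewer_access_level, members)
  show_badge = can_see_two_factor_badge?(source_type, viewer_access_level)
  members.map do |m|
    row = { name: m.name, access_level: m.access_level }
    row[:two_factor_badge] = m.two_factor_enabled if show_badge
    row
  end
end

# Constructed sample data mirroring the local testing steps above.
SAMPLE_MEMBERS = [
  Member.new(name: "alice", access_level: ACCESS[:owner], two_factor_enabled: true),
  Member.new(name: "bob", access_level: ACCESS[:maintainer], two_factor_enabled: false)
].freeze
```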

📷 Screenshots

| Logged in user | Before | After |
| --- | --- | --- |
| Group owner | Screen_Shot_2021-02-19_at_10.00.52_AM | Screen_Shot_2021-02-19_at_10.03.57_AM |
| Group maintainer | Screen_Shot_2021-02-19_at_10.01.23_AM | Screen_Shot_2021-02-19_at_10.04.26_AM |
| Group guest | Screen_Shot_2021-02-19_at_10.01.53_AM | Screen_Shot_2021-02-19_at_10.04.59_AM |
| Project maintainer | Screen_Shot_2021-02-19_at_9.54.47_AM | Screen_Shot_2021-02-19_at_9.51.42_AM |
| Project developer | Screen_Shot_2021-02-19_at_9.55.18_AM | Screen_Shot_2021-02-19_at_9.52.14_AM |
| Project guest | Screen_Shot_2021-02-19_at_9.55.49_AM | Screen_Shot_2021-02-19_at_9.46.28_AM |

🚦 Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Peter Hegman
