Require password confirmation when user changes their primary email
What does this MR do?
With this MR, the user is prompted with a modal to re-authenticate with their current password when they want to save changes to their primary email.
This MR solves for #339145 (closed).
When a user changes their primary email, re-authentication with the current user password is required, unless the user is signed in via OmniAuth/LDAP/SAML/etc. and they do not have a local password.
Implementation detail: the frontend doesn't prompt for the password when password_automatically_set? returns true.
Note: it can be extended to require password confirmation for changes to some other user attributes (by adding to ATTRS_REQUIRING_PASSWORD_CHECK).
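The gate described above, written out as an added stand-alone example. This is not code from this MR or from GitLab: the constant name ATTRS_REQUIRING_PASSWORD_CHECK and the password_automatically_set? predicate follow the description, while the User and UpdateUserService classes, the current_password: and skip_password_check: parameters (the latter standing in for the API/LDAP/SCIM paths the commit "Do not require user password confirmation for API, LDAP, SCIM" exempts) and the PBKDF2-based password check are assumptions made so the example runs without Rails or Devise.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not GitLab code): a re-authentication gate for sensitive
# profile attributes, modelled on the behaviour the MR description gives.

# Attributes whose change requires the current password to be re-entered.
# The constant name mirrors the MR description; its contents are assumed.
ATTRS_REQUIRING_PASSWORD_CHECK = %w[email].freeze

class PasswordRequiredError < StandardError; end

# Stand-in for the user record. GitLab uses Devise/bcrypt; PBKDF2 from the
# stdlib is used here so the example runs without extra gems.
class User
  attr_accessor :email, :name

  def initialize(email:, name:, password: nil, password_automatically_set: false)
    @email = email
    @name = name
    @password_automatically_set = password_automatically_set
    @salt = SecureRandom.random_bytes(16)
    @digest = password && derive(password)
  end

  # True for users created through OmniAuth/LDAP/SAML etc. who never set a
  # local password: there is nothing for them to re-enter.
  def password_automatically_set?
    @password_automatically_set
  end

  def valid_password?(candidate)
    return false if @digest.nil? || candidate.nil?

    constant_time_equal?(@digest, derive(candidate))
  end

  private

  def derive(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: 10_000,
                                       length: 32, hash: 'sha256')
  end

  # Compare digests without leaking where they first differ.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Applies a profile update. `skip_password_check:` models the non-interactive
# callers (API, LDAP, SCIM) that are exempt; the UI passes the password
# collected by the confirmation modal as `current_password:`.
class UpdateUserService
  def initialize(user, params, current_password: nil, skip_password_check: false)
    @user = user
    @params = params.transform_keys(&:to_s)
    @current_password = current_password
    @skip_password_check = skip_password_check
  end

  def execute
    if password_check_required? && !@user.valid_password?(@current_password)
      raise PasswordRequiredError,
            "current password must be confirmed to change #{protected_changes.join(', ')}"
    end

    @params.each { |attr, value| @user.public_send("#{attr}=", value) }
    @user
  end

  # Protected attributes whose value would actually change; re-submitting the
  # same email is not a change and needs no confirmation.
  def protected_changes
    (@params.keys & ATTRS_REQUIRING_PASSWORD_CHECK)
      .reject { |attr| @user.public_send(attr) == @params[attr] }
  end

  def password_check_required?
    return false if @skip_password_check
    return false if @user.password_automatically_set?

    protected_changes.any?
  end
end
```

The check is decided server-side from the attributes being written, not from a flag the client sends, so a request that omits the modal's password field is rejected rather than trusted; the frontend's use of password_automatically_set? only decides whether to show the modal. Adding another attribute to ATTRS_REQUIRING_PASSWORD_CHECK is enough to protect it on every path that goes through the service.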
Screenshots or Screencasts (strongly suggested)
Screen_Recording_2021-09-20_at_6.26.29_PM
Does this MR meet the acceptance criteria?
Conformity
- I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- I have added/updated documentation, or it's not needed. (Is documentation required?)
- I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
- I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- I have tested this MR in all supported browsers, or it's not needed.
- I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Security
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Activity
changed milestone to %14.3
added backend, frontend, group::optimize labels
requested review from @dblessing
assigned to @m_frankiewicz
- Resolved by Drew Blessing
@dblessing could you have a look to check if this is going in the good direction, as you participated in discussion on &6549
- Resolved by Magdalena Frankiewicz
@blabuschagne do you have capacity to follow up with the frontend part? I wrote in the description what I would imagine for the frontend, let me know if you have any questions or doubts.
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
Category | Reviewer | Maintainer
backend | Vijay Hawoldar (@vij) (UTC+1) | James Fargher (@proglottis) (UTC+13)
frontend | Sheldon Led (@sheldonled) (UTC+1) | Denys Mishunov (@dmishunov) (UTC+2)
test Quality for spec/features/* | Sanad Liaquat (@sliaquat) (UTC+5) | Maintainer review is optional for test Quality for spec/features/*
To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot, based on their timezone. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
mentioned in issue #339145 (closed)
mentioned in epic &6549
added security label
added type::feature label
Allure report
allure-report-publisher generated test report for 086303a7!
review-qa-smoke: test report
assigned to @blabuschagne
added 1 commit
- 7099d51d - Do not ask for password confirmation if it was set automatically
added 1 commit
- c888f00b - Do not require user password confirmation for API, LDAP, SCIM
unassigned @blabuschagne
requested review from @blabuschagne
requested review from @ekigbo and removed review request for @blabuschagne
@dmoraBerlin, thanks for approving this merge request. This is the first time the merge request is approved. To ensure full test coverage, a new pipeline has been started.
For more info, please refer to the following links:
Setting label(s) devops::manage section::dev based on group::optimize.
added devops::manage section::dev labels
removed review request for @ekigbo
assigned to @ekigbo
mentioned in merge request !70348 (closed)
added 2 commits
- Resolved by Magdalena Frankiewicz
- Resolved by Magdalena Frankiewicz
- Resolved by Magdalena Frankiewicz
Hi @m_frankiewicz I've added the related frontend changes to this MR. This includes:
- jest tests for the modal component
- additional RSpec feature tests for the user_edit_profile_spec
Would you be free to review the updated frontend changes @blabuschagne? The main difference to the first draft was I made a slight refactor to move the DOM manipulation into the index.js, cleaning up the modal component a bit.
requested review from @blabuschagne
- Resolved by Brandon Labuschagne
- Resolved by Ezekiel Kigbo
removed review request for @blabuschagne
changed milestone to %14.4
requested review from @blabuschagne
removed review request for @blabuschagne
- Resolved by Magdalena Frankiewicz
@fneill could you have a look at the issue description and direct me, if this needs documentation change? At first I thought yes, but now I'm actually leaning to no. If you could help me and clarify, that would be great :)
removed review request for @dblessing
added 1 commit
- 79762265 - Do not prompt for password if it is automatically set
marked the checklist item I have self-reviewed this MR per code review guidelines. as completed
marked the checklist item This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines) as completed
marked the checklist item I have followed the style guides. as completed
marked the checklist item This change is backwards compatible across updates, or this does not apply. as completed