### Summary We have our site configured to allow access only via SSH and not HTTPS. Also, we use SAML as SSO, so users don't need passwords. However, all users get the orange banner with the confusing message about needing a password. The logic in `app/views/shared/_no_password.html.haml` delegates to `app/models/user.rb#require_password?` which only takes LDAP identity grounding into account. The logic should really be short-circuited if the HTTPS option is disabled site-wide, but for now I've patched it by making a similar `saml_user?` that works for us instead. ### Steps to reproduce - Brand new `gitlab-ce` install - SSH-only access selected in Admin Settings - OmniAuth set up to authorise via SAML ### What is the current *bug* behavior? Users see orange banner "You won't be able to pull or push project code via HTTPS until you set a password on your account" in any repo. ### What is the expected *correct* behavior? No banner should be shown if HTTPS git access is disabled. ### Relevant logs and/or screenshots n/a ### Output of checks n/a #### Results of GitLab environment info <details> ``` root@gitlab:~# gitlab-rake gitlab:env:info System information System: Ubuntu 16.04 Current User: git Using RVM: no Ruby Version: 2.3.3p222 Gem Version: 2.6.6 Bundler Version:1.13.7 Rake Version: 10.5.0 Redis Version: 3.2.5 Git Version: 2.10.2 Sidekiq Version:4.2.7 GitLab information Version: 9.0.5 Revision: gitlab-ce@a6b9899d4d6440bed20e01ffc2f07ed61ce3c748 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql URL: https://gitlab.beno.ai HTTP Clone URL: https://gitlab.beno.ai/some-group/some-project.git SSH Clone URL: git@git.beno.ai:some-group/some-project.git Using LDAP: no Using Omniauth: yes Omniauth Providers: saml GitLab Shell Version: 5.0.0 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/ Git: /opt/gitlab/embedded/bin/git ``` </details> #### Results of GitLab application Check <details> ``` root@gitlab:~# gitlab-rake gitlab:check SANITIZE=true Checking GitLab Shell ... GitLab Shell version >= 5.0.0 ? ... OK (5.0.0) Repo base directory exists? default... yes Repo storage directories are symlinks? default... no Repo paths owned by git:git? default... yes Repo paths access is drwxrws---? default... yes hooks directories in repos are links: ... 4/1 ... ok Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Access to /var/opt/gitlab/.ssh/authorized_keys: OK Send ping to redis server: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Sidekiq ... Running? ... yes Number of Sidekiq processes ... 1 Checking Sidekiq ... Finished Checking Reply by email ... IMAP server credentials are correct? ... yes Init.d configured correctly? ... skipped (omnibus-gitlab has no init script) MailRoom running? ... can't check because of previous errors Checking Reply by email ... Finished Checking LDAP ... LDAP is disabled in config/gitlab.yml Checking LDAP ... Finished Checking GitLab ... Git configured with autocrlf=input? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config outdated? ... no Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory setup correctly? ... skipped (no tmp uploads folder yet) Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) projects have namespace: ... 4/1 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.1.0 ? ... yes (2.3.3) Your git bin path is "/opt/gitlab/embedded/bin/git" Git version >= 2.7.3 ? ... yes (2.10.2) Active users: 2 Checking GitLab ... Finished ``` </details> ### Possible fixes - `app/models/user.rb:562` in `require_password?` - `app/views/shared/_no_password.html.haml`