Optional admin approval for local user sign up
Overview
To maintain control over an instance's membership, some administrators may benefit from requiring manual approval of every new user registration. This has a couple of use cases:
- Reduces operational burden for instances that err on the side of security and have registration disabled, but want to conditionally allow sign-up for certain members of the organization.
- Enables an EE instance to better control seat utilization. If managing costs is important to an instance, gating membership this way may be helpful.
Proposal
- Add an instance-level setting requiring admin approval for new users.
- New users who attempt to register on an instance with this setting enabled should see a message informing them that an admin must first approve their registration.
- Present an error to the user if they attempt to recover their password or log in before they are approved.
- For the first iteration, no UI:
  - Each request should send a registration request to instance administrators. The email should have the user's name, username, and email, with a link to approve or disapprove the request.
  - Send a notification email to the user when the request has been approved. We can also mark their email as confirmed.
- Users who requested approval are placed in a new state, "blocked_pending_approval", that functionally blocks the user and doesn't count them against licensing. Having a new state will be useful when building an approval queue in the future.
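The proposed flow, modeled as an added Ruby sketch (not GitLab's code): registration lands in "blocked_pending_approval", one gate covers both sign-in and password recovery, and pending users are excluded from the seat count. The class and method names, the mail text, and the rule that only a pending account can be approved are assumptions made for illustration.

```ruby
# Added sketch of the proposed flow; class and method names are hypothetical.
class NotApproved < StandardError; end

class User
  attr_reader :username, :email, :state, :email_confirmed

  def initialize(username, email, state)
    @username, @email, @state, @email_confirmed = username, email, state, false
  end

  def approve!
    # Assumption: only a pending account may be activated, so a stale approval
    # link cannot re-enable a user who was blocked for another reason.
    raise ArgumentError, "user is not pending approval" unless @state == :blocked_pending_approval
    @state = :active
    @email_confirmed = true # the proposal allows confirming the email on approval
  end
end

class Instance
  attr_reader :users, :outbox

  def initialize(require_admin_approval:, admins:)
    @require_admin_approval, @admins, @users, @outbox = require_admin_approval, admins, [], []
  end

  def register(username, email)
    state = @require_admin_approval ? :blocked_pending_approval : :active
    user = User.new(username, email, state)
    @users << user
    # One request per administrator; outbox stands in for real mail delivery.
    @admins.each { |a| @outbox << [a, "approve or reject #{username} <#{email}>"] } if state != :active
    user
  end

  def approve(user)
    user.approve!
    @outbox << [user.email, "your registration has been approved"]
  end

  # Single gate shared by sign-in and password recovery, so neither path
  # can be used to get around the pending state.
  def authorize!(user, action)
    if user.state == :blocked_pending_approval
      raise NotApproved, "#{action} refused: an administrator must approve this account first"
    end
    user.state == :active
  end

  def billable_seats
    @users.count { |u| u.state == :active } # pending users hold no seat
  end
end
```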
OP
I would like to have the ability to restrict new users coming in from local sign up. For now, if you allow sign up in GitLab, users who register there have an account directly with default access rights. It is already possible to restrict users coming from omniauth providers, but it would be great to restrict users coming from local sign up as well. In our environment, we accept users coming in via Shibboleth directly as users with default access rights, and users coming in via GitHub are marked as external. I would like to activate sign up again, but restrict it so that admins have to approve new users before they get their account. During approval, we should be able to mark them as external. Is this possible to implement?