Add by email adds by account id for any address starting with numbers
Summary
Email addresses that start with numbers are interpreted as user ids and not emails, causing unintended users to be added to projects.
I'm assigning gitlab-ce2779335 gitlab-ce3713901 gitlab-ce~3857529a since it results in users adding unintended individuals to private projects.
Originally reported here: https://twitter.com/amine_hakkou/status/1041813378484903936?s=21
Steps to reproduce
- Add an email of the form <number>test@example.com in the Add Member interface, where number is a valid user id. For example, 1test@example.com.
- The text entry will populate with "Add <*> by email".
- Select add user.
- The user with the specified id will be added to the project instead.
Example Project
Any project seems to work.
What is the current bug behavior?
A user is added by id and not email.
What is the expected correct behavior?
User is invited by email.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com.
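The following is an added illustration, not GitLab's code and not part of the original report. It assumes the member entry is coerced to an integer before the lookup, as Ruby's String#to_i does, and contrasts that with a strict check; the USERS table and the resolve_lenient and resolve_strict helpers are hypothetical names built for this example.

```ruby
# Constructed sample directory; ids and addresses are illustrative only.
USERS = {
  1 => "root@example.com",
  42 => "dev@example.com"
}.freeze

# Lenient resolver (assumed cause): String#to_i keeps the leading digits and
# silently discards the rest, so "1test@example.com" becomes the id 1.
def resolve_lenient(entry)
  id = entry.to_i
  return [:add_user, id] if USERS.key?(id)
  [:invite_email, entry]
end

# Strict resolver: an entry counts as an id only if it is digits from start
# to end; anything containing "@" is treated as an email invitation.
def resolve_strict(entry)
  entry = entry.to_s.strip
  if entry.match?(/\A\d+\z/)
    id = Integer(entry, 10)
    return USERS.key?(id) ? [:add_user, id] : [:reject, entry]
  end
  return [:invite_email, entry] if entry.include?("@")
  [:reject, entry]
end

if __FILE__ == $PROGRAM_NAME
  ["1test@example.com", "42", "7", "test@example.com"].each do |e|
    puts "#{e.inspect}: lenient=#{resolve_lenient(e).inspect} " \
         "strict=#{resolve_strict(e).inspect}"
  end
end
```

A regression test for this class of bug should include at least one address whose leading digits match an existing user id and assert that an invitation, not a membership, is created.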