authorGitLab Bot <gitlab-bot@gitlab.com>2023-09-20 18:07:33 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-09-20 18:07:33 +0300
commit8ad0af586ed73d33493fe91a0f5204953c7e701a (patch)
tree242646920b7bb0fae8735a919514e66b15061aa6 /app/controllers
parentf80dee91829a985dbf7d07b606179e06e87166a6 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/concerns/google_analytics_csp.rb20
-rw-r--r--app/controllers/concerns/onboarding/redirectable.rb31
-rw-r--r--app/controllers/omniauth_callbacks_controller.rb34
-rw-r--r--app/controllers/registrations/welcome_controller.rb15
-rw-r--r--app/controllers/registrations_controller.rb15
5 files changed, 82 insertions, 33 deletions
diff --git a/app/controllers/concerns/google_analytics_csp.rb b/app/controllers/concerns/google_analytics_csp.rb
index 1a8e405928d..4fffe298803 100644
--- a/app/controllers/concerns/google_analytics_csp.rb
+++ b/app/controllers/concerns/google_analytics_csp.rb
@@ -7,17 +7,33 @@ module GoogleAnalyticsCSP
content_security_policy do |policy|
next unless helpers.google_tag_manager_enabled? || policy.directives.present?
+ # Tag Manager with a Content Security Policy for Google Analytics 4
+ # https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
+
default_script_src = policy.directives['script-src'] || policy.directives['default-src']
script_src_values = Array.wrap(default_script_src) | ['*.googletagmanager.com']
policy.script_src(*script_src_values)
default_img_src = policy.directives['img-src'] || policy.directives['default-src']
- img_src_values = Array.wrap(default_img_src) | ['*.google-analytics.com', '*.googletagmanager.com']
+ img_src_values =
+ Array.wrap(default_img_src) |
+ [
+ '*.google-analytics.com',
+ '*.analytics.google.com',
+ '*.googletagmanager.com',
+ '*.g.doubleclick.net'
+ ]
policy.img_src(*img_src_values)
default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
connect_src_values =
- Array.wrap(default_connect_src) | ['*.google-analytics.com', '*.analytics.google.com', '*.googletagmanager.com']
+ Array.wrap(default_connect_src) |
+ [
+ '*.google-analytics.com',
+ '*.analytics.google.com',
+ '*.googletagmanager.com',
+ '*.g.doubleclick.net'
+ ]
policy.connect_src(*connect_src_values)
end
end
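Review bot: `*.g.doubleclick.net` is added to both `img-src` and `connect-src` with nothing in the hunk saying which analytics feature needs a wildcard over an ad-serving domain; the comment above cites the GA4 CSP guide, so the reason belongs next to the entry, e.g. `# *.g.doubleclick.net: needed by GA4 ads/signals features — confirm against the linked guide`, so it is not kept by default once analytics is reconfigured. The four-host lists for `img-src` and `connect-src` are now identical; hoisting them into one frozen constant such as `GA_HOSTS = %w[...].freeze` and using `| GA_HOSTS` in both places stops the two from drifting apart. The hosts carry no scheme, so they match the page's own scheme; that is fine for an HTTPS-only deployment but is worth stating in the comment. The `content_security_policy` call sits inside a block that opens above the hunk.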
diff --git a/app/controllers/concerns/onboarding/redirectable.rb b/app/controllers/concerns/onboarding/redirectable.rb
new file mode 100644
index 00000000000..7e669db9199
--- /dev/null
+++ b/app/controllers/concerns/onboarding/redirectable.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Onboarding
+ module Redirectable
+ extend ActiveSupport::Concern
+
+ private
+
+ def after_sign_up_path
+ if onboarding_status.single_invite?
+ flash[:notice] = helpers.invite_accepted_notice(onboarding_status.last_invited_member)
+ onboarding_status.last_invited_member_source.activity_path
+ else
+ # Invites will come here if there is more than 1.
+ path_for_signed_in_user
+ end
+ end
+
+ def path_for_signed_in_user
+ stored_location_for(:user) || last_member_activity_path
+ end
+
+ def last_member_activity_path
+ return dashboard_projects_path unless onboarding_status.last_invited_member_source.present?
+
+ onboarding_status.last_invited_member_source.activity_path
+ end
+ end
+end
+
+Onboarding::Redirectable.prepend_mod
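Review bot: The `single_invite?` branch of `after_sign_up_path` calls `onboarding_status.last_invited_member_source.activity_path` with no presence check, while `last_member_activity_path` below guards the same source with `present?`; unless `single_invite?` guarantees a non-nil source, a removed invite target raises here instead of falling back to `dashboard_projects_path`, so either use `last_member_activity_path` on that line or document the invariant. The module also relies on `onboarding_status`, `helpers`, `stored_location_for` and `dashboard_projects_path` from the including controller without saying so; a module comment such as `# Expects the including controller to define #onboarding_status (an Onboarding::Status) and to be a Devise controller (stored_location_for).` would make that contract visible. `after_sign_up_path` also writes `flash[:notice]` as a side effect of computing a path, which deserves a one-line comment.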
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 72b3516ae3f..a97516fddff 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -7,6 +7,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
include InitializesCurrentUserMode
include KnownSignIn
include AcceptsPendingInvitations
+ include Onboarding::Redirectable
after_action :verify_known_sign_in
@@ -169,38 +170,38 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
def sign_in_user_flow(auth_user_class)
auth_user = build_auth_user(auth_user_class)
new_user = auth_user.new?
- user = auth_user.find_and_update!
+ @user = auth_user.find_and_update!
if auth_user.valid_sign_in?
# In this case the `#current_user` would not be set. So we can't fetch it
# from that in `#context_user`. Pushing it manually here makes the information
# available in the logs for this request.
- Gitlab::ApplicationContext.push(user: user)
- track_event(user, oauth['provider'], 'succeeded')
- Gitlab::Tracking.event(self.class.name, "#{oauth['provider']}_sso", user: user) if new_user
+ Gitlab::ApplicationContext.push(user: @user)
+ track_event(@user, oauth['provider'], 'succeeded')
+ Gitlab::Tracking.event(self.class.name, "#{oauth['provider']}_sso", user: @user) if new_user
- set_remember_me(user)
+ set_remember_me(@user)
- if user.two_factor_enabled? && !auth_user.bypass_two_factor?
- prompt_for_two_factor(user)
+ if @user.two_factor_enabled? && !auth_user.bypass_two_factor?
+ prompt_for_two_factor(@user)
store_idp_two_factor_status(false)
else
- if user.deactivated?
- user.activate
+ if @user.deactivated?
+ @user.activate
flash[:notice] = _('Welcome back! Your account had been deactivated due to inactivity but is now reactivated.')
end
# session variable for storing bypass two-factor request from IDP
store_idp_two_factor_status(true)
- accept_pending_invitations(user: user) if new_user
- persist_accepted_terms_if_required(user) if new_user
+ accept_pending_invitations(user: @user) if new_user
+ persist_accepted_terms_if_required(@user) if new_user
- perform_registration_tasks(user, oauth['provider']) if new_user
- sign_in_and_redirect_or_verify_identity(user, auth_user, new_user)
+ perform_registration_tasks(@user, oauth['provider']) if new_user
+ sign_in_and_redirect_or_verify_identity(@user, auth_user, new_user)
end
else
- fail_login(user)
+ fail_login(@user)
end
rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError
handle_disabled_provider
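Review bot: `user` becomes the instance variable `@user` throughout `sign_in_user_flow` but nothing in the method says why; the only new reader is `onboarding_status`, defined later in the file. A comment at the assignment, `# Kept as an ivar so #onboarding_status can build Onboarding::Status for the redirect; assigned before valid_sign_in? so it is also set on the fail_login path.`, would keep the next maintainer from turning it back into a local. Since `prompt_for_two_factor(@user)` renders a response, confirm that the rendered view does not pick up `@user` unintentionally. The method's `rescue` clauses and `end` lie outside the hunk.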
@@ -323,9 +324,10 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
store_location_for(:user, after_sign_up_path)
end
- def after_sign_up_path
- users_sign_up_welcome_path
+ def onboarding_status
+ Onboarding::Status.new(params.to_unsafe_h.deep_symbolize_keys, session, @user)
end
+ strong_memoize_attr :onboarding_status
# overridden in EE
def sign_in_and_redirect_or_verify_identity(user, _, _)
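Review bot: `onboarding_status` passes `params.to_unsafe_h.deep_symbolize_keys`, the unfiltered request parameters, into `Onboarding::Status`, and `strong_memoize_attr` pins the first result for the whole request. Because the status captures `@user`, any caller that runs before `sign_in_user_flow` assigns it would memoize a status with a nil user; if that ordering is not guaranteed, build the status from an explicit user argument or drop the memoization. The `to_unsafe_h` choice deserves a comment, e.g. `# Unfiltered params: Onboarding::Status must treat every key as untrusted and read only the ones it knows.`; `Onboarding::Status` itself is not in this diff, so that contract cannot be checked here.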
diff --git a/app/controllers/registrations/welcome_controller.rb b/app/controllers/registrations/welcome_controller.rb
index f7a601ec0bd..bdbb7b00c40 100644
--- a/app/controllers/registrations/welcome_controller.rb
+++ b/app/controllers/registrations/welcome_controller.rb
@@ -6,6 +6,7 @@ module Registrations
include GoogleAnalyticsCSP
include GoogleSyndicationCSP
include ::Gitlab::Utils::StrongMemoize
+ include Onboarding::Redirectable
layout 'minimal'
# TODO: Once this is an ee + SaaS only feature, we can remove this.
@@ -18,7 +19,7 @@ module Registrations
feature_category :user_management
def show
- return redirect_to path_for_signed_in_user(current_user) if completed_welcome_step?
+ return redirect_to path_for_signed_in_user if completed_welcome_step?
track_event('render')
end
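Review bot: The early return in `show` now reaches `stored_location_for(:user)` through the concern where it previously called `stored_location_for(current_user)`; Devise resolves a resource object to its mapping's scope, so the two should be equivalent as long as `current_user`'s Devise mapping is `:user`, but the hunk assumes rather than shows that, and the spec for this action should pin it. `completed_welcome_step?` and the concern's `path_for_signed_in_user` are defined outside the hunk.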
@@ -52,16 +53,6 @@ module Registrations
params.require(:user).permit(:role, :setup_for_company)
end
- def path_for_signed_in_user(user)
- stored_location_for(user) || last_member_activity_path
- end
-
- def last_member_activity_path
- return dashboard_projects_path unless onboarding_status.last_invited_member_source.present?
-
- onboarding_status.last_invited_member_source.activity_path
- end
-
def update_success_path
if onboarding_status.continue_full_onboarding? # trials/regular registration on .com
signup_onboarding_path
@@ -71,7 +62,7 @@ module Registrations
else
# Subscription registrations goes through here as well.
# Invites will come here too if there is more than 1.
- path_for_signed_in_user(current_user)
+ path_for_signed_in_user
end
end
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index a8b5ca81f49..abc00d7c19b 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -14,6 +14,7 @@ class RegistrationsController < Devise::RegistrationsController
include SkipsAlreadySignedInMessage
include Gitlab::RackLoadBalancingHelpers
include ::Gitlab::Utils::StrongMemoize
+ include Onboarding::Redirectable
layout 'devise'
@@ -60,7 +61,7 @@ class RegistrationsController < Devise::RegistrationsController
# Devise sets a flash message on both successful & failed signups,
# but we only want to show a message if the resource is blocked by a pending approval.
- flash[:notice] = nil unless resource.blocked_pending_approval?
+ flash[:notice] = nil unless allow_flash_content?(resource)
rescue Gitlab::Access::AccessDeniedError
redirect_to(new_user_session_path)
end
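Review bot: `allow_flash_content?(resource)` now also keeps the notice when `onboarding_status.single_invite?` holds, but the hunk does not say which notice that is: presumably the invite-accepted message `after_sign_up_path` writes during sign-up, which the old unconditional reset would have wiped. Record that on the line, e.g. `# Keep Devise's notice only when blocked for approval; keep the invite-accepted notice set in after_sign_up_path on single invites.`, so the coupling between this reset and the concern is visible. The enclosing `create` action begins above the hunk.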
@@ -121,6 +122,9 @@ class RegistrationsController < Devise::RegistrationsController
def after_sign_up_path_for(user)
Gitlab::AppLogger.info(user_created_message(confirmed: user.confirmed?))
+ # Member#accept_invite! operates on the member record to change the association, so the user needs reloaded
+ # to update the collection.
+ user.reset
after_sign_up_path
end
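Review bot: The new comment says the user "needs reloaded" but the code calls `user.reset`, not `reload`; if `reset` only clears cached associations without re-querying, the wording is misleading, and if a fresh database read is actually required then `reload` is the call wanted. Confirm which one `Member#accept_invite!` needs and make the comment match, e.g. `# Member#accept_invite! updates the member row directly; clear the cached association so the user's members are re-read.`. The logged `user_created_message` is unaffected by the reset since it is evaluated first.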
@@ -146,8 +150,13 @@ class RegistrationsController < Devise::RegistrationsController
private
- def after_sign_up_path
- users_sign_up_welcome_path
+ def onboarding_status
+ Onboarding::Status.new(params.to_unsafe_h.deep_symbolize_keys, session, resource)
+ end
+ strong_memoize_attr :onboarding_status
+
+ def allow_flash_content?(user)
+ user.blocked_pending_approval? || onboarding_status.single_invite?
end
# overridden in EE