diff options
Diffstat (limited to 'app/models/user.rb')
| -rw-r--r-- | app/models/user.rb | 59 |
1 files changed, 46 insertions, 13 deletions
diff --git a/app/models/user.rb b/app/models/user.rb index be64e057d59..c735f20b92c 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -25,11 +25,14 @@ class User < ApplicationRecord include IgnorableColumns include UpdateHighestRole include HasUserType + include Gitlab::Auth::Otp::Fortinet DEFAULT_NOTIFICATION_LEVEL = :participating INSTANCE_ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT = 10 + BLOCKED_PENDING_APPROVAL_STATE = 'blocked_pending_approval'.freeze + add_authentication_token_field :incoming_email_token, token_generator: -> { SecureRandom.hex.to_i(16).to_s(36) } add_authentication_token_field :feed_token add_authentication_token_field :static_object_token @@ -166,6 +169,7 @@ class User < ApplicationRecord has_many :issue_assignees, inverse_of: :assignee has_many :merge_request_assignees, inverse_of: :assignee + has_many :merge_request_reviewers, inverse_of: :reviewer has_many :assigned_issues, class_name: "Issue", through: :issue_assignees, source: :issue has_many :assigned_merge_requests, class_name: "MergeRequest", through: :merge_request_assignees, source: :merge_request @@ -286,6 +290,7 @@ class User < ApplicationRecord delegate :path, to: :namespace, allow_nil: true, prefix: true delegate :job_title, :job_title=, to: :user_detail, allow_nil: true + delegate :other_role, :other_role=, to: :user_detail, allow_nil: true delegate :bio, :bio=, :bio_html, to: :user_detail, allow_nil: true delegate :webauthn_xid, :webauthn_xid=, to: :user_detail, allow_nil: true @@ -587,11 +592,7 @@ class User < ApplicationRecord sanitized_order_sql = Arel.sql(sanitize_sql_array([order, query: query])) - where( - fuzzy_arel_match(:name, query, lower_exact_match: true) - .or(fuzzy_arel_match(:username, query, lower_exact_match: true)) - .or(arel_table[:email].eq(query)) - ).reorder(sanitized_order_sql, :name) + search_with_secondary_emails(query).reorder(sanitized_order_sql, :name) end # Limits the result set to users _not_ in the given query/list of IDs. @@ -606,6 +607,18 @@ class User < ApplicationRecord reorder(:name) end + def search_without_secondary_emails(query) + return none if query.blank? + + query = query.downcase + + where( + fuzzy_arel_match(:name, query, lower_exact_match: true) + .or(fuzzy_arel_match(:username, query, lower_exact_match: true)) + .or(arel_table[:email].eq(query)) + ) + end + # searches user by given pattern # it compares name, email, username fields and user's secondary emails with given pattern # This method uses ILIKE on PostgreSQL. @@ -616,15 +629,16 @@ class User < ApplicationRecord query = query.downcase email_table = Email.arel_table - matched_by_emails_user_ids = email_table + matched_by_email_user_id = email_table .project(email_table[:user_id]) .where(email_table[:email].eq(query)) + .take(1) # at most 1 record as there is a unique constraint where( fuzzy_arel_match(:name, query) .or(fuzzy_arel_match(:username, query)) .or(arel_table[:email].eq(query)) - .or(arel_table[:id].in(matched_by_emails_user_ids)) + .or(arel_table[:id].eq(matched_by_email_user_id)) ) end @@ -708,6 +722,7 @@ class User < ApplicationRecord u.name = 'GitLab Security Bot' u.website_url = Gitlab::Routing.url_helpers.help_page_url('user/application_security/security_bot/index.md') u.avatar = bot_avatar(image: 'security-bot.png') + u.confirmed_at = Time.zone.now end end @@ -797,7 +812,9 @@ class User < ApplicationRecord end def two_factor_otp_enabled? - otp_required_for_login? || Feature.enabled?(:forti_authenticator, self) + otp_required_for_login? || + forti_authenticator_enabled?(self) || + forti_token_cloud_enabled?(self) end def two_factor_u2f_enabled? @@ -1032,7 +1049,7 @@ class User < ApplicationRecord end def require_personal_access_token_creation_for_git_auth? - return false if allow_password_authentication_for_git? || ldap_user? + return false if allow_password_authentication_for_git? || password_based_omniauth_user? PersonalAccessTokensFinder.new(user: self, impersonation: false, state: 'active').execute.none? end @@ -1050,7 +1067,7 @@ class User < ApplicationRecord end def allow_password_authentication_for_git? - Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user? + Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !password_based_omniauth_user? end def can_change_username? @@ -1130,6 +1147,18 @@ class User < ApplicationRecord namespace.find_fork_of(project) end + def password_based_omniauth_user? + ldap_user? || crowd_user? + end + + def crowd_user? + if identities.loaded? + identities.find { |identity| identity.provider == 'crowd' && identity.extern_uid.present? } + else + identities.with_any_extern_uid('crowd').exists? + end + end + def ldap_user? if identities.loaded? identities.find { |identity| Gitlab::Auth::OAuth::Provider.ldap_provider?(identity.provider) && !identity.extern_uid.nil? } @@ -1229,7 +1258,7 @@ class User < ApplicationRecord end def solo_owned_groups - @solo_owned_groups ||= owned_groups.select do |group| + @solo_owned_groups ||= owned_groups.includes(:owners).select do |group| group.owners == [self] end end @@ -1464,6 +1493,10 @@ class User < ApplicationRecord !solo_owned_groups.present? end + def can_remove_self? + true + end + def ci_owned_runners @ci_owned_runners ||= begin project_runners = Ci::RunnerProject @@ -1636,11 +1669,11 @@ class User < ApplicationRecord save end - # each existing user needs to have an `feed_token`. + # each existing user needs to have a `feed_token`. # we do this on read since migrating all existing users is not a feasible # solution. def feed_token - ensure_feed_token! + Gitlab::CurrentSettings.disable_feed_token ? nil : ensure_feed_token! end # Each existing user needs to have a `static_object_token`. |