Merge branch 'security-prevent-leaking-emails-of-newly-created-users-16-0' into '16-0-stable-ee'

Prevent leaking emails of newly created users See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3451 Merged-by: Reuben Pereira <2967854-rpereira2@users.noreply.gitlab.com> Approved-by: Sashi Kumar Kumaresan <skumar@gitlab.com> Co-authored-by: Bogdan Denkovych <bdenkovych@gitlab.com>

Merge branch 'security-prevent-leaking-emails-of-newly-created-users-16-0' into '16-0-stable-ee'
97bc8664 · Reuben Pereira · afc3f9a6 · b2872b39 · 97bc8664 · 97bc8664
Commit 97bc8664 authored 1 year ago by Reuben Pereira
--- a/ee/app/models/ee/member.rb
+++ b/ee/app/models/ee/member.rb
@@ -171,7 +171,7 @@ def validate_email_verified
      return if group_saml_identity(root_ancestor: true).present?
      return if group.root_ancestor.scim_identities.for_user(user).exists?
  
-      errors.add(:user, email_not_verified)
+      errors.add(:user, _('is not verified.'))
    end
  
    def email_does_not_match_any_allowed_domains(email)
@@ -188,10 +188,6 @@ def matches_at_least_one_group_allowed_email_domain?(email)
      end
    end
  
-    def email_not_verified
-      _("email '%{email}' is not a verified email." % { email: user.email })
-    end
-
    def set_membership_activation
      self.state = ::Member::STATE_AWAITING unless has_capacity_left?
    end

--- a/ee/spec/controllers/groups/group_members_controller_spec.rb
+++ b/ee/spec/controllers/groups/group_members_controller_spec.rb
@@ -173,7 +173,7 @@
            post :request_access, params: { group_id: group }
  
            expect(controller).to set_flash.to "Your request for access could not be processed: "\
-              "The member's email address email 'unverified@gitlab.com' is not a verified email."
+              "The member's email address is not verified."
            expect(response).to redirect_to(group_path(group))
            expect(group.requesters.exists?(user_id: requesting_user)).to be_falsey
            expect(group.users).not_to include requesting_user

--- a/ee/spec/support/shared_examples/models/member_shared_examples.rb
+++ b/ee/spec/support/shared_examples/models/member_shared_examples.rb
@@ -72,7 +72,7 @@
      create(:allowed_email_domain, group: group, domain: 'acme.com')
    end
  
-    context 'when project parent has email domain feature switched on' do
+    context 'when group_allowed_email_domains is turned on' do
      before do
        stub_licensed_features(group_allowed_email_domains: true)
      end
@@ -113,11 +113,11 @@
        expect(build(member_type, source: source, user: nil, invite_email: 'invite@acme.com')).to be_valid
      end
  
-      it 'user emails matching allowed domain must be verified' do
-        project_member = build(member_type, source: source, user: unconfirmed_gitlab_user)
+      it 'user email must be verified' do
+        member = build(member_type, source: source, user: unconfirmed_gitlab_user)
  
-        expect(project_member).to be_invalid
-        expect(project_member.errors[:user]).to include("email 'unverified@gitlab.com' is not a verified email.")
+        expect(member).to be_invalid
+        expect(member.errors[:user]).to include('is not verified.')
      end
  
      context 'with project bot users' do
@@ -167,11 +167,11 @@
          expect(build(member_type, source: nested_source, user: nil, invite_email: 'invite@acme.com')).to be_valid
        end
  
-        it 'user emails matching allowed domain must be verified' do
+        it 'user email must be verified' do
          member = build(member_type, source: nested_source, user: unconfirmed_gitlab_user)
  
          expect(member).to be_invalid
-          expect(member.errors[:user]).to include("email 'unverified@gitlab.com' is not a verified email.")
+          expect(member.errors[:user]).to include('is not verified.')
        end
  
        context 'with group SCIM users' do
@@ -198,7 +198,7 @@
      end
    end
  
-    context 'when project parent group has email domain feature switched off' do
+    context 'when group_allowed_email_domains is turned off' do
      before do
        stub_licensed_features(group_allowed_email_domains: false)
      end

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -53174,9 +53174,6 @@ msgstr ""
 msgid "eligible users"
 msgstr ""
  
-msgid "email '%{email}' is not a verified email."
-msgstr ""
-
 msgid "email address settings"
 msgstr ""
  
@@ -53482,6 +53479,9 @@ msgstr ""
 msgid "is not valid. The iteration group has to match the iteration cadence group."
 msgstr ""
  
+msgid "is not verified."
+msgstr ""
+
 msgid "is one of"
 msgstr ""