Prevent leaking emails of newly created users

Merge branch 'security-prevent-leaking-emails-of-newly-created-users-16-0' into '16-0-stable-ee'

See merge request gitlab-org/security/gitlab!3451

Changelog: security

ee/app/models/ee/member.rb

@@ -171,7 +171,7 @@ def validate_email_verified
       return if group_saml_identity(root_ancestor: true).present?
       return if group.root_ancestor.scim_identities.for_user(user).exists?
-      errors.add(:user, email_not_verified)
+      errors.add(:user, _('is not verified.'))
     end
     def email_does_not_match_any_allowed_domains(email)
@@ -188,10 +188,6 @@ def matches_at_least_one_group_allowed_email_domain?(email)
       end
     end
-    def email_not_verified
-      _("email '%{email}' is not a verified email." % { email: user.email })
-    end
-
     def set_membership_activation
       self.state = ::Member::STATE_AWAITING unless has_capacity_left?
     end

ee/spec/controllers/groups/group_members_controller_spec.rb

@@ -173,7 +173,7 @@
             post :request_access, params: { group_id: group }
             expect(controller).to set_flash.to "Your request for access could not be processed: "\
-              "The member's email address email 'unverified@gitlab.com' is not a verified email."
+              "The member's email address is not verified."
             expect(response).to redirect_to(group_path(group))
             expect(group.requesters.exists?(user_id: requesting_user)).to be_falsey
             expect(group.users).not_to include requesting_user

ee/spec/support/shared_examples/models/member_shared_examples.rb

@@ -72,7 +72,7 @@
       create(:allowed_email_domain, group: group, domain: 'acme.com')
     end
-    context 'when project parent has email domain feature switched on' do
+    context 'when group_allowed_email_domains is turned on' do
       before do
         stub_licensed_features(group_allowed_email_domains: true)
       end
@@ -113,11 +113,11 @@
         expect(build(member_type, source: source, user: nil, invite_email: 'invite@acme.com')).to be_valid
       end
-      it 'user emails matching allowed domain must be verified' do
-        project_member = build(member_type, source: source, user: unconfirmed_gitlab_user)
-        expect(project_member).to be_invalid
-        expect(project_member.errors[:user]).to include("email 'unverified@gitlab.com' is not a verified email.")
+      it 'user email must be verified' do
+        member = build(member_type, source: source, user: unconfirmed_gitlab_user)
+        expect(member).to be_invalid
+        expect(member.errors[:user]).to include('is not verified.')
       end
       context 'with project bot users' do
@@ -167,11 +167,11 @@
           expect(build(member_type, source: nested_source, user: nil, invite_email: 'invite@acme.com')).to be_valid
         end
-        it 'user emails matching allowed domain must be verified' do
+        it 'user email must be verified' do
           member = build(member_type, source: nested_source, user: unconfirmed_gitlab_user)
           expect(member).to be_invalid
-          expect(member.errors[:user]).to include("email 'unverified@gitlab.com' is not a verified email.")
+          expect(member.errors[:user]).to include('is not verified.')
         end
         context 'with group SCIM users' do
@@ -198,7 +198,7 @@
       end
     end
-    context 'when project parent group has email domain feature switched off' do
+    context 'when group_allowed_email_domains is turned off' do
       before do
         stub_licensed_features(group_allowed_email_domains: false)
       end

locale/gitlab.pot

@@ -53168,9 +53168,6 @@ msgstr ""
 msgid "eligible users"
 msgstr ""
-msgid "email '%{email}' is not a verified email."
-msgstr ""
-
 msgid "email address settings"
 msgstr ""
@@ -53476,6 +53473,9 @@ msgstr ""
 msgid "is not valid. The iteration group has to match the iteration cadence group."
 msgstr ""
+msgid "is not verified."
+msgstr ""
+
 msgid "is one of"
 msgstr ""