debian-mirror-gitlab/app/models/user.rb

2452 lines
83 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2014-09-02 18:07:02 +05:30
require 'carrierwave/orm/activerecord'
2019-03-02 22:35:43 +05:30
class User < ApplicationRecord
2015-04-26 12:48:37 +05:30
extend Gitlab::ConfigHelper
2015-09-11 14:41:01 +05:30
include Gitlab::ConfigHelper
2018-03-17 18:26:18 +05:30
include Gitlab::SQL::Pattern
include AfterCommitQueue
2017-09-10 17:25:29 +05:30
include Avatarable
2022-08-13 15:12:31 +05:30
include Awareness
2015-09-11 14:41:01 +05:30
include Referable
include Sortable
2015-10-24 18:46:33 +05:30
include CaseSensitivity
2015-12-23 02:04:40 +05:30
include TokenAuthenticatable
2017-09-10 17:25:29 +05:30
include FeatureGate
include CreatedAtFilterable
2018-03-17 18:26:18 +05:30
include BulkMemberAccessLoad
2022-05-07 20:08:51 +05:30
include BlocksUnsafeSerialization
2018-11-08 19:23:39 +05:30
include WithUploads
2018-11-20 20:47:30 +05:30
include OptionallySearch
2018-12-05 23:21:45 +05:30
include FromUnion
2020-03-13 15:44:24 +05:30
include BatchDestroyDependentAssociations
2022-06-21 17:19:12 +05:30
include BatchNullifyDependentAssociations
2020-04-22 19:07:51 +05:30
include HasUniqueInternalUsers
include IgnorableColumns
include UpdateHighestRole
2020-05-24 23:13:21 +05:30
include HasUserType
2021-02-22 17:27:13 +05:30
include Gitlab::Auth::Otp::Fortinet
2023-05-27 22:25:52 +05:30
include Gitlab::Auth::Otp::DuoAuth
2021-10-27 15:23:28 +05:30
include RestrictedSignup
2022-01-26 12:08:38 +05:30
include StripAttribute
2022-08-27 11:52:29 +05:30
include EachBatch
2015-12-23 02:04:40 +05:30
DEFAULT_NOTIFICATION_LEVEL = :participating
2021-01-29 00:20:46 +05:30
INSTANCE_ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT = 10
2021-03-08 18:12:59 +05:30
BLOCKED_PENDING_APPROVAL_STATE = 'blocked_pending_approval'
2021-02-22 17:27:13 +05:30
2021-06-08 01:23:25 +05:30
COUNT_CACHE_VALIDITY_PERIOD = 24.hours
2022-06-21 17:19:12 +05:30
OTP_SECRET_LENGTH = 32
OTP_SECRET_TTL = 2.minutes
2021-09-04 01:27:46 +05:30
MAX_USERNAME_LENGTH = 255
MIN_USERNAME_LENGTH = 2
2023-03-04 22:38:38 +05:30
MAX_LIMIT_FOR_ASSIGNEED_ISSUES_COUNT = 100
2021-11-11 11:23:49 +05:30
SECONDARY_EMAIL_ATTRIBUTES = [
:commit_email,
:notification_email,
:public_email
].freeze
2022-06-21 17:19:12 +05:30
FORBIDDEN_SEARCH_STATES = %w(blocked banned ldap_blocked).freeze
2018-11-18 11:00:15 +05:30
add_authentication_token_field :incoming_email_token, token_generator: -> { SecureRandom.hex.to_i(16).to_s(36) }
2018-11-08 19:23:39 +05:30
add_authentication_token_field :feed_token
2022-03-02 08:16:31 +05:30
add_authentication_token_field :static_object_token, encrypted: :optional
2014-09-02 18:07:02 +05:30
2023-03-04 22:38:38 +05:30
attribute :admin, default: false
attribute :external, default: -> { Gitlab::CurrentSettings.user_default_external }
attribute :can_create_group, default: -> { Gitlab::CurrentSettings.can_create_group }
2023-03-17 16:20:25 +05:30
attribute :private_profile, default: -> { Gitlab::CurrentSettings.user_defaults_to_private_profile }
2023-03-04 22:38:38 +05:30
attribute :can_create_team, default: false
attribute :hide_no_ssh_key, default: false
attribute :hide_no_password, default: false
attribute :project_view, default: :files
attribute :notified_of_own_activity, default: false
2023-03-17 16:20:25 +05:30
attribute :preferred_language, default: -> { Gitlab::CurrentSettings.default_preferred_language }
2023-03-04 22:38:38 +05:30
attribute :theme_id, default: -> { gitlab_config.default_theme }
2023-05-27 22:25:52 +05:30
attribute :color_scheme_id, default: -> { Gitlab::CurrentSettings.default_syntax_highlighting_theme }
2014-09-02 18:07:02 +05:30
attr_encrypted :otp_secret,
2022-08-27 11:52:29 +05:30
key: Gitlab::Application.secrets.otp_key_base,
mode: :per_attribute_iv_and_salt,
2016-08-24 12:49:21 +05:30
insecure_mode: true,
algorithm: 'aes-256-cbc'
2015-09-11 14:41:01 +05:30
devise :two_factor_authenticatable,
2016-09-13 17:45:13 +05:30
otp_secret_encryption_key: Gitlab::Application.secrets.otp_key_base
2015-09-11 14:41:01 +05:30
devise :two_factor_backupable, otp_number_of_backup_codes: 10
2022-11-25 23:54:43 +05:30
devise :two_factor_backupable_pbkdf2
2017-09-10 17:25:29 +05:30
serialize :otp_backup_codes, JSON # rubocop:disable Cop/ActiveRecordSerialize
2015-09-11 14:41:01 +05:30
devise :lockable, :recoverable, :rememberable, :trackable,
2023-01-13 00:05:48 +05:30
:validatable, :omniauthable, :confirmable, :registerable
# Must be included after `devise`
include EncryptedUserPassword
2014-09-02 18:07:02 +05:30
2020-11-24 15:15:51 +05:30
include AdminChangedPasswordNotifier
2020-05-24 23:13:21 +05:30
# This module adds async behaviour to Devise emails
# and should be added after Devise modules are initialized.
include AsyncDeviseEmail
2022-03-02 08:16:31 +05:30
include ForcedEmailConfirmation
2022-08-13 15:12:31 +05:30
include RequireEmailVerification
2020-05-24 23:13:21 +05:30
2022-07-23 23:45:48 +05:30
MINIMUM_DAYS_CREATED = 7
2020-04-22 19:07:51 +05:30
2017-09-10 17:25:29 +05:30
# Override Devise::Models::Trackable#update_tracked_fields!
# to limit database writes to at most once every hour
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2017-09-10 17:25:29 +05:30
def update_tracked_fields!(request)
2018-03-17 18:26:18 +05:30
return if Gitlab::Database.read_only?
2017-09-10 17:25:29 +05:30
update_tracked_fields(request)
2021-09-04 01:27:46 +05:30
Gitlab::ExclusiveLease.throttle(id) do
::Ability.forgetting(/admin/) do
Users::UpdateService.new(self, user: self).execute(validate: false)
end
end
2017-09-10 17:25:29 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2017-09-10 17:25:29 +05:30
2014-09-02 18:07:02 +05:30
attr_accessor :force_random_password
# Virtual attribute for authenticating by either username or email
attr_accessor :login
2020-05-24 23:13:21 +05:30
# Virtual attribute for impersonator
attr_accessor :impersonator
2014-09-02 18:07:02 +05:30
#
# Relations
#
# Namespace for personal projects
2021-11-18 22:05:49 +05:30
has_one :namespace,
2022-01-26 12:08:38 +05:30
-> { where(type: Namespaces::UserNamespace.sti_name) },
2021-11-18 22:05:49 +05:30
dependent: :destroy, # rubocop:disable Cop/ActiveRecordDependent
foreign_key: :owner_id,
inverse_of: :owner,
autosave: true # rubocop:disable Cop/ActiveRecordDependent
2014-09-02 18:07:02 +05:30
# Profile
2018-12-13 13:39:08 +05:30
has_many :keys, -> { regular_keys }, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2021-12-11 22:18:48 +05:30
has_many :expired_today_and_unnotified_keys, -> { expired_today_and_not_notified }, class_name: 'Key'
2021-04-29 21:17:54 +05:30
has_many :expiring_soon_and_unnotified_keys, -> { expiring_soon_and_not_notified }, class_name: 'Key'
2018-05-09 12:01:36 +05:30
has_many :deploy_keys, -> { where(type: 'DeployKey') }, dependent: :nullify # rubocop:disable Cop/ActiveRecordDependent
2020-10-24 23:57:45 +05:30
has_many :group_deploy_keys
2017-09-10 17:25:29 +05:30
has_many :gpg_keys
2017-08-17 22:00:37 +05:30
2020-11-24 15:15:51 +05:30
has_many :emails
2017-09-10 17:25:29 +05:30
has_many :personal_access_tokens, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :identities, dependent: :destroy, autosave: true # rubocop:disable Cop/ActiveRecordDependent
has_many :u2f_registrations, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2020-11-24 15:15:51 +05:30
has_many :webauthn_registrations
2017-09-10 17:25:29 +05:30
has_many :chat_names, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2022-05-07 20:08:51 +05:30
has_many :saved_replies, class_name: '::Users::SavedReply'
2018-03-17 18:26:18 +05:30
has_one :user_synced_attributes_metadata, autosave: true
2019-12-21 20:55:43 +05:30
has_one :aws_role, class_name: 'Aws::Role'
2014-09-02 18:07:02 +05:30
2021-03-11 19:13:27 +05:30
# Followers
has_many :followed_users, foreign_key: :follower_id, class_name: 'Users::UserFollowUser'
has_many :followees, through: :followed_users
has_many :following_users, foreign_key: :followee_id, class_name: 'Users::UserFollowUser'
has_many :followers, through: :following_users
2014-09-02 18:07:02 +05:30
# Groups
2018-03-17 18:26:18 +05:30
has_many :members
2021-04-29 21:17:54 +05:30
has_many :group_members, -> { where(requested_at: nil).where("access_level >= ?", Gitlab::Access::GUEST) }, class_name: 'GroupMember'
2015-04-26 12:48:37 +05:30
has_many :groups, through: :group_members
2022-04-04 11:22:00 +05:30
has_many :groups_with_active_memberships, -> { where(members: { state: ::Member::STATE_ACTIVE }) }, through: :group_members, source: :group
2018-05-09 12:01:36 +05:30
has_many :owned_groups, -> { where(members: { access_level: Gitlab::Access::OWNER }) }, through: :group_members, source: :group
2018-11-18 11:00:15 +05:30
has_many :maintainers_groups, -> { where(members: { access_level: Gitlab::Access::MAINTAINER }) }, through: :group_members, source: :group
2019-07-07 11:18:12 +05:30
has_many :developer_groups, -> { where(members: { access_level: ::Gitlab::Access::DEVELOPER }) }, through: :group_members, source: :group
2018-11-20 20:47:30 +05:30
has_many :owned_or_maintainers_groups,
-> { where(members: { access_level: [Gitlab::Access::MAINTAINER, Gitlab::Access::OWNER] }) },
through: :group_members,
source: :group
2018-11-18 11:00:15 +05:30
alias_attribute :masters_groups, :maintainers_groups
2022-11-25 23:54:43 +05:30
has_many :developer_maintainer_owned_groups,
-> { where(members: { access_level: [Gitlab::Access::DEVELOPER, Gitlab::Access::MAINTAINER, Gitlab::Access::OWNER] }) },
through: :group_members,
source: :group
2020-01-01 13:55:28 +05:30
has_many :reporter_developer_maintainer_owned_groups,
-> { where(members: { access_level: [Gitlab::Access::REPORTER, Gitlab::Access::DEVELOPER, Gitlab::Access::MAINTAINER, Gitlab::Access::OWNER] }) },
through: :group_members,
source: :group
2021-04-29 21:17:54 +05:30
has_many :minimal_access_group_members, -> { where(access_level: [Gitlab::Access::MINIMAL_ACCESS]) }, class_name: 'GroupMember'
2021-01-03 14:25:43 +05:30
has_many :minimal_access_groups, through: :minimal_access_group_members, source: :group
2014-09-02 18:07:02 +05:30
# Projects
has_many :groups_projects, through: :groups, source: :projects
has_many :personal_projects, through: :namespace, source: :projects
2018-03-17 18:26:18 +05:30
has_many :project_members, -> { where(requested_at: nil) }
2015-04-26 12:48:37 +05:30
has_many :projects, through: :project_members
2023-01-13 00:05:48 +05:30
has_many :created_projects, foreign_key: :creator_id, class_name: 'Project', dependent: :nullify # rubocop:disable Cop/ActiveRecordDependent
2022-04-04 11:22:00 +05:30
has_many :projects_with_active_memberships, -> { where(members: { state: ::Member::STATE_ACTIVE }) }, through: :project_members, source: :project
2017-09-10 17:25:29 +05:30
has_many :users_star_projects, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2014-09-02 18:07:02 +05:30
has_many :starred_projects, through: :users_star_projects, source: :project
2018-11-08 19:23:39 +05:30
has_many :project_authorizations, dependent: :delete_all # rubocop:disable Cop/ActiveRecordDependent
2017-08-17 22:00:37 +05:30
has_many :authorized_projects, through: :project_authorizations, source: :project
2014-09-02 18:07:02 +05:30
2018-03-27 19:54:05 +05:30
has_many :user_interacted_projects
has_many :project_interactions, through: :user_interacted_projects, source: :project, class_name: 'Project'
2017-09-10 17:25:29 +05:30
has_many :snippets, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
has_many :notes, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
has_many :issues, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2022-11-25 23:54:43 +05:30
has_many :legacy_assigned_merge_requests, class_name: 'MergeRequest', dependent: :nullify, foreign_key: :assignee_id # rubocop:disable Cop/ActiveRecordDependent
has_many :merged_merge_requests, class_name: 'MergeRequest::Metrics', dependent: :nullify, foreign_key: :merged_by_id # rubocop:disable Cop/ActiveRecordDependent
has_many :closed_merge_requests, class_name: 'MergeRequest::Metrics', dependent: :nullify, foreign_key: :latest_closed_by_id # rubocop:disable Cop/ActiveRecordDependent
has_many :updated_merge_requests, class_name: 'MergeRequest', dependent: :nullify, foreign_key: :updated_by_id # rubocop:disable Cop/ActiveRecordDependent
2022-06-21 17:19:12 +05:30
has_many :updated_issues, class_name: 'Issue', dependent: :nullify, foreign_key: :updated_by_id # rubocop:disable Cop/ActiveRecordDependent
has_many :closed_issues, class_name: 'Issue', dependent: :nullify, foreign_key: :closed_by_id # rubocop:disable Cop/ActiveRecordDependent
2017-09-10 17:25:29 +05:30
has_many :merge_requests, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2019-12-04 20:38:33 +05:30
has_many :events, dependent: :delete_all, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2019-02-15 15:39:39 +05:30
has_many :releases, dependent: :nullify, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2017-09-10 17:25:29 +05:30
has_many :subscriptions, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :oauth_applications, class_name: 'Doorkeeper::Application', as: :owner, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2023-03-17 16:20:25 +05:30
has_many :abuse_reports, dependent: :destroy, foreign_key: :user_id # rubocop:disable Cop/ActiveRecordDependent
2017-09-10 17:25:29 +05:30
has_many :reported_abuse_reports, dependent: :destroy, foreign_key: :reporter_id, class_name: "AbuseReport" # rubocop:disable Cop/ActiveRecordDependent
has_many :spam_logs, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2022-01-26 12:08:38 +05:30
has_many :builds, class_name: 'Ci::Build'
has_many :pipelines, class_name: 'Ci::Pipeline'
2022-11-25 23:54:43 +05:30
has_many :todos, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :authored_todos, class_name: 'Todo', dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2018-11-18 11:00:15 +05:30
has_many :notification_settings
2017-09-10 17:25:29 +05:30
has_many :award_emoji, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2021-11-11 11:23:49 +05:30
has_many :triggers, class_name: 'Ci::Trigger', foreign_key: :owner_id
2023-05-27 22:25:52 +05:30
has_many :audit_events, foreign_key: :author_id, inverse_of: :user
2017-08-17 22:00:37 +05:30
2023-05-27 22:25:52 +05:30
has_many :alert_assignees, class_name: '::AlertManagement::AlertAssignee', inverse_of: :assignee
2020-07-28 23:09:34 +05:30
has_many :issue_assignees, inverse_of: :assignee
2022-11-25 23:54:43 +05:30
has_many :merge_request_assignees, inverse_of: :assignee, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :merge_request_reviewers, inverse_of: :reviewer, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2017-08-17 22:00:37 +05:30
has_many :assigned_issues, class_name: "Issue", through: :issue_assignees, source: :issue
2020-07-28 23:09:34 +05:30
has_many :assigned_merge_requests, class_name: "MergeRequest", through: :merge_request_assignees, source: :merge_request
2021-04-17 20:07:23 +05:30
has_many :created_custom_emoji, class_name: 'CustomEmoji', inverse_of: :creator
2014-09-02 18:07:02 +05:30
2021-01-03 14:25:43 +05:30
has_many :bulk_imports
2018-03-17 18:26:18 +05:30
has_many :custom_attributes, class_name: 'UserCustomAttribute'
2022-01-26 12:08:38 +05:30
has_many :callouts, class_name: 'Users::Callout'
2021-11-11 11:23:49 +05:30
has_many :group_callouts, class_name: 'Users::GroupCallout'
2022-08-27 11:52:29 +05:30
has_many :project_callouts, class_name: 'Users::ProjectCallout'
2018-10-15 14:42:47 +05:30
has_many :term_agreements
belongs_to :accepted_term, class_name: 'ApplicationSetting::Term'
2018-03-17 18:26:18 +05:30
2020-05-24 23:13:21 +05:30
has_many :metrics_users_starred_dashboards, class_name: 'Metrics::UsersStarredDashboard', inverse_of: :user
2018-11-18 11:00:15 +05:30
has_one :status, class_name: 'UserStatus'
2018-12-13 13:39:08 +05:30
has_one :user_preference
2020-04-08 14:13:33 +05:30
has_one :user_detail
has_one :user_highest_role
2020-04-22 19:07:51 +05:30
has_one :user_canonical_email
2021-06-08 01:23:25 +05:30
has_one :credit_card_validation, class_name: '::Users::CreditCardValidation'
2022-11-25 23:54:43 +05:30
has_one :phone_number_validation, class_name: '::Users::PhoneNumberValidation'
2020-11-24 15:15:51 +05:30
has_one :atlassian_identity, class_name: 'Atlassian::Identity'
2021-10-27 15:23:28 +05:30
has_one :banned_user, class_name: '::Users::BannedUser'
2018-11-18 11:00:15 +05:30
2020-06-23 00:09:42 +05:30
has_many :reviews, foreign_key: :author_id, inverse_of: :author
2021-04-29 21:17:54 +05:30
has_many :in_product_marketing_emails, class_name: '::Users::InProductMarketingEmail'
2021-10-27 15:23:28 +05:30
has_many :timelogs
2022-07-16 23:28:13 +05:30
has_many :resource_label_events, dependent: :nullify # rubocop:disable Cop/ActiveRecordDependent
2022-11-25 23:54:43 +05:30
has_many :resource_state_events, dependent: :nullify # rubocop:disable Cop/ActiveRecordDependent
has_many :authored_events, class_name: 'Event', dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2023-03-17 16:20:25 +05:30
has_many :namespace_commit_emails, class_name: 'Users::NamespaceCommitEmail'
has_many :user_achievements, class_name: 'Achievements::UserAchievement', inverse_of: :user
has_many :awarded_user_achievements, class_name: 'Achievements::UserAchievement', foreign_key: 'awarded_by_user_id', inverse_of: :awarded_by_user
has_many :revoked_user_achievements, class_name: 'Achievements::UserAchievement', foreign_key: 'revoked_by_user_id', inverse_of: :revoked_by_user
has_many :achievements, through: :user_achievements, class_name: 'Achievements::Achievement', inverse_of: :users
2023-01-13 00:05:48 +05:30
2014-09-02 18:07:02 +05:30
#
# Validations
#
2017-08-17 22:00:37 +05:30
# Note: devise :validatable above adds validations for :email and :password
2020-03-13 15:44:24 +05:30
validates :name, presence: true, length: { maximum: 255 }
validates :first_name, length: { maximum: 127 }
validates :last_name, length: { maximum: 127 }
2017-08-17 22:00:37 +05:30
validates :email, confirmation: true
2021-11-18 22:05:49 +05:30
validates :notification_email, devise_email: true, allow_blank: true
2021-10-27 15:23:28 +05:30
validates :public_email, uniqueness: true, devise_email: true, allow_blank: true
2021-11-18 22:05:49 +05:30
validates :commit_email, devise_email: true, allow_blank: true, unless: ->(user) { user.commit_email == Gitlab::PrivateCommitEmail::TOKEN }
2017-08-17 22:00:37 +05:30
validates :projects_limit,
presence: true,
numericality: { greater_than_or_equal_to: 0, less_than_or_equal_to: Gitlab::Database::MAX_INT_VALUE }
2018-03-17 18:26:18 +05:30
validates :username, presence: true
2022-10-11 01:57:18 +05:30
validate :check_password_weakness, if: :encrypted_password_changed?
2018-03-17 18:26:18 +05:30
validates :namespace, presence: true
2023-05-27 22:25:52 +05:30
validate :namespace_move_dir_allowed, if: :username_changed?, unless: :new_record?
2014-09-02 18:07:02 +05:30
2017-09-10 17:25:29 +05:30
validate :unique_email, if: :email_changed?
2021-10-27 15:23:28 +05:30
validate :notification_email_verified, if: :notification_email_changed?
validate :public_email_verified, if: :public_email_changed?
validate :commit_email_verified, if: :commit_email_changed?
2022-03-02 08:16:31 +05:30
validate :email_allowed_by_restrictions?, if: ->(user) { user.new_record? ? !user.created_by_id : user.email_changed? }
2021-07-02 01:05:55 +05:30
validate :check_username_format, if: :username_changed?
2014-09-02 18:07:02 +05:30
2020-03-13 15:44:24 +05:30
validates :theme_id, allow_nil: true, inclusion: { in: Gitlab::Themes.valid_ids,
2022-11-25 23:54:43 +05:30
message: ->(*) { _("%{placeholder} is not a valid theme") % { placeholder: '%{value}' } } }
2020-03-13 15:44:24 +05:30
validates :color_scheme_id, allow_nil: true, inclusion: { in: Gitlab::ColorSchemes.valid_ids,
2022-11-25 23:54:43 +05:30
message: ->(*) { _("%{placeholder} is not a valid color scheme") % { placeholder: '%{value}' } } }
2020-03-13 15:44:24 +05:30
2023-03-04 22:38:38 +05:30
after_initialize :set_projects_limit
2014-09-02 18:07:02 +05:30
before_validation :sanitize_attrs
2023-03-04 22:38:38 +05:30
before_validation :ensure_namespace_correct
after_validation :set_username_errors
2018-03-17 18:26:18 +05:30
before_save :ensure_incoming_email_token
before_save :ensure_user_rights_and_limits, if: ->(user) { user.new_record? || user.external_changed? }
before_save :skip_reconfirmation!, if: ->(user) { user.email_changed? && user.read_only_attribute?(:email) }
before_save :check_for_verified_email, if: ->(user) { user.email_changed? && !user.new_record? }
2018-05-09 12:01:36 +05:30
before_save :ensure_namespace_correct # in case validation is skipped
2019-07-31 22:56:46 +05:30
after_update :username_changed_hook, if: :saved_change_to_username?
2018-03-17 18:26:18 +05:30
after_destroy :post_destroy_hook
after_destroy :remove_key_cache
2022-06-21 17:19:12 +05:30
after_save if: -> { (saved_change_to_email? || saved_change_to_confirmed_at?) && confirmed? } do
2022-05-07 20:08:51 +05:30
email_to_confirm = self.emails.find_by(email: self.email)
2018-11-08 19:23:39 +05:30
2022-05-07 20:08:51 +05:30
if email_to_confirm.present?
if skip_confirmation_period_expiry_check
email_to_confirm.force_confirm
else
email_to_confirm.confirm
end
else
add_primary_email_to_emails!
2018-11-08 19:23:39 +05:30
end
end
2022-05-07 20:08:51 +05:30
after_commit(on: :update) do
update_invalid_gpg_signatures if previous_changes.key?('email')
end
2018-03-17 18:26:18 +05:30
2015-10-24 18:46:33 +05:30
# User's Layout preference
2020-03-13 15:44:24 +05:30
enum layout: { fixed: 0, fluid: 1 }
2015-10-24 18:46:33 +05:30
2015-09-11 14:41:01 +05:30
# User's Dashboard preference
2023-04-23 21:23:45 +05:30
enum dashboard: { projects: 0, stars: 1, your_activity: 10, project_activity: 2, starred_project_activity: 3, groups: 4, todos: 5, issues: 6, merge_requests: 7, operations: 8, followed_user_activity: 9 }
2015-09-11 14:41:01 +05:30
# User's Project preference
2020-03-13 15:44:24 +05:30
enum project_view: { readme: 0, activity: 1, files: 2 }
2014-09-02 18:07:02 +05:30
2019-12-21 20:55:43 +05:30
# User's role
2020-03-13 15:44:24 +05:30
enum role: { software_developer: 0, development_team_lead: 1, devops_engineer: 2, systems_administrator: 3, security_analyst: 4, data_analyst: 5, product_manager: 6, product_designer: 7, other: 8 }, _suffix: true
2019-12-21 20:55:43 +05:30
2020-06-23 00:09:42 +05:30
delegate :notes_filter_for,
:set_notes_filter,
:first_day_of_week, :first_day_of_week=,
:timezone, :timezone=,
:time_display_relative, :time_display_relative=,
:time_format_in_24h, :time_format_in_24h=,
:show_whitespace_in_diffs, :show_whitespace_in_diffs=,
2020-07-28 23:09:34 +05:30
:view_diffs_file_by_file, :view_diffs_file_by_file=,
2020-06-23 00:09:42 +05:30
:tab_width, :tab_width=,
:sourcegraph_enabled, :sourcegraph_enabled=,
2020-11-24 15:15:51 +05:30
:gitpod_enabled, :gitpod_enabled=,
2020-06-23 00:09:42 +05:30
:setup_for_company, :setup_for_company=,
:render_whitespace_in_code, :render_whitespace_in_code=,
2021-04-17 20:07:23 +05:30
:markdown_surround_selection, :markdown_surround_selection=,
2022-11-25 23:54:43 +05:30
:markdown_automatic_lists, :markdown_automatic_lists=,
2022-06-21 17:19:12 +05:30
:diffs_deletion_color, :diffs_deletion_color=,
:diffs_addition_color, :diffs_addition_color=,
2022-11-25 23:54:43 +05:30
:use_legacy_web_ide, :use_legacy_web_ide=,
2023-03-04 22:38:38 +05:30
:use_new_navigation, :use_new_navigation=,
2020-06-23 00:09:42 +05:30
to: :user_preference
2014-09-02 18:07:02 +05:30
delegate :path, to: :namespace, allow_nil: true, prefix: true
2020-04-08 14:13:33 +05:30
delegate :job_title, :job_title=, to: :user_detail, allow_nil: true
2021-11-11 11:23:49 +05:30
delegate :bio, :bio=, to: :user_detail, allow_nil: true
2020-11-24 15:15:51 +05:30
delegate :webauthn_xid, :webauthn_xid=, to: :user_detail, allow_nil: true
2021-09-04 01:27:46 +05:30
delegate :pronouns, :pronouns=, to: :user_detail, allow_nil: true
2021-10-27 15:23:28 +05:30
delegate :pronunciation, :pronunciation=, to: :user_detail, allow_nil: true
2021-11-18 22:05:49 +05:30
delegate :registration_objective, :registration_objective=, to: :user_detail, allow_nil: true
2022-03-02 08:16:31 +05:30
delegate :requires_credit_card_verification, :requires_credit_card_verification=, to: :user_detail, allow_nil: true
2023-03-17 16:20:25 +05:30
delegate :linkedin, :linkedin=, to: :user_detail, allow_nil: true
delegate :twitter, :twitter=, to: :user_detail, allow_nil: true
delegate :skype, :skype=, to: :user_detail, allow_nil: true
delegate :website_url, :website_url=, to: :user_detail, allow_nil: true
delegate :location, :location=, to: :user_detail, allow_nil: true
delegate :organization, :organization=, to: :user_detail, allow_nil: true
2023-04-23 21:23:45 +05:30
delegate :discord, :discord=, to: :user_detail, allow_nil: true
2019-03-02 22:35:43 +05:30
accepts_nested_attributes_for :user_preference, update_only: true
2020-04-08 14:13:33 +05:30
accepts_nested_attributes_for :user_detail, update_only: true
2021-09-04 01:27:46 +05:30
accepts_nested_attributes_for :credit_card_validation, update_only: true, allow_destroy: true
2014-09-02 18:07:02 +05:30
state_machine :state, initial: :active do
2023-03-04 22:38:38 +05:30
# state_machine uses this method at class loading time to fetch the default
# value for the `state` column but in doing so it also evaluates all other
# columns default values which could trigger the recursive generation of
# ApplicationSetting records. We're setting it to `nil` here because we
# don't have a database default for the `state` column.
#
def owner_class_attribute_default; end
2014-09-02 18:07:02 +05:30
event :block do
transition active: :blocked
2019-12-21 20:55:43 +05:30
transition deactivated: :blocked
transition ldap_blocked: :blocked
2021-01-03 14:25:43 +05:30
transition blocked_pending_approval: :blocked
end
event :ldap_block do
transition active: :ldap_blocked
2019-12-21 20:55:43 +05:30
transition deactivated: :ldap_blocked
2014-09-02 18:07:02 +05:30
end
2023-04-23 21:23:45 +05:30
# aliasing system_block to set ldap_blocked statuses
# ldap_blocked is used for LDAP, SAML, and SCIM blocked users
# Issue for improving this naming:
# https://gitlab.com/gitlab-org/gitlab/-/issues/388487
event :system_block do
transition active: :ldap_blocked
transition deactivated: :ldap_blocked
end
2014-09-02 18:07:02 +05:30
event :activate do
2019-12-21 20:55:43 +05:30
transition deactivated: :active
2014-09-02 18:07:02 +05:30
transition blocked: :active
transition ldap_blocked: :active
2021-01-03 14:25:43 +05:30
transition blocked_pending_approval: :active
2021-06-08 01:23:25 +05:30
transition banned: :active
2021-01-03 14:25:43 +05:30
end
event :block_pending_approval do
transition active: :blocked_pending_approval
end
2021-06-08 01:23:25 +05:30
event :ban do
transition active: :banned
end
2021-11-11 11:23:49 +05:30
event :unban do
transition banned: :active
end
2019-12-21 20:55:43 +05:30
event :deactivate do
2021-06-08 01:23:25 +05:30
# Any additional changes to this event should be also
# reflected in app/workers/users/deactivate_dormant_users_worker.rb
2019-12-21 20:55:43 +05:30
transition active: :deactivated
end
2021-06-08 01:23:25 +05:30
state :blocked, :ldap_blocked, :blocked_pending_approval, :banned do
def blocked?
true
end
2014-09-02 18:07:02 +05:30
end
2019-09-30 23:59:55 +05:30
2020-03-13 15:44:24 +05:30
before_transition do
!Gitlab::Database.read_only?
end
2019-09-30 23:59:55 +05:30
# rubocop: disable CodeReuse/ServiceClass
after_transition any => :blocked do |user|
2022-01-26 12:08:38 +05:30
user.run_after_commit do
Ci::DropPipelineService.new.execute_async_for_all(user.pipelines, :user_blocked, user)
Ci::DisableUserPipelineSchedulesService.new.execute(user)
end
2019-09-30 23:59:55 +05:30
end
2021-09-30 23:02:18 +05:30
after_transition any => :deactivated do |user|
2021-11-11 11:23:49 +05:30
next unless Gitlab::CurrentSettings.user_deactivation_emails_enabled
2022-07-23 23:45:48 +05:30
user.run_after_commit do
NotificationService.new.user_deactivated(user.name, user.notification_email_or_default)
end
2021-09-30 23:02:18 +05:30
end
2019-09-30 23:59:55 +05:30
# rubocop: enable CodeReuse/ServiceClass
2021-10-27 15:23:28 +05:30
after_transition active: :banned do |user|
user.create_banned_user
end
after_transition banned: :active do |user|
user.banned_user&.destroy
end
2023-01-13 00:05:48 +05:30
after_transition any => :active do |user|
user.starred_projects.update_counters(star_count: 1)
end
after_transition active: any do |user|
user.starred_projects.update_counters(star_count: -1)
end
2014-09-02 18:07:02 +05:30
end
# Scopes
2015-09-11 14:41:01 +05:30
scope :admins, -> { where(admin: true) }
2021-01-29 00:20:46 +05:30
scope :instance_access_request_approvers_to_be_notified, -> { admins.active.order_recent_sign_in.limit(INSTANCE_ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT) }
scope :blocked, -> { with_states(:blocked, :ldap_blocked) }
2021-01-03 14:25:43 +05:30
scope :blocked_pending_approval, -> { with_states(:blocked_pending_approval) }
2021-06-08 01:23:25 +05:30
scope :banned, -> { with_states(:banned) }
2016-06-02 11:05:42 +05:30
scope :external, -> { where(external: true) }
2021-04-17 20:07:23 +05:30
scope :non_external, -> { where(external: false) }
2020-05-24 23:13:21 +05:30
scope :confirmed, -> { where.not(confirmed_at: nil) }
2017-08-17 22:00:37 +05:30
scope :active, -> { with_state(:active).non_internal }
2020-03-13 15:44:24 +05:30
scope :active_without_ghosts, -> { with_state(:active).without_ghosts }
2019-12-21 20:55:43 +05:30
scope :deactivated, -> { with_state(:deactivated).non_internal }
2018-11-08 19:23:39 +05:30
scope :without_projects, -> { joins('LEFT JOIN project_authorizations ON users.id = project_authorizations.user_id').where(project_authorizations: { user_id: nil }) }
2018-12-13 13:39:08 +05:30
scope :by_username, -> (usernames) { iwhere(username: Array(usernames).map(&:to_s)) }
2021-01-29 00:20:46 +05:30
scope :by_name, -> (names) { iwhere(name: Array(names)) }
2022-08-27 11:52:29 +05:30
scope :by_login, -> (login) do
return none if login.blank?
login.include?('@') ? iwhere(email: login) : iwhere(username: login)
end
2021-01-29 00:20:46 +05:30
scope :by_user_email, -> (emails) { iwhere(email: Array(emails)) }
scope :by_emails, -> (emails) { joins(:emails).where(emails: { email: Array(emails).map(&:downcase) }) }
2021-06-08 01:23:25 +05:30
scope :for_todos, -> (todos) { where(id: todos.select(:user_id).distinct) }
2019-07-07 11:18:12 +05:30
scope :with_emails, -> { preload(:emails) }
scope :with_dashboard, -> (dashboard) { where(dashboard: dashboard) }
2019-10-12 21:52:04 +05:30
scope :with_public_profile, -> { where(private_profile: false) }
2020-01-01 13:55:28 +05:30
scope :with_expiring_and_not_notified_personal_access_tokens, ->(at) do
where('EXISTS (?)',
::PersonalAccessToken
.where('personal_access_tokens.user_id = users.id')
2020-06-23 00:09:42 +05:30
.without_impersonation
2020-01-01 13:55:28 +05:30
.expiring_and_not_notified(at).select(1))
end
2020-10-24 23:57:45 +05:30
scope :with_personal_access_tokens_expired_today, -> do
where('EXISTS (?)',
::PersonalAccessToken
.select(1)
.where('personal_access_tokens.user_id = users.id')
.without_impersonation
.expired_today_and_not_notified)
end
2021-09-04 01:27:46 +05:30
2021-04-29 21:17:54 +05:30
scope :with_ssh_key_expiring_soon, -> do
includes(:expiring_soon_and_unnotified_keys)
.where('EXISTS (?)',
::Key
.select(1)
.where('keys.user_id = users.id')
.expiring_soon_and_not_notified)
end
2022-06-21 17:19:12 +05:30
scope :order_recent_sign_in, -> { reorder(arel_table[:current_sign_in_at].desc.nulls_last) }
scope :order_oldest_sign_in, -> { reorder(arel_table[:current_sign_in_at].asc.nulls_last) }
2022-08-13 15:12:31 +05:30
scope :order_recent_last_activity, -> { reorder(arel_table[:last_activity_on].desc.nulls_last, arel_table[:id].asc) }
scope :order_oldest_last_activity, -> { reorder(arel_table[:last_activity_on].asc.nulls_first, arel_table[:id].desc) }
2022-10-11 01:57:18 +05:30
scope :dormant, -> { with_state(:active).human_or_service_user.where('last_activity_on <= ?', Gitlab::CurrentSettings.deactivate_dormant_users_period.day.ago.to_date) }
2022-07-23 23:45:48 +05:30
scope :with_no_activity, -> { with_state(:active).human_or_service_user.where(last_activity_on: nil).where('created_at <= ?', MINIMUM_DAYS_CREATED.day.ago.to_date) }
2021-09-30 23:02:18 +05:30
scope :by_provider_and_extern_uid, ->(provider, extern_uid) { joins(:identities).merge(Identity.with_extern_uid(provider, extern_uid)) }
2022-03-02 08:16:31 +05:30
scope :by_ids_or_usernames, -> (ids, usernames) { where(username: usernames).or(where(id: ids)) }
2022-06-21 17:19:12 +05:30
scope :without_forbidden_states, -> { where.not(state: FORBIDDEN_SEARCH_STATES) }
2020-01-01 13:55:28 +05:30
2022-01-26 12:08:38 +05:30
strip_attributes! :name
2020-10-24 23:57:45 +05:30
def preferred_language
2023-03-17 16:20:25 +05:30
read_attribute('preferred_language').presence || Gitlab::CurrentSettings.default_preferred_language
2020-10-24 23:57:45 +05:30
end
2020-04-22 19:07:51 +05:30
def active_for_authentication?
2021-12-11 22:18:48 +05:30
return false unless super
check_ldap_if_ldap_blocked!
can?(:log_in)
2020-04-22 19:07:51 +05:30
end
2021-01-03 14:25:43 +05:30
# The messages for these keys are defined in `devise.en.yml`
2020-04-22 19:07:51 +05:30
def inactive_message
2021-01-03 14:25:43 +05:30
if blocked_pending_approval?
:blocked_pending_approval
elsif blocked?
:blocked
2020-04-22 19:07:51 +05:30
elsif internal?
2021-01-03 14:25:43 +05:30
:forbidden
2020-04-22 19:07:51 +05:30
else
super
end
end
2019-10-12 21:52:04 +05:30
def self.with_visible_profile(user)
return with_public_profile if user.nil?
if user.admin?
all
else
with_public_profile.or(where(id: user.id))
end
end
2018-11-20 20:47:30 +05:30
# Limits the users to those that have TODOs, optionally in the given state.
#
# user - The user to get the todos for.
#
# with_todos - If we should limit the result set to users that are the
# authors of todos.
#
# todo_state - An optional state to require the todos to be in.
def self.limit_to_todo_authors(user: nil, with_todos: false, todo_state: nil)
if user && with_todos
where(id: Todo.where(user: user, state: todo_state).select(:author_id))
else
all
end
end
# Returns a relation that optionally includes the given user.
#
# user_id - The ID of the user to include.
def self.union_with_user(user_id = nil)
if user_id.present?
# We use "unscoped" here so that any inner conditions are not repeated for
# the outer query, which would be redundant.
2018-12-05 23:21:45 +05:30
User.unscoped.from_union([all, User.unscoped.where(id: user_id)])
2018-11-20 20:47:30 +05:30
else
all
end
2018-11-08 19:23:39 +05:30
end
def self.with_two_factor
2022-03-02 08:16:31 +05:30
where(otp_required_for_login: true)
.or(where_exists(WebauthnRegistration.where(WebauthnRegistration.arel_table[:user_id].eq(arel_table[:id]))))
end
def self.without_two_factor
2022-03-02 08:16:31 +05:30
where
2023-05-27 22:25:52 +05:30
.missing(:webauthn_registrations)
2022-03-02 08:16:31 +05:30
.where(otp_required_for_login: false)
end
2014-09-02 18:07:02 +05:30
#
# Class methods
#
class << self
2020-01-01 13:55:28 +05:30
# Devise method overridden to allow support for dynamic password lengths
def password_length
Gitlab::CurrentSettings.minimum_password_length..Devise.password_length.max
end
2020-03-13 15:44:24 +05:30
# Generate a random password that conforms to the current password length settings
def random_password
Devise.friendly_token(password_length.max)
end
2014-09-02 18:07:02 +05:30
# Devise method overridden to allow sign in with email or username
def find_for_database_authentication(warden_conditions)
conditions = warden_conditions.dup
if login = conditions.delete(:login)
2018-03-27 19:54:05 +05:30
where(conditions).find_by("lower(username) = :value OR lower(email) = :value", value: login.downcase.strip)
2014-09-02 18:07:02 +05:30
else
2015-12-23 02:04:40 +05:30
find_by(conditions)
2014-09-02 18:07:02 +05:30
end
end
2018-05-09 12:01:36 +05:30
def sort_by_attribute(method)
2018-03-17 18:26:18 +05:30
order_method = method || 'id_desc'
case order_method.to_s
2017-08-17 22:00:37 +05:30
when 'recent_sign_in' then order_recent_sign_in
when 'oldest_sign_in' then order_oldest_sign_in
2019-03-02 22:35:43 +05:30
when 'last_activity_on_desc' then order_recent_last_activity
when 'last_activity_on_asc' then order_oldest_last_activity
2015-04-26 12:48:37 +05:30
else
2018-03-17 18:26:18 +05:30
order_by(order_method)
2015-04-26 12:48:37 +05:30
end
end
2022-07-29 17:44:30 +05:30
# Find a User by their primary email or any associated confirmed secondary email
2018-11-18 11:00:15 +05:30
def find_by_any_email(email, confirmed: false)
2018-12-13 13:39:08 +05:30
return unless email
2019-02-15 15:39:39 +05:30
by_any_email(email, confirmed: confirmed).take
2019-01-03 12:48:30 +05:30
end
2015-11-26 14:37:03 +05:30
2022-07-29 17:44:30 +05:30
# Returns a relation containing all found users by their primary email
# or any associated confirmed secondary email
2019-02-15 15:39:39 +05:30
#
# @param emails [String, Array<String>] email addresses to check
2022-07-29 17:44:30 +05:30
# @param confirmed [Boolean] Only return users where the primary email is confirmed
2019-02-15 15:39:39 +05:30
def by_any_email(emails, confirmed: false)
2021-01-29 00:20:46 +05:30
from_users = by_user_email(emails)
2019-02-15 15:39:39 +05:30
from_users = from_users.confirmed if confirmed
2022-07-29 17:44:30 +05:30
from_emails = by_emails(emails).merge(Email.confirmed)
from_emails = from_emails.confirmed if confirmed
2018-12-23 12:14:25 +05:30
2019-02-15 15:39:39 +05:30
items = [from_users, from_emails]
2018-12-23 12:14:25 +05:30
2021-01-29 00:20:46 +05:30
user_ids = Gitlab::PrivateCommitEmail.user_ids_for_emails(Array(emails).map(&:downcase))
2019-02-15 15:39:39 +05:30
items << where(id: user_ids) if user_ids.present?
from_union(items)
2014-09-02 18:07:02 +05:30
end
2018-12-13 13:39:08 +05:30
def find_by_private_commit_email(email)
user_id = Gitlab::PrivateCommitEmail.user_id_for_email(email)
find_by(id: user_id)
end
2019-07-07 11:18:12 +05:30
def filter_items(filter_name)
2014-09-02 18:07:02 +05:30
case filter_name
2015-09-11 14:41:01 +05:30
when 'admins'
2017-08-17 22:00:37 +05:30
admins
2015-09-11 14:41:01 +05:30
when 'blocked'
2017-08-17 22:00:37 +05:30
blocked
2021-01-03 14:25:43 +05:30
when 'blocked_pending_approval'
blocked_pending_approval
2021-06-08 01:23:25 +05:30
when 'banned'
banned
2015-09-11 14:41:01 +05:30
when 'two_factor_disabled'
2017-08-17 22:00:37 +05:30
without_two_factor
2015-09-11 14:41:01 +05:30
when 'two_factor_enabled'
2017-08-17 22:00:37 +05:30
with_two_factor
2015-09-11 14:41:01 +05:30
when 'wop'
2017-08-17 22:00:37 +05:30
without_projects
2016-06-02 11:05:42 +05:30
when 'external'
2017-08-17 22:00:37 +05:30
external
2019-12-21 20:55:43 +05:30
when 'deactivated'
deactivated
2014-09-02 18:07:02 +05:30
else
2020-03-13 15:44:24 +05:30
active_without_ghosts
2014-09-02 18:07:02 +05:30
end
end
2016-06-02 11:05:42 +05:30
# Searches users matching the given query.
#
2020-06-23 00:09:42 +05:30
# This method uses ILIKE on PostgreSQL.
2016-06-02 11:05:42 +05:30
#
# query - The search query as a String
2022-02-05 19:09:49 +05:30
# with_private_emails - include private emails in search
2016-06-02 11:05:42 +05:30
#
# Returns an ActiveRecord::Relation.
2020-04-22 19:07:51 +05:30
def search(query, **options)
2023-01-13 00:05:48 +05:30
return none unless query.is_a?(String)
2019-12-21 20:55:43 +05:30
query = query&.delete_prefix('@')
2018-03-17 18:26:18 +05:30
return none if query.blank?
query = query.downcase
2016-06-02 11:05:42 +05:30
2017-09-10 17:25:29 +05:30
order = <<~SQL
CASE
2022-06-21 17:19:12 +05:30
WHEN LOWER(users.name) = :query THEN 0
WHEN LOWER(users.username) = :query THEN 1
WHEN LOWER(users.public_email) = :query THEN 2
2017-09-10 17:25:29 +05:30
ELSE 3
END
SQL
2019-10-12 21:52:04 +05:30
sanitized_order_sql = Arel.sql(sanitize_sql_array([order, query: query]))
2022-04-04 11:22:00 +05:30
scope = options[:with_private_emails] ? with_primary_or_secondary_email(query) : with_public_email(query)
scope = scope.or(search_by_name_or_username(query, use_minimum_char_limit: options[:use_minimum_char_limit]))
2022-02-05 19:09:49 +05:30
2022-10-11 01:57:18 +05:30
order = Gitlab::Pagination::Keyset::Order.build(
[
Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(
attribute_name: 'users_match_priority',
order_expression: sanitized_order_sql.asc,
add_to_projections: true,
distinct: false
),
Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(
attribute_name: 'users_name',
order_expression: arel_table[:name].asc,
add_to_projections: true,
nullable: :not_nullable,
distinct: false
),
Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(
attribute_name: 'users_id',
order_expression: arel_table[:id].asc,
add_to_projections: true,
nullable: :not_nullable,
distinct: true
)
])
2022-08-27 11:52:29 +05:30
scope.reorder(order)
2014-09-02 18:07:02 +05:30
end
2018-11-20 20:47:30 +05:30
# Limits the result set to users _not_ in the given query/list of IDs.
#
# users - The list of users to ignore. This can be an
# `ActiveRecord::Relation`, or an Array.
def where_not_in(users = nil)
users ? where.not(id: users) : all
end
def reorder_by_name
reorder(:name)
end
2022-04-04 11:22:00 +05:30
# searches user by given pattern
# it compares name and username fields with given pattern
# This method uses ILIKE on PostgreSQL.
def search_by_name_or_username(query, use_minimum_char_limit: nil)
use_minimum_char_limit = user_search_minimum_char_limit if use_minimum_char_limit.nil?
2022-02-05 19:09:49 +05:30
where(
2022-04-04 11:22:00 +05:30
fuzzy_arel_match(:name, query, use_minimum_char_limit: use_minimum_char_limit)
.or(fuzzy_arel_match(:username, query, use_minimum_char_limit: use_minimum_char_limit))
2022-02-05 19:09:49 +05:30
)
end
2022-04-04 11:22:00 +05:30
def with_public_email(email_address)
where(public_email: email_address)
2021-02-22 17:27:13 +05:30
end
2022-04-04 11:22:00 +05:30
def with_primary_or_secondary_email(email_address)
2017-08-17 22:00:37 +05:30
email_table = Email.arel_table
2021-02-22 17:27:13 +05:30
matched_by_email_user_id = email_table
2018-03-17 18:26:18 +05:30
.project(email_table[:user_id])
2022-04-04 11:22:00 +05:30
.where(email_table[:email].eq(email_address))
2022-07-29 17:44:30 +05:30
.where(email_table[:confirmed_at].not_eq(nil))
2021-02-22 17:27:13 +05:30
.take(1) # at most 1 record as there is a unique constraint
2017-08-17 22:00:37 +05:30
where(
2022-04-04 11:22:00 +05:30
arel_table[:email].eq(email_address)
.or(arel_table[:id].eq(matched_by_email_user_id))
2017-08-17 22:00:37 +05:30
)
end
2022-03-02 08:16:31 +05:30
# This method is overridden in JiHu.
# https://gitlab.com/gitlab-org/gitlab/-/issues/348509
def user_search_minimum_char_limit
true
end
2022-08-27 11:52:29 +05:30
def find_by_login(login)
by_login(login).take
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
def find_by_username(username)
2018-11-20 20:47:30 +05:30
by_username(username).take
2017-08-17 22:00:37 +05:30
end
2015-09-11 14:41:01 +05:30
def find_by_username!(username)
2018-11-20 20:47:30 +05:30
by_username(username).take!
2015-09-11 14:41:01 +05:30
end
2016-11-03 12:29:30 +05:30
# Returns a user for the given SSH key.
def find_by_ssh_key_id(key_id)
2023-03-04 22:38:38 +05:30
find_by('EXISTS (?)', Key.select(1).where('keys.user_id = users.id').auth.where(id: key_id))
2016-11-03 12:29:30 +05:30
end
2017-08-17 22:00:37 +05:30
def find_by_full_path(path, follow_redirects: false)
2021-11-18 22:05:49 +05:30
namespace = Namespace.user_namespaces.find_by_full_path(path, follow_redirects: follow_redirects)
2017-08-17 22:00:37 +05:30
namespace&.owner
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
def reference_prefix
'@'
end
# Pattern used to extract `@user` user references from text
def reference_pattern
2020-07-28 23:09:34 +05:30
@reference_pattern ||=
%r{
(?<!\w)
#{Regexp.escape(reference_prefix)}
(?<user>#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})
}x
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
# Return (create if necessary) the ghost user. The ghost user
# owns records previously belonging to deleted users.
def ghost
2017-09-10 17:25:29 +05:30
email = 'ghost%s@example.com'
2020-05-24 23:13:21 +05:30
unique_internal(where(user_type: :ghost), 'ghost', email) do |u|
2019-07-31 22:56:46 +05:30
u.bio = _('This is a "Ghost User", created to hold all issues authored by users that have since been deleted. This user cannot be removed.')
2017-08-17 22:00:37 +05:30
u.name = 'Ghost User'
end
end
2018-11-20 20:47:30 +05:30
2020-03-13 15:44:24 +05:30
def alert_bot
email_pattern = "alert%s@#{Settings.gitlab.host}"
2020-04-22 19:07:51 +05:30
unique_internal(where(user_type: :alert_bot), 'alert-bot', email_pattern) do |u|
2020-03-13 15:44:24 +05:30
u.bio = 'The GitLab alert bot'
u.name = 'GitLab Alert Bot'
2020-07-28 23:09:34 +05:30
u.avatar = bot_avatar(image: 'alert-bot.png')
2020-03-13 15:44:24 +05:30
end
end
2020-05-24 23:13:21 +05:30
def migration_bot
email_pattern = "noreply+gitlab-migration-bot%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :migration_bot), 'migration-bot', email_pattern) do |u|
u.bio = 'The GitLab migration bot'
u.name = 'GitLab Migration Bot'
u.confirmed_at = Time.zone.now
end
end
2021-01-03 14:25:43 +05:30
def security_bot
email_pattern = "security-bot%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :security_bot), 'GitLab-Security-Bot', email_pattern) do |u|
u.bio = 'System bot that monitors detected vulnerabilities for solutions and creates merge requests with the fixes.'
u.name = 'GitLab Security Bot'
u.website_url = Gitlab::Routing.url_helpers.help_page_url('user/application_security/security_bot/index.md')
u.avatar = bot_avatar(image: 'security-bot.png')
2021-02-22 17:27:13 +05:30
u.confirmed_at = Time.zone.now
2021-01-03 14:25:43 +05:30
end
end
2020-07-28 23:09:34 +05:30
def support_bot
email_pattern = "support%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :support_bot), 'support-bot', email_pattern) do |u|
u.bio = 'The GitLab support bot used for Service Desk'
u.name = 'GitLab Support Bot'
u.avatar = bot_avatar(image: 'support-bot.png')
2021-04-29 21:17:54 +05:30
u.confirmed_at = Time.zone.now
2020-07-28 23:09:34 +05:30
end
end
2021-09-04 01:27:46 +05:30
def automation_bot
email_pattern = "automation%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :automation_bot), 'automation-bot', email_pattern) do |u|
u.bio = 'The GitLab automation bot used for automated workflows and tasks'
u.name = 'GitLab Automation Bot'
u.avatar = bot_avatar(image: 'support-bot.png') # todo: add an avatar for automation-bot
end
end
2023-03-04 22:38:38 +05:30
def admin_bot
email_pattern = "admin-bot%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :admin_bot), 'GitLab-Admin-Bot', email_pattern) do |u|
u.bio = 'Admin bot used for tasks that require admin privileges'
u.name = 'GitLab Admin Bot'
u.avatar = bot_avatar(image: 'admin-bot.png')
u.admin = true
u.confirmed_at = Time.zone.now
end
end
2018-11-20 20:47:30 +05:30
# Return true if there is only single non-internal user in the deployment,
# ghost user is ignored.
def single_user?
User.non_internal.limit(2).count == 1
end
def single_user
User.non_internal.first if single_user?
end
2022-03-02 08:16:31 +05:30
def get_ids_by_ids_or_usernames(ids, usernames)
by_ids_or_usernames(ids, usernames).pluck(:id)
end
2017-08-17 22:00:37 +05:30
end
2014-09-02 18:07:02 +05:30
#
# Instance methods
#
2020-05-24 23:13:21 +05:30
def full_path
username
end
2014-09-02 18:07:02 +05:30
def to_param
username
end
2018-03-17 18:26:18 +05:30
def to_reference(_from = nil, target_project: nil, full: nil)
2015-09-11 14:41:01 +05:30
"#{self.class.reference_prefix}#{username}"
end
2017-08-17 22:00:37 +05:30
def skip_confirmation=(bool)
skip_confirmation! if bool
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def skip_reconfirmation=(bool)
skip_reconfirmation! if bool
end
2014-09-02 18:07:02 +05:30
def generate_reset_token
@reset_token, enc = Devise.token_generator.generate(self.class, :reset_password_token)
self.reset_password_token = enc
2020-06-23 00:09:42 +05:30
self.reset_password_sent_at = Time.current.utc
2014-09-02 18:07:02 +05:30
@reset_token
end
2015-10-24 18:46:33 +05:30
def recently_sent_password_reset?
reset_password_sent_at.present? && reset_password_sent_at >= 1.minute.ago
end
2022-04-01 21:47:47 +05:30
# Overwrites valid_password? from Devise::Models::DatabaseAuthenticatable
# In constant-time, check both that the password isn't on a denylist AND
# that the password is the user's password
def valid_password?(password)
2022-08-13 15:12:31 +05:30
return false unless password_allowed?(password)
2022-11-25 23:54:43 +05:30
return false if password_automatically_set?
2022-08-13 15:12:31 +05:30
2023-01-13 00:05:48 +05:30
super
2022-08-13 15:12:31 +05:30
end
2022-11-25 23:54:43 +05:30
def generate_otp_backup_codes!
if Gitlab::FIPS.enabled?
generate_otp_backup_codes_pbkdf2!
else
super
end
end
def invalidate_otp_backup_code!(code)
if Gitlab::FIPS.enabled? && pbkdf2?
invalidate_otp_backup_code_pdkdf2!(code)
else
super(code)
end
end
2022-08-13 15:12:31 +05:30
# See https://gitlab.com/gitlab-org/security/gitlab/-/issues/638
DISALLOWED_PASSWORDS = %w[123qweQWE!@#000000000].freeze
def password_allowed?(password)
2022-04-01 21:47:47 +05:30
password_allowed = true
2022-08-13 15:12:31 +05:30
2022-04-01 21:47:47 +05:30
DISALLOWED_PASSWORDS.each do |disallowed_password|
password_allowed = false if Devise.secure_compare(password, disallowed_password)
end
2022-08-13 15:12:31 +05:30
password_allowed
2022-04-01 21:47:47 +05:30
end
2018-03-17 18:26:18 +05:30
def remember_me!
super if ::Gitlab::Database.read_write?
end
def forget_me!
super if ::Gitlab::Database.read_write?
end
2015-09-11 14:41:01 +05:30
def disable_two_factor!
transaction do
2023-04-23 21:23:45 +05:30
self.u2f_registrations.destroy_all # rubocop:disable Cop/DestroyAll
self.disable_webauthn!
self.disable_two_factor_otp!
self.reset_backup_codes!
end
end
2023-04-23 21:23:45 +05:30
def disable_two_factor_otp!
update(
otp_required_for_login: false,
encrypted_otp_secret: nil,
encrypted_otp_secret_iv: nil,
encrypted_otp_secret_salt: nil,
otp_grace_period_started_at: nil,
otp_secret_expires_at: nil
)
end
def disable_webauthn!
self.webauthn_registrations.destroy_all # rubocop:disable Cop/DestroyAll
end
def reset_backup_codes!
update(otp_backup_codes: nil)
end
def two_factor_enabled?
2023-05-27 22:25:52 +05:30
two_factor_otp_enabled? || two_factor_webauthn_enabled?
end
def two_factor_otp_enabled?
2021-02-22 17:27:13 +05:30
otp_required_for_login? ||
forti_authenticator_enabled?(self) ||
2023-05-27 22:25:52 +05:30
forti_token_cloud_enabled?(self) ||
duo_auth_enabled?(self)
2020-11-24 15:15:51 +05:30
end
def two_factor_webauthn_enabled?
2022-07-16 23:28:13 +05:30
return false unless Feature.enabled?(:webauthn)
2020-11-24 15:15:51 +05:30
(webauthn_registrations.loaded? && webauthn_registrations.any?) || (!webauthn_registrations.loaded? && webauthn_registrations.exists?)
end
2022-06-21 17:19:12 +05:30
def needs_new_otp_secret?
!two_factor_enabled? && otp_secret_expired?
end
def otp_secret_expired?
return true unless otp_secret_expires_at
otp_secret_expires_at < Time.current
end
def update_otp_secret!
self.otp_secret = User.generate_otp_secret(OTP_SECRET_LENGTH)
self.otp_secret_expires_at = Time.current + OTP_SECRET_TTL
end
2018-03-17 18:26:18 +05:30
def namespace_move_dir_allowed
if namespace&.any_project_has_container_registry_tags?
2019-07-31 22:56:46 +05:30
errors.add(:username, _('cannot be changed if a personal project has container registry tags.'))
2014-09-02 18:07:02 +05:30
end
end
2019-09-04 21:01:54 +05:30
# will_save_change_to_attribute? is used by Devise to check if it is necessary
# to clear any existing reset_password_tokens before updating an authentication_key
# and login in our case is a virtual attribute to allow login by username or email.
def will_save_change_to_login?
will_save_change_to_username? || will_save_change_to_email?
end
2014-09-02 18:07:02 +05:30
def unique_email
2021-12-11 22:18:48 +05:30
return if errors.added?(:email, _('has already been taken'))
2017-08-17 22:00:37 +05:30
if !emails.exists?(email: email) && Email.exists?(email: email)
2019-07-31 22:56:46 +05:30
errors.add(:email, _('has already been taken'))
2015-09-11 14:41:01 +05:30
end
2014-09-02 18:07:02 +05:30
end
2021-11-11 11:23:49 +05:30
def commit_email_or_default
if self.commit_email == Gitlab::PrivateCommitEmail::TOKEN
2018-12-13 13:39:08 +05:30
return private_commit_email
end
2018-12-05 23:21:45 +05:30
# The commit email is the same as the primary email if undefined
2021-11-11 11:23:49 +05:30
self.commit_email.presence || self.email
2018-12-05 23:21:45 +05:30
end
2021-11-11 11:23:49 +05:30
def notification_email_or_default
2021-10-27 15:23:28 +05:30
# The notification email is the same as the primary email if undefined
2021-11-11 11:23:49 +05:30
self.notification_email.presence || self.email
2021-10-27 15:23:28 +05:30
end
2018-12-13 13:39:08 +05:30
def private_commit_email
Gitlab::PrivateCommitEmail.for_user(self)
end
2018-03-17 18:26:18 +05:30
# see if the new email is already a verified secondary email
def check_for_verified_email
skip_reconfirmation! if emails.confirmed.where(email: self.email).any?
end
2017-09-10 17:25:29 +05:30
def update_invalid_gpg_signatures
gpg_keys.each(&:update_invalid_gpg_signatures)
end
2018-03-27 19:54:05 +05:30
# Returns the groups a user has access to, either through a membership or a project authorization
2014-09-02 18:07:02 +05:30
def authorized_groups
2018-11-08 19:23:39 +05:30
Group.unscoped do
2021-04-17 20:07:23 +05:30
authorized_groups_with_shared_membership
2018-11-08 19:23:39 +05:30
end
2015-11-26 14:37:03 +05:30
end
2014-09-02 18:07:02 +05:30
2018-03-27 19:54:05 +05:30
# Returns the groups a user is a member of, either directly or through a parent group
def membership_groups
2022-01-26 12:08:38 +05:30
groups.self_and_descendants
2018-03-27 19:54:05 +05:30
end
2017-09-10 17:25:29 +05:30
# Returns a relation of groups the user has access to, including their parent
# and child groups (recursively).
2017-08-17 22:00:37 +05:30
def all_expanded_groups
2021-10-27 15:23:28 +05:30
return groups if groups.empty?
2019-02-15 15:39:39 +05:30
Gitlab::ObjectHierarchy.new(groups).all_objects
2017-08-17 22:00:37 +05:30
end
def expanded_groups_requiring_two_factor_authentication
all_expanded_groups.where(require_two_factor_authentication: true)
end
2020-09-03 11:15:55 +05:30
def source_groups_of_two_factor_authentication_requirement
Gitlab::ObjectHierarchy.new(expanded_groups_requiring_two_factor_authentication)
.all_objects
.where(id: groups)
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2021-03-11 19:13:27 +05:30
def refresh_authorized_projects(source: nil)
Users::RefreshAuthorizedProjectsService.new(self, source: source).execute
2017-08-17 22:00:37 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2017-08-17 22:00:37 +05:30
def authorized_projects(min_access_level = nil)
2017-09-10 17:25:29 +05:30
# We're overriding an association, so explicitly call super with no
# arguments or it would be passed as `force_reload` to the association
2017-08-17 22:00:37 +05:30
projects = super()
2017-09-10 17:25:29 +05:30
if min_access_level
projects = projects
.where('project_authorizations.access_level >= ?', min_access_level)
end
2017-08-17 22:00:37 +05:30
projects
end
def authorized_project?(project, min_access_level = nil)
authorized_projects(min_access_level).exists?({ id: project.id })
end
2018-03-17 18:26:18 +05:30
# Typically used in conjunction with projects table to get projects
# a user has been given access to.
2019-07-07 11:18:12 +05:30
# The param `related_project_column` is the column to compare to the
# project_authorizations. By default is projects.id
2018-03-17 18:26:18 +05:30
#
# Example use:
# `Project.where('EXISTS(?)', user.authorizations_for_projects)`
2019-07-07 11:18:12 +05:30
def authorizations_for_projects(min_access_level: nil, related_project_column: 'projects.id')
authorizations = project_authorizations
.select(1)
.where("project_authorizations.project_id = #{related_project_column}")
2019-02-15 15:39:39 +05:30
return authorizations unless min_access_level.present?
authorizations.where('project_authorizations.access_level >= ?', min_access_level)
2018-03-17 18:26:18 +05:30
end
2017-08-17 22:00:37 +05:30
# Returns the projects this user has reporter (or greater) access to, limited
# to at most the given projects.
#
# This method is useful when you have a list of projects and want to
# efficiently check to which of these projects the user has at least reporter
# access.
def projects_with_reporter_access_limited_to(projects)
authorized_projects(Gitlab::Access::REPORTER).where(id: projects)
2014-09-02 18:07:02 +05:30
end
def owned_projects
2018-12-05 23:21:45 +05:30
@owned_projects ||= Project.from_union(
[
Project.where(namespace: namespace),
Project.joins(:project_authorizations)
2021-04-29 21:17:54 +05:30
.where.not('projects.namespace_id' => namespace.id)
2018-12-05 23:21:45 +05:30
.where(project_authorizations: { user_id: id, access_level: Gitlab::Access::OWNER })
],
remove_duplicates: false
)
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
# Returns projects which user can admin issues on (for example to move an issue to that project).
#
# This logic is duplicated from `Ability#project_abilities` into a SQL form.
def projects_where_can_admin_issues
2016-09-29 09:46:39 +05:30
authorized_projects(Gitlab::Access::REPORTER).non_archived.with_issues_enabled
2016-09-13 17:45:13 +05:30
end
2023-01-13 00:05:48 +05:30
def preloaded_member_roles_for_projects(projects)
# overridden in EE
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def require_ssh_key?
2018-03-17 18:26:18 +05:30
count = Users::KeysCountService.new(self).count
2020-10-24 23:57:45 +05:30
count == 0 && Gitlab::ProtocolAccess.allowed?('ssh')
2018-03-17 18:26:18 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def require_password_creation_for_web?
allow_password_authentication_for_web? && password_automatically_set?
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def require_password_creation_for_git?
allow_password_authentication_for_git? && password_automatically_set?
2017-09-10 17:25:29 +05:30
end
def require_personal_access_token_creation_for_git_auth?
2021-02-22 17:27:13 +05:30
return false if allow_password_authentication_for_git? || password_based_omniauth_user?
2017-09-10 17:25:29 +05:30
PersonalAccessTokensFinder.new(user: self, impersonation: false, state: 'active').execute.none?
end
2018-03-17 18:26:18 +05:30
def require_extra_setup_for_git_auth?
require_password_creation_for_git? || require_personal_access_token_creation_for_git_auth?
end
2017-09-10 17:25:29 +05:30
def allow_password_authentication?
2018-03-17 18:26:18 +05:30
allow_password_authentication_for_web? || allow_password_authentication_for_git?
end
def allow_password_authentication_for_web?
2020-06-23 00:09:42 +05:30
Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user?
2018-03-17 18:26:18 +05:30
end
def allow_password_authentication_for_git?
2021-02-22 17:27:13 +05:30
Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !password_based_omniauth_user?
2015-04-26 12:48:37 +05:30
end
2021-06-08 01:23:25 +05:30
# method overriden in EE
def password_based_login_forbidden?
false
end
2014-09-02 18:07:02 +05:30
def can_change_username?
gitlab_config.username_changing_enabled
end
def can_create_project?
projects_limit_left > 0
end
def can_create_group?
2017-08-17 22:00:37 +05:30
can?(:create_group)
2014-09-02 18:07:02 +05:30
end
def can_select_namespace?
several_namespaces? || admin
end
2017-08-17 22:00:37 +05:30
def can?(action, subject = :global)
2016-09-29 09:46:39 +05:30
Ability.allowed?(self, action, subject)
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def confirm_deletion_with_password?
!password_automatically_set? && allow_password_authentication?
end
2014-09-02 18:07:02 +05:30
def first_name
2019-12-04 20:38:33 +05:30
read_attribute(:first_name) || begin
name.split(' ').first unless name.blank?
end
end
def last_name
read_attribute(:last_name) || begin
name.split(' ').drop(1).join(' ') unless name.blank?
end
2014-09-02 18:07:02 +05:30
end
def projects_limit_left
2017-09-10 17:25:29 +05:30
projects_limit - personal_projects_count
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def recent_push(project = nil)
service = Users::LastPushEventService.new(self)
2014-09-02 18:07:02 +05:30
2018-03-17 18:26:18 +05:30
if project
service.last_event_for_project(project)
else
service.last_event_for_user
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def several_namespaces?
2019-07-07 11:18:12 +05:30
union_sql = ::Gitlab::SQL::Union.new(
[owned_groups,
maintainers_groups,
groups_with_developer_maintainer_project_access]).to_sql
::Group.from("(#{union_sql}) #{::Group.table_name}").any?
2014-09-02 18:07:02 +05:30
end
def namespace_id
namespace.try :id
end
def name_with_username
"#{name} (#{username})"
end
2015-04-26 12:48:37 +05:30
def already_forked?(project)
2014-09-02 18:07:02 +05:30
!!fork_of(project)
end
2015-04-26 12:48:37 +05:30
def fork_of(project)
2018-03-17 18:26:18 +05:30
namespace.find_fork_of(project)
2014-09-02 18:07:02 +05:30
end
2021-02-22 17:27:13 +05:30
def password_based_omniauth_user?
ldap_user? || crowd_user?
end
def crowd_user?
if identities.loaded?
identities.find { |identity| identity.provider == 'crowd' && identity.extern_uid.present? }
else
identities.with_any_extern_uid('crowd').exists?
end
end
2014-09-02 18:07:02 +05:30
def ldap_user?
2018-03-17 18:26:18 +05:30
if identities.loaded?
2018-03-27 19:54:05 +05:30
identities.find { |identity| Gitlab::Auth::OAuth::Provider.ldap_provider?(identity.provider) && !identity.extern_uid.nil? }
2018-03-17 18:26:18 +05:30
else
identities.exists?(["provider LIKE ? AND extern_uid IS NOT NULL", "ldap%"])
end
2015-04-26 12:48:37 +05:30
end
def ldap_identity
@ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
end
2020-01-01 13:55:28 +05:30
def matches_identity?(provider, extern_uid)
2021-09-30 23:02:18 +05:30
identities.with_extern_uid(provider, extern_uid).exists?
2020-01-01 13:55:28 +05:30
end
2015-04-26 12:48:37 +05:30
def project_deploy_keys
2020-01-01 13:55:28 +05:30
@project_deploy_keys ||= DeployKey.in_projects(authorized_projects.select(:id)).distinct(:id)
2014-09-02 18:07:02 +05:30
end
2019-07-07 11:18:12 +05:30
def highest_role
2020-04-22 19:07:51 +05:30
user_highest_role&.highest_access_level || Gitlab::Access::NO_ACCESS
2019-07-07 11:18:12 +05:30
end
2021-06-08 01:23:25 +05:30
def credit_card_validated_at
credit_card_validation&.credit_card_validated_at
end
2014-09-02 18:07:02 +05:30
def accessible_deploy_keys
2022-10-11 01:57:18 +05:30
DeployKey.from_union(
[
DeployKey.where(id: project_deploy_keys.select(:deploy_key_id)),
DeployKey.are_public
])
2014-09-02 18:07:02 +05:30
end
def created_by
User.find_by(id: created_by_id) if created_by_id
end
def sanitize_attrs
2021-07-02 01:05:55 +05:30
sanitize_name
end
def sanitize_name
return unless self.name
self.name = self.name.gsub(%r{</?[^>]*>}, '')
end
2021-11-11 11:23:49 +05:30
def unset_secondary_emails_matching_deleted_email!(deleted_email)
secondary_email_attribute_changed = false
SECONDARY_EMAIL_ATTRIBUTES.each do |attribute|
if read_attribute(attribute) == deleted_email
self.write_attribute(attribute, nil)
secondary_email_attribute_changed = true
end
2018-12-05 23:21:45 +05:30
end
2021-11-11 11:23:49 +05:30
save if secondary_email_attribute_changed
2015-09-11 14:41:01 +05:30
end
2021-09-30 23:02:18 +05:30
def admin_unsubscribe!
update_column :admin_email_unsubscribed_at, Time.current
end
2015-04-26 12:48:37 +05:30
def set_projects_limit
2016-11-03 12:29:30 +05:30
# `User.select(:id)` raises
# `ActiveModel::MissingAttributeError: missing attribute: projects_limit`
# without this safeguard!
2018-03-17 18:26:18 +05:30
return unless has_attribute?(:projects_limit) && projects_limit.nil?
2015-04-26 12:48:37 +05:30
2018-03-17 18:26:18 +05:30
self.projects_limit = Gitlab::CurrentSettings.default_projects_limit
2015-04-26 12:48:37 +05:30
end
2014-09-02 18:07:02 +05:30
def requires_ldap_check?
if !Gitlab.config.ldap.enabled
false
elsif ldap_user?
2020-06-23 00:09:42 +05:30
!last_credential_check_at || (last_credential_check_at + ldap_sync_time) < Time.current
2014-09-02 18:07:02 +05:30
else
false
end
end
2018-12-13 13:39:08 +05:30
def ldap_sync_time
# This number resides in this method so it can be redefined in EE.
1.hour
end
2016-04-02 18:10:28 +05:30
def try_obtain_ldap_lease
# After obtaining this lease LDAP checks will be blocked for 600 seconds
# (10 minutes) for this user.
lease = Gitlab::ExclusiveLease.new("user_ldap_check:#{id}", timeout: 600)
lease.try_obtain
end
2014-09-02 18:07:02 +05:30
def solo_owned_groups
2022-07-16 23:28:13 +05:30
# For each owned group, count the owners found in self and ancestors.
counts = GroupMember
.from('unnest(namespaces.traversal_ids) AS ancestors(ancestor_id), members')
.where('members.source_id = ancestors.ancestor_id')
.all_by_access_level(GroupMember::OWNER)
.having('count(members.user_id) = 1')
Group
.from(owned_groups, :namespaces)
.where_exists(counts)
2014-09-02 18:07:02 +05:30
end
def with_defaults
User.defaults.each do |k, v|
2018-03-17 18:26:18 +05:30
public_send("#{k}=", v) # rubocop:disable GitlabSecurity/PublicSend
2014-09-02 18:07:02 +05:30
end
self
end
def can_leave_project?(project)
project.namespace != namespace &&
2022-03-02 08:16:31 +05:30
project.member(self)
2014-09-02 18:07:02 +05:30
end
def full_website_url
2018-03-17 18:26:18 +05:30
return "http://#{website_url}" if website_url !~ %r{\Ahttps?://}
2014-09-02 18:07:02 +05:30
website_url
end
def short_website_url
2018-03-17 18:26:18 +05:30
website_url.sub(%r{\Ahttps?://}, '')
2014-09-02 18:07:02 +05:30
end
def all_ssh_keys
2015-09-11 14:41:01 +05:30
keys.map(&:publishable_key)
2014-09-02 18:07:02 +05:30
end
def temp_oauth_email?
2015-04-26 12:48:37 +05:30
email.start_with?('temp-email-for-oauth')
2014-09-02 18:07:02 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2017-09-10 17:25:29 +05:30
def avatar_url(size: nil, scale: 2, **args)
2018-03-17 18:26:18 +05:30
GravatarService.new.execute(email, size, scale, username: username)
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def primary_email_verified?
confirmed? && !temp_oauth_email?
2014-09-02 18:07:02 +05:30
end
2018-11-08 19:23:39 +05:30
def accept_pending_invitations!
pending_invitations.select do |member|
member.accept_invite!(self)
end
end
def pending_invitations
Member.where(invite_email: verified_emails).invite
end
2020-04-08 14:13:33 +05:30
def all_emails(include_private_email: true)
2016-01-29 22:53:50 +05:30
all_emails = []
2017-08-17 22:00:37 +05:30
all_emails << email unless temp_oauth_email?
2020-04-08 14:13:33 +05:30
all_emails << private_commit_email if include_private_email
2022-07-29 17:44:30 +05:30
all_emails.concat(emails.filter_map { |email| email.email if email.confirmed? })
2021-12-11 22:18:48 +05:30
all_emails.uniq
2015-04-26 12:48:37 +05:30
end
2020-05-30 21:06:31 +05:30
def verified_emails(include_private_email: true)
2018-03-17 18:26:18 +05:30
verified_emails = []
verified_emails << email if primary_email_verified?
2020-05-30 21:06:31 +05:30
verified_emails << private_commit_email if include_private_email
2018-03-17 18:26:18 +05:30
verified_emails.concat(emails.confirmed.pluck(:email))
2021-12-11 22:18:48 +05:30
verified_emails.uniq
2018-03-17 18:26:18 +05:30
end
2020-05-30 21:06:31 +05:30
def public_verified_emails
2021-04-29 21:17:54 +05:30
strong_memoize(:public_verified_emails) do
emails = verified_emails(include_private_email: false)
emails << email unless temp_oauth_email?
emails.uniq
end
2020-05-30 21:06:31 +05:30
end
2019-02-15 15:39:39 +05:30
def any_email?(check_email)
downcased = check_email.downcase
# handle the outdated private commit email case
return true if persisted? &&
id == Gitlab::PrivateCommitEmail.user_id_for_email(downcased)
all_emails.include?(check_email.downcase)
end
2018-03-17 18:26:18 +05:30
def verified_email?(check_email)
downcased = check_email.downcase
2018-12-13 13:39:08 +05:30
2019-02-15 15:39:39 +05:30
# handle the outdated private commit email case
return true if persisted? &&
id == Gitlab::PrivateCommitEmail.user_id_for_email(downcased)
2018-12-13 13:39:08 +05:30
2019-02-15 15:39:39 +05:30
verified_emails.include?(check_email.downcase)
2018-03-17 18:26:18 +05:30
end
2015-04-26 12:48:37 +05:30
def hook_attrs
{
2021-03-08 18:12:59 +05:30
id: id,
2015-04-26 12:48:37 +05:30
name: name,
username: username,
2020-03-13 15:44:24 +05:30
avatar_url: avatar_url(only_path: false),
2023-01-10 11:22:00 +05:30
email: webhook_email
2015-04-26 12:48:37 +05:30
}
end
2014-09-02 18:07:02 +05:30
def ensure_namespace_correct
2018-03-17 18:26:18 +05:30
if namespace
2019-09-30 21:07:59 +05:30
namespace.path = username if username_changed?
namespace.name = name if name_changed?
2018-03-17 18:26:18 +05:30
else
2021-11-18 22:05:49 +05:30
# TODO: we should no longer need the `type` parameter once we can make the
# the `has_one :namespace` association use the correct class.
# issue https://gitlab.com/gitlab-org/gitlab/-/issues/341070
namespace = build_namespace(path: username, name: name, type: ::Namespaces::UserNamespace.sti_name)
2020-07-28 23:09:34 +05:30
namespace.build_namespace_settings
2014-09-02 18:07:02 +05:30
end
end
2018-03-17 18:26:18 +05:30
def set_username_errors
namespace_path_errors = self.errors.delete(:"namespace.path")
2021-03-08 18:12:59 +05:30
return unless namespace_path_errors&.any?
if namespace_path_errors.include?('has already been taken') && !User.exists?(username: username)
self.errors.add(:base, :username_exists_as_a_different_namespace)
else
2021-06-08 01:23:25 +05:30
namespace_path_errors.each do |msg|
self.errors.add(:username, msg)
end
2021-03-08 18:12:59 +05:30
end
2018-03-17 18:26:18 +05:30
end
def username_changed_hook
system_hook_service.execute_hooks_for(self, :rename)
end
2014-09-02 18:07:02 +05:30
def post_destroy_hook
2017-08-17 22:00:37 +05:30
log_info("User \"#{name}\" (#{email}) was removed")
2018-03-17 18:26:18 +05:30
2014-09-02 18:07:02 +05:30
system_hook_service.execute_hooks_for(self, :destroy)
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def remove_key_cache
Users::KeysCountService.new(self).delete_cache
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
2017-09-10 17:25:29 +05:30
def delete_async(deleted_by:, params: {})
block if params[:hard_delete]
2018-10-15 14:42:47 +05:30
DeleteUserWorker.perform_async(deleted_by.id, id, params.to_h)
2017-09-10 17:25:29 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def notification_service
NotificationService.new
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
2015-04-26 12:48:37 +05:30
def log_info(message)
2014-09-02 18:07:02 +05:30
Gitlab::AppLogger.info message
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def system_hook_service
SystemHooksService.new
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def starred?(project)
2015-12-23 02:04:40 +05:30
starred_projects.exists?(project.id)
2014-09-02 18:07:02 +05:30
end
def toggle_star(project)
2015-11-26 14:37:03 +05:30
UsersStarProject.transaction do
2017-09-10 17:25:29 +05:30
user_star_project = users_star_projects
.where(project: project, user: self).lock(true).first
2015-11-26 14:37:03 +05:30
if user_star_project
user_star_project.destroy
else
UsersStarProject.create!(project: project, user: self)
end
2014-09-02 18:07:02 +05:30
end
end
2015-04-26 12:48:37 +05:30
2021-03-11 19:13:27 +05:30
def following?(user)
self.followees.exists?(user.id)
end
2022-08-13 15:12:31 +05:30
def followed_by?(user)
self.followers.include?(user)
end
2021-03-11 19:13:27 +05:30
def follow(user)
return false if self.id == user.id
begin
followee = Users::UserFollowUser.create(follower_id: self.id, followee_id: user.id)
self.followees.reset if followee.persisted?
2022-11-25 23:54:43 +05:30
followee
2021-03-11 19:13:27 +05:30
rescue ActiveRecord::RecordNotUnique
2022-11-25 23:54:43 +05:30
nil
2021-03-11 19:13:27 +05:30
end
end
def unfollow(user)
if Users::UserFollowUser.where(follower_id: self.id, followee_id: user.id).delete_all > 0
self.followees.reset
else
false
end
end
2022-03-02 08:16:31 +05:30
def forkable_namespaces
2022-08-27 11:52:29 +05:30
strong_memoize(:forkable_namespaces) do
personal_namespace = Namespace.where(id: namespace_id)
2022-10-11 01:57:18 +05:30
Namespace.from_union(
[
manageable_groups(include_groups_with_developer_maintainer_access: true),
personal_namespace
])
2022-08-27 11:52:29 +05:30
end
2018-03-17 18:26:18 +05:30
end
2019-07-07 11:18:12 +05:30
def manageable_groups(include_groups_with_developer_maintainer_access: false)
2023-05-27 22:25:52 +05:30
owned_and_maintainer_group_hierarchy = owned_or_maintainers_groups.self_and_descendants
2019-07-07 11:18:12 +05:30
if include_groups_with_developer_maintainer_access
union_sql = ::Gitlab::SQL::Union.new(
[owned_and_maintainer_group_hierarchy,
groups_with_developer_maintainer_project_access]).to_sql
::Group.from("(#{union_sql}) #{::Group.table_name}")
else
owned_and_maintainer_group_hierarchy
end
end
2021-10-27 15:23:28 +05:30
def namespaces(owned_only: false)
user_groups = owned_only ? owned_groups : groups
personal_namespace = Namespace.where(id: namespace.id)
Namespace.from_union([user_groups, personal_namespace])
2015-09-11 14:41:01 +05:30
end
2015-04-26 12:48:37 +05:30
def oauth_authorized_tokens
2022-08-13 15:12:31 +05:30
OauthAccessToken.where(resource_owner_id: id, revoked_at: nil)
2015-04-26 12:48:37 +05:30
end
2015-11-26 14:37:03 +05:30
# Returns the projects a user contributed to in the last year.
#
# This method relies on a subquery as this performs significantly better
# compared to a JOIN when coupled with, for example,
# `Project.visible_to_user`. That is, consider the following code:
#
# some_user.contributed_projects.visible_to_user(other_user)
#
# If this method were to use a JOIN the resulting query would take roughly 200
# ms on a database with a similar size to GitLab.com's database. On the other
# hand, using a subquery means we can get the exact same data in about 40 ms.
def contributed_projects
2017-09-10 17:25:29 +05:30
events = Event.select(:project_id)
.contributions.where(author_id: self)
2020-06-23 00:09:42 +05:30
.where("created_at > ?", Time.current - 1.year)
2018-12-13 13:39:08 +05:30
.distinct
2017-09-10 17:25:29 +05:30
.reorder(nil)
2015-11-26 14:37:03 +05:30
2022-04-04 11:22:00 +05:30
Project.where(id: events).not_aimed_for_deletion
2015-04-26 12:48:37 +05:30
end
2015-09-11 14:41:01 +05:30
def can_be_removed?
!solo_owned_groups.present?
end
2015-09-25 12:07:36 +05:30
2021-02-22 17:27:13 +05:30
def can_remove_self?
true
end
2022-07-01 11:34:44 +05:30
def authorized_project_mirrors(level)
2022-11-25 23:54:43 +05:30
projects = Ci::ProjectMirror.by_project_id(ci_project_ids_for_project_members(level))
2022-07-01 11:34:44 +05:30
namespace_projects = Ci::ProjectMirror.by_namespace_id(ci_namespace_mirrors_for_group_members(level).select(:namespace_id))
Ci::ProjectMirror.from_union([projects, namespace_projects])
end
2018-11-08 19:23:39 +05:30
def ci_owned_runners
2023-03-04 22:38:38 +05:30
@ci_owned_runners ||= Ci::Runner
2022-07-23 23:45:48 +05:30
.from_union([ci_owned_project_runners_from_project_members,
ci_owned_project_runners_from_group_members,
ci_owned_group_runners])
2015-11-26 14:37:03 +05:30
end
2021-11-11 11:23:49 +05:30
def owns_runner?(runner)
2023-01-13 00:05:48 +05:30
ci_owned_runners.include?(runner)
2021-11-11 11:23:49 +05:30
end
2019-10-12 21:52:04 +05:30
def notification_email_for(notification_group)
# Return group-specific email address if present, otherwise return global notification email address
2023-03-04 22:38:38 +05:30
group_email = if notification_group && notification_group.respond_to?(:notification_email_for)
notification_group.notification_email_for(self)
end
group_email || notification_email_or_default
2019-10-12 21:52:04 +05:30
end
2019-12-21 20:55:43 +05:30
def notification_settings_for(source, inherit: false)
2018-03-17 18:26:18 +05:30
if notification_settings.loaded?
2018-11-08 19:23:39 +05:30
notification_settings.find do |notification|
notification.source_type == source.class.base_class.name &&
notification.source_id == source.id
end
2018-03-17 18:26:18 +05:30
else
2019-12-21 20:55:43 +05:30
notification_settings.find_or_initialize_by(source: source) do |ns|
next unless source.is_a?(Group) && inherit
# If we're here it means we're trying to create a NotificationSetting for a group that doesn't have one.
# Find the closest parent with a notification_setting that's not Global level, or that has an email set.
ancestor_ns = source
.notification_settings(hierarchy_order: :asc)
.where(user: self)
.find_by('level != ? OR notification_email IS NOT NULL', NotificationSetting.levels[:global])
# Use it to seed the settings
ns.assign_attributes(ancestor_ns&.slice(*NotificationSetting.allowed_fields))
ns.source = source
ns.user = self
end
2018-03-17 18:26:18 +05:30
end
2016-06-02 11:05:42 +05:30
end
2020-11-24 15:15:51 +05:30
def notification_settings_for_groups(groups)
ids = groups.is_a?(ActiveRecord::Relation) ? groups.select(:id) : groups.map(&:id)
notification_settings.for_groups.where(source_id: ids)
end
# Lazy load global notification setting
# Initializes User setting with Participating level if setting not persisted
def global_notification_setting
return @global_notification_setting if defined?(@global_notification_setting)
@global_notification_setting = notification_settings.find_or_initialize_by(source: nil)
2018-11-18 11:00:15 +05:30
@global_notification_setting.update(level: NotificationSetting.levels[DEFAULT_NOTIFICATION_LEVEL]) unless @global_notification_setting.persisted?
@global_notification_setting
end
2017-08-17 22:00:37 +05:30
def assigned_open_merge_requests_count(force: false)
2021-06-08 01:23:25 +05:30
Rails.cache.fetch(['users', id, 'assigned_open_merge_requests_count'], force: force, expires_in: COUNT_CACHE_VALIDITY_PERIOD) do
2018-12-05 23:21:45 +05:30
MergeRequestsFinder.new(self, assignee_id: self.id, state: 'opened', non_archived: true).execute.count
end
end
2021-03-08 18:12:59 +05:30
def review_requested_open_merge_requests_count(force: false)
2021-06-08 01:23:25 +05:30
Rails.cache.fetch(['users', id, 'review_requested_open_merge_requests_count'], force: force, expires_in: COUNT_CACHE_VALIDITY_PERIOD) do
2021-03-08 18:12:59 +05:30
MergeRequestsFinder.new(self, reviewer_id: id, state: 'opened', non_archived: true).execute.count
end
end
def assigned_open_issues_count(force: false)
2021-06-08 01:23:25 +05:30
Rails.cache.fetch(['users', id, 'assigned_open_issues_count'], force: force, expires_in: COUNT_CACHE_VALIDITY_PERIOD) do
2018-12-05 23:21:45 +05:30
IssuesFinder.new(self, assignee_id: self.id, state: 'opened', non_archived: true).execute.count
end
end
2018-03-27 19:54:05 +05:30
def todos_done_count(force: false)
2021-06-08 01:23:25 +05:30
Rails.cache.fetch(['users', id, 'todos_done_count'], force: force, expires_in: COUNT_CACHE_VALIDITY_PERIOD) do
2018-03-27 19:54:05 +05:30
TodosFinder.new(self, state: :done).execute.count
end
end
def todos_pending_count(force: false)
2021-06-08 01:23:25 +05:30
Rails.cache.fetch(['users', id, 'todos_pending_count'], force: force, expires_in: COUNT_CACHE_VALIDITY_PERIOD) do
2018-03-27 19:54:05 +05:30
TodosFinder.new(self, state: :pending).execute.count
end
end
2018-05-09 12:01:36 +05:30
def personal_projects_count(force: false)
Rails.cache.fetch(['users', id, 'personal_projects_count'], force: force, expires_in: 24.hours, raw: true) do
personal_projects.count
end.to_i
end
2018-03-27 19:54:05 +05:30
def update_todos_count_cache
todos_done_count(force: true)
todos_pending_count(force: true)
end
2017-08-17 22:00:37 +05:30
def invalidate_cache_counts
invalidate_issue_cache_counts
invalidate_merge_request_cache_counts
2021-04-29 21:17:54 +05:30
invalidate_todos_cache_counts
2018-05-09 12:01:36 +05:30
invalidate_personal_projects_count
2017-08-17 22:00:37 +05:30
end
def invalidate_issue_cache_counts
Rails.cache.delete(['users', id, 'assigned_open_issues_count'])
2023-03-17 16:20:25 +05:30
Rails.cache.delete(['users', id, 'max_assigned_open_issues_count'])
2017-08-17 22:00:37 +05:30
end
def invalidate_merge_request_cache_counts
Rails.cache.delete(['users', id, 'assigned_open_merge_requests_count'])
2021-03-08 18:12:59 +05:30
Rails.cache.delete(['users', id, 'review_requested_open_merge_requests_count'])
2017-08-17 22:00:37 +05:30
end
2021-04-29 21:17:54 +05:30
def invalidate_todos_cache_counts
2018-03-27 19:54:05 +05:30
Rails.cache.delete(['users', id, 'todos_done_count'])
Rails.cache.delete(['users', id, 'todos_pending_count'])
2016-06-22 15:30:34 +05:30
end
2018-05-09 12:01:36 +05:30
def invalidate_personal_projects_count
Rails.cache.delete(['users', id, 'personal_projects_count'])
end
2016-11-03 12:29:30 +05:30
# This is copied from Devise::Models::Lockable#valid_for_authentication?, as our auth
# flow means we don't call that automatically (and can't conveniently do so).
#
# See:
2019-12-26 22:10:19 +05:30
# <https://github.com/plataformatec/devise/blob/v4.7.1/lib/devise/models/lockable.rb#L104>
2016-11-03 12:29:30 +05:30
#
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2016-11-03 12:29:30 +05:30
def increment_failed_attempts!
2018-11-08 19:23:39 +05:30
return if ::Gitlab::Database.read_only?
2019-12-26 22:10:19 +05:30
increment_failed_attempts
2018-11-08 19:23:39 +05:30
2016-11-03 12:29:30 +05:30
if attempts_exceeded?
lock_access! unless access_locked?
else
2018-03-17 18:26:18 +05:30
Users::UpdateService.new(self, user: self).execute(validate: false)
2016-11-03 12:29:30 +05:30
end
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2016-11-03 12:29:30 +05:30
2017-08-17 22:00:37 +05:30
def access_level
if admin?
:admin
else
:regular
end
end
2015-11-26 14:37:03 +05:30
2017-08-17 22:00:37 +05:30
def access_level=(new_level)
new_level = new_level.to_s
return unless %w(admin regular).include?(new_level)
2017-08-17 22:00:37 +05:30
self.admin = (new_level == 'admin')
end
2020-01-01 13:55:28 +05:30
def can_read_all_resources?
2019-12-26 22:10:19 +05:30
can?(:read_all_resources)
2017-09-10 17:25:29 +05:30
end
2021-04-17 20:07:23 +05:30
def can_admin_all_resources?
can?(:admin_all_resources)
end
2017-08-17 22:00:37 +05:30
def update_two_factor_requirement
periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period)
2017-08-17 22:00:37 +05:30
self.require_two_factor_authentication_from_group = periods.any?
self.two_factor_grace_period = periods.min || User.column_defaults['two_factor_grace_period']
save
2015-09-25 12:07:36 +05:30
end
2021-02-22 17:27:13 +05:30
# each existing user needs to have a `feed_token`.
2017-09-10 17:25:29 +05:30
# we do this on read since migrating all existing users is not a feasible
# solution.
2018-11-08 19:23:39 +05:30
def feed_token
2022-01-26 12:08:38 +05:30
ensure_feed_token! unless Gitlab::CurrentSettings.disable_feed_token
2017-09-10 17:25:29 +05:30
end
2019-12-04 20:38:33 +05:30
# Each existing user needs to have a `static_object_token`.
# We do this on read since migrating all existing users is not a feasible
# solution.
def static_object_token
ensure_static_object_token!
end
2022-01-26 12:08:38 +05:30
def enabled_static_object_token
static_object_token if Gitlab::CurrentSettings.static_objects_external_storage_enabled?
end
def enabled_incoming_email_token
incoming_email_token if Gitlab::IncomingEmail.supports_issue_creation?
end
2018-03-17 18:26:18 +05:30
def sync_attribute?(attribute)
return true if ldap_user? && attribute == :email
attributes = Gitlab.config.omniauth.sync_profile_attributes
if attributes.is_a?(Array)
attributes.include?(attribute.to_s)
else
attributes
end
end
def read_only_attribute?(attribute)
user_synced_attributes_metadata&.read_only?(attribute)
end
# override, from Devise
2022-08-13 15:12:31 +05:30
def lock_access!(opts = {})
2018-03-17 18:26:18 +05:30
Gitlab::AppLogger.info("Account Locked: username=#{username}")
super
end
# Determine the maximum access level for a group of projects in bulk.
#
# Returns a Hash mapping project ID -> maximum access level.
def max_member_access_for_project_ids(project_ids)
2022-05-07 20:08:51 +05:30
Gitlab::SafeRequestLoader.execute(resource_key: max_member_access_for_resource_key(Project),
resource_ids: project_ids,
default_value: Gitlab::Access::NO_ACCESS) do |project_ids|
2018-03-17 18:26:18 +05:30
project_authorizations.where(project: project_ids)
.group(:project_id)
.maximum(:access_level)
end
end
def max_member_access_for_project(project_id)
max_member_access_for_project_ids([project_id])[project_id]
end
# Determine the maximum access level for a group of groups in bulk.
#
# Returns a Hash mapping project ID -> maximum access level.
def max_member_access_for_group_ids(group_ids)
2022-05-07 20:08:51 +05:30
Gitlab::SafeRequestLoader.execute(resource_key: max_member_access_for_resource_key(Group),
resource_ids: group_ids,
default_value: Gitlab::Access::NO_ACCESS) do |group_ids|
2018-03-17 18:26:18 +05:30
group_members.where(source: group_ids).group(:source_id).maximum(:access_level)
end
end
def max_member_access_for_group(group_id)
max_member_access_for_group_ids([group_id])[group_id]
end
2018-10-15 14:42:47 +05:30
def terms_accepted?
2021-01-03 14:25:43 +05:30
return true if project_bot?
2018-10-15 14:42:47 +05:30
accepted_term_id.present?
end
def required_terms_not_accepted?
Gitlab::CurrentSettings.current_application_settings.enforce_terms? &&
!terms_accepted?
end
2018-11-20 20:47:30 +05:30
def requires_usage_stats_consent?
2019-09-30 21:07:59 +05:30
self.admin? && 7.days.ago > self.created_at && !has_current_license? && User.single_user? && !consented_usage_stats?
2018-11-08 19:23:39 +05:30
end
2018-12-13 13:39:08 +05:30
# Avoid migrations only building user preference object when needed.
def user_preference
super.presence || build_user_preference
end
2020-04-08 14:13:33 +05:30
def user_detail
super.presence || build_user_detail
end
2019-02-15 15:39:39 +05:30
def pending_todo_for(target)
todos.find_by(target: target, state: :pending)
end
2019-12-21 20:55:43 +05:30
def password_expired?
2020-06-23 00:09:42 +05:30
!!(password_expires_at && password_expires_at < Time.current)
2019-12-21 20:55:43 +05:30
end
2021-07-02 01:05:55 +05:30
def password_expired_if_applicable?
2021-09-30 23:02:18 +05:30
return false if bot?
return false unless password_expired?
return false if password_automatically_set?
2021-07-02 01:05:55 +05:30
return false unless allow_password_authentication?
2021-09-30 23:02:18 +05:30
true
2021-07-02 01:05:55 +05:30
end
2022-03-02 08:16:31 +05:30
def can_log_in_with_non_expired_password?
can?(:log_in) && !password_expired_if_applicable?
end
2019-12-21 20:55:43 +05:30
def can_be_deactivated?
2021-01-03 14:25:43 +05:30
active? && no_recent_activity? && !internal?
2019-12-21 20:55:43 +05:30
end
def last_active_at
last_activity = last_activity_on&.to_time&.in_time_zone
last_sign_in = current_sign_in_at
[last_activity, last_sign_in].compact.max
end
REQUIRES_ROLE_VALUE = 99
def role_required?
role_before_type_cast == REQUIRES_ROLE_VALUE
end
def set_role_required!
update_column(:role, REQUIRES_ROLE_VALUE)
end
2020-03-13 15:44:24 +05:30
def dismissed_callout?(feature_name:, ignore_dismissal_earlier_than: nil)
2021-04-29 21:17:54 +05:30
callout = callouts_by_feature_name[feature_name]
2021-11-11 11:23:49 +05:30
callout_dismissed?(callout, ignore_dismissal_earlier_than)
end
2020-03-13 15:44:24 +05:30
2021-11-11 11:23:49 +05:30
def dismissed_callout_for_group?(feature_name:, group:, ignore_dismissal_earlier_than: nil)
source_feature_name = "#{feature_name}_#{group.id}"
callout = group_callouts_by_feature_name[source_feature_name]
callout_dismissed?(callout, ignore_dismissal_earlier_than)
2020-03-13 15:44:24 +05:30
end
2022-08-27 11:52:29 +05:30
def dismissed_callout_for_project?(feature_name:, project:, ignore_dismissal_earlier_than: nil)
callout = project_callouts.find_by(feature_name: feature_name, project: project)
callout_dismissed?(callout, ignore_dismissal_earlier_than)
end
2020-04-22 19:07:51 +05:30
# Load the current highest access by looking directly at the user's memberships
def current_highest_access_level
members.non_request.maximum(:access_level)
end
def confirmation_required_on_sign_in?
2023-05-27 22:25:52 +05:30
return false if confirmed?
if ::Gitlab::CurrentSettings.email_confirmation_setting_off?
false
elsif ::Gitlab::CurrentSettings.email_confirmation_setting_soft?
!in_confirmation_period?
elsif ::Gitlab::CurrentSettings.email_confirmation_setting_hard?
true
end
2020-04-22 19:07:51 +05:30
end
2020-05-24 23:13:21 +05:30
def impersonated?
impersonator.present?
2020-04-22 19:07:51 +05:30
end
2018-11-18 11:00:15 +05:30
2020-07-28 23:09:34 +05:30
def created_recently?
created_at > Devise.confirm_within.ago
end
2021-04-17 20:07:23 +05:30
def find_or_initialize_callout(feature_name)
2022-01-26 12:08:38 +05:30
callouts.find_or_initialize_by(feature_name: ::Users::Callout.feature_names[feature_name])
2021-04-17 20:07:23 +05:30
end
2021-11-11 11:23:49 +05:30
def find_or_initialize_group_callout(feature_name, group_id)
group_callouts
.find_or_initialize_by(feature_name: ::Users::GroupCallout.feature_names[feature_name], group_id: group_id)
end
2022-08-27 11:52:29 +05:30
def find_or_initialize_project_callout(feature_name, project_id)
project_callouts
.find_or_initialize_by(feature_name: ::Users::ProjectCallout.feature_names[feature_name], project_id: project_id)
end
2021-04-17 20:07:23 +05:30
def can_trigger_notifications?
confirmed? && !blocked? && !ghost?
end
2021-09-04 01:27:46 +05:30
# This attribute hosts a Ci::JobToken::Scope object which is set when
# the user is authenticated successfully via CI_JOB_TOKEN.
def ci_job_token_scope
Gitlab::SafeRequestStore[ci_job_token_scope_cache_key]
end
def set_ci_job_token_scope!(job)
Gitlab::SafeRequestStore[ci_job_token_scope_cache_key] = Ci::JobToken::Scope.new(job.project)
end
def from_ci_job_token?
ci_job_token_scope.present?
end
2021-12-11 22:18:48 +05:30
def user_project
strong_memoize(:user_project) do
personal_projects.find_by(path: username, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
end
def user_readme
strong_memoize(:user_readme) do
user_project&.repository&.readme
end
end
2022-08-27 11:52:29 +05:30
def account_age_in_days
(Date.current - created_at.to_date).to_i
end
2022-10-02 17:18:49 +05:30
def webhook_email
public_email.presence || _('[REDACTED]')
end
2023-03-17 16:20:25 +05:30
def namespace_commit_email_for_project(project)
return if project.nil?
namespace_commit_emails.find_by(namespace: project.project_namespace) ||
namespace_commit_emails.find_by(namespace: project.root_namespace)
end
2017-08-17 22:00:37 +05:30
protected
# override, from Devise::Validatable
def password_required?
2020-04-22 19:07:51 +05:30
return false if internal? || project_bot?
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
super
end
2019-10-12 21:52:04 +05:30
# override from Devise::Confirmable
def confirmation_period_valid?
2023-05-27 22:25:52 +05:30
return super if ::Gitlab::CurrentSettings.email_confirmation_setting_soft?
2019-10-12 21:52:04 +05:30
2023-05-27 22:25:52 +05:30
# Following devise logic for method, we want to return `true`
# See: https://github.com/heartcombo/devise/blob/main/lib/devise/models/confirmable.rb#L191-L218
true
2019-10-12 21:52:04 +05:30
end
2023-05-27 22:25:52 +05:30
alias_method :in_confirmation_period?, :confirmation_period_valid?
2019-10-12 21:52:04 +05:30
2020-04-22 19:07:51 +05:30
# This is copied from Devise::Models::TwoFactorAuthenticatable#consume_otp!
#
# An OTP cannot be used more than once in a given timestep
# Storing timestep of last valid OTP is sufficient to satisfy this requirement
#
# See:
# <https://github.com/tinfoil/devise-two-factor/blob/master/lib/devise_two_factor/models/two_factor_authenticatable.rb#L66>
#
def consume_otp!
if self.consumed_timestep != current_otp_timestep
self.consumed_timestep = current_otp_timestep
return Gitlab::Database.read_only? ? true : save(validate: false)
end
false
end
2017-08-17 22:00:37 +05:30
private
2022-11-25 23:54:43 +05:30
def pbkdf2?
return false unless otp_backup_codes&.any?
otp_backup_codes.first.start_with?("$pbkdf2-sha512$")
end
2021-12-11 22:18:48 +05:30
# rubocop: disable CodeReuse/ServiceClass
def add_primary_email_to_emails!
Emails::CreateService.new(self, user: self, email: self.email).execute(confirmed_at: self.confirmed_at)
end
# rubocop: enable CodeReuse/ServiceClass
2022-11-25 23:54:43 +05:30
def ci_project_ids_for_project_members(level)
2022-07-01 11:34:44 +05:30
project_members.where('access_level >= ?', level).pluck(:source_id)
end
2021-11-11 11:23:49 +05:30
def notification_email_verified
return if notification_email.blank? || temp_oauth_email?
errors.add(:notification_email, _("must be an email you have verified")) unless verified_emails.include?(notification_email_or_default)
end
def public_email_verified
return if public_email.blank?
errors.add(:public_email, _("must be an email you have verified")) unless verified_emails.include?(public_email)
end
def commit_email_verified
return if commit_email.blank?
errors.add(:commit_email, _("must be an email you have verified")) unless verified_emails.include?(commit_email_or_default)
end
def callout_dismissed?(callout, ignore_dismissal_earlier_than)
return false unless callout
return callout.dismissed_after?(ignore_dismissal_earlier_than) if ignore_dismissal_earlier_than
true
end
2021-04-29 21:17:54 +05:30
def callouts_by_feature_name
@callouts_by_feature_name ||= callouts.index_by(&:feature_name)
end
2021-11-11 11:23:49 +05:30
def group_callouts_by_feature_name
@group_callouts_by_feature_name ||= group_callouts.index_by(&:source_feature_name)
end
2021-01-29 00:20:46 +05:30
def authorized_groups_without_shared_membership
2022-10-11 01:57:18 +05:30
Group.from_union(
[
groups.select(*Namespace.cached_column_list),
authorized_projects.joins(:namespace).select(*Namespace.cached_column_list)
])
2021-01-29 00:20:46 +05:30
end
def authorized_groups_with_shared_membership
cte = Gitlab::SQL::CTE.new(:direct_groups, authorized_groups_without_shared_membership)
cte_alias = cte.table.alias(Group.table_name)
Group
.with(cte.to_arel)
.from_union([
2022-10-11 01:57:18 +05:30
Group.from(cte_alias),
Group.joins(:shared_with_group_links)
.where(group_group_links: { shared_with_group_id: Group.from(cte_alias) })
])
2021-01-29 00:20:46 +05:30
end
2018-11-20 20:47:30 +05:30
def has_current_license?
false
end
def consented_usage_stats?
2019-09-30 21:07:59 +05:30
# Bypass the cache here because it's possible the admin enabled the
# usage ping, and we don't want to annoy the user again if they
# already set the value. This is a bit of hack, but the alternative
# would be to put in a more complex cache invalidation step. Since
# this call only gets called in the uncommon situation where the
# user is an admin and the only user in the instance, this shouldn't
# cause too much load on the system.
ApplicationSetting.current_without_cache&.usage_stats_set_by_user_id == self.id
2018-11-20 20:47:30 +05:30
end
2017-09-10 17:25:29 +05:30
def ensure_user_rights_and_limits
if external?
self.can_create_group = false
self.projects_limit = 0
else
2018-03-17 18:26:18 +05:30
# Only revert these back to the default if they weren't specifically changed in this update.
2022-11-25 23:54:43 +05:30
self.can_create_group = Gitlab::CurrentSettings.can_create_group unless can_create_group_changed?
2018-03-17 18:26:18 +05:30
self.projects_limit = Gitlab::CurrentSettings.default_projects_limit unless projects_limit_changed?
2017-09-10 17:25:29 +05:30
end
2016-06-02 11:05:42 +05:30
end
2016-08-24 12:49:21 +05:30
2022-03-02 08:16:31 +05:30
def email_allowed_by_restrictions?
2021-10-27 15:23:28 +05:30
error = validate_admin_signup_restrictions(email)
2017-08-17 22:00:37 +05:30
2021-10-27 15:23:28 +05:30
errors.add(:email, error) if error
2020-04-08 14:13:33 +05:30
end
2021-11-18 22:05:49 +05:30
def signup_email_invalid_message
2022-05-07 20:08:51 +05:30
self.new_record? ? _('is not allowed for sign-up. Please use your regular email address.') : _('is not allowed. Please use your regular email address.')
2021-11-18 22:05:49 +05:30
end
2021-07-02 01:05:55 +05:30
def check_username_format
2021-09-04 01:27:46 +05:30
return if username.blank? || Mime::EXTENSION_LOOKUP.keys.none? { |type| username.end_with?(".#{type}") }
2021-07-02 01:05:55 +05:30
2021-11-18 22:05:49 +05:30
errors.add(:username, _('ending with a reserved file extension is not allowed.'))
2021-07-02 01:05:55 +05:30
end
2022-10-11 01:57:18 +05:30
def check_password_weakness
2023-03-04 22:38:38 +05:30
if password.present? && Security::WeakPasswords.weak_for_user?(password, self)
2022-10-11 01:57:18 +05:30
errors.add(:password, _('must not contain commonly used combinations of words and letters'))
end
end
2019-07-07 11:18:12 +05:30
def groups_with_developer_maintainer_project_access
project_creation_levels = [::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS]
if ::Gitlab::CurrentSettings.default_project_creation == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
project_creation_levels << nil
end
2022-01-26 12:08:38 +05:30
developer_groups.self_and_descendants.where(project_creation_level: project_creation_levels)
2019-07-07 11:18:12 +05:30
end
2019-12-21 20:55:43 +05:30
def no_recent_activity?
2022-10-11 01:57:18 +05:30
last_active_at.to_i <= Gitlab::CurrentSettings.deactivate_dormant_users_period.days.ago.to_i
2019-12-21 20:55:43 +05:30
end
2020-04-22 19:07:51 +05:30
def update_highest_role?
return false unless persisted?
2020-06-23 00:09:42 +05:30
(previous_changes.keys & %w(state user_type)).any?
2020-04-22 19:07:51 +05:30
end
def update_highest_role_attribute
id
end
2021-09-04 01:27:46 +05:30
def ci_job_token_scope_cache_key
"users:#{id}:ci:job_token_scope"
end
2021-12-11 22:18:48 +05:30
# An `ldap_blocked` user will be unblocked if LDAP indicates they are allowed.
def check_ldap_if_ldap_blocked!
return unless ::Gitlab::Auth::Ldap::Config.enabled? && ldap_blocked?
::Gitlab::Auth::Ldap::Access.allowed?(self)
end
2022-03-02 08:16:31 +05:30
def ci_owned_project_runners_from_project_members
2022-11-25 23:54:43 +05:30
project_ids = ci_project_ids_for_project_members(Gitlab::Access::MAINTAINER)
2022-06-21 17:19:12 +05:30
Ci::Runner
.joins(:runner_projects)
.where(runner_projects: { project: project_ids })
2022-03-02 08:16:31 +05:30
end
def ci_owned_project_runners_from_group_members
2022-06-21 17:19:12 +05:30
cte_namespace_ids = Gitlab::SQL::CTE.new(
:cte_namespace_ids,
ci_namespace_mirrors_for_group_members(Gitlab::Access::MAINTAINER).select(:namespace_id)
)
cte_project_ids = Gitlab::SQL::CTE.new(
:cte_project_ids,
Ci::ProjectMirror
.select(:project_id)
.where('ci_project_mirrors.namespace_id IN (SELECT namespace_id FROM cte_namespace_ids)')
)
Ci::Runner
.with(cte_namespace_ids.to_arel)
.with(cte_project_ids.to_arel)
.joins(:runner_projects)
.where('ci_runner_projects.project_id IN (SELECT project_id FROM cte_project_ids)')
2022-03-02 08:16:31 +05:30
end
def ci_owned_group_runners
2022-06-21 17:19:12 +05:30
cte_namespace_ids = Gitlab::SQL::CTE.new(
:cte_namespace_ids,
ci_namespace_mirrors_for_group_members(Gitlab::Access::OWNER).select(:namespace_id)
)
Ci::Runner
.with(cte_namespace_ids.to_arel)
.joins(:runner_namespaces)
.where('ci_runner_namespaces.namespace_id IN (SELECT namespace_id FROM cte_namespace_ids)')
2022-03-02 08:16:31 +05:30
end
def ci_namespace_mirrors_for_group_members(level)
2022-06-21 17:19:12 +05:30
search_members = group_members.where('access_level >= ?', level)
# This reduces searched prefixes to only shortest ones
# to avoid querying descendants since they are already covered
# by ancestor namespaces. If the FF is not available fallback to
# inefficient search: https://gitlab.com/gitlab-org/gitlab/-/issues/336436
2022-07-16 23:28:13 +05:30
unless Feature.enabled?(:use_traversal_ids)
2022-06-21 17:19:12 +05:30
return Ci::NamespaceMirror.contains_any_of_namespaces(search_members.pluck(:source_id))
end
traversal_ids = Group.joins(:all_group_members)
.merge(search_members)
.shortest_traversal_ids_prefixes
2022-07-23 23:45:48 +05:30
Ci::NamespaceMirror.contains_traversal_ids(traversal_ids)
2022-03-02 08:16:31 +05:30
end
2014-09-02 18:07:02 +05:30
end
2019-12-04 20:38:33 +05:30
2021-06-08 01:23:25 +05:30
User.prepend_mod_with('User')