debian-mirror-gitlab/app/models/user.rb

2031 lines
66 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2014-09-02 18:07:02 +05:30
require 'carrierwave/orm/activerecord'
2019-03-02 22:35:43 +05:30
class User < ApplicationRecord
2015-04-26 12:48:37 +05:30
extend Gitlab::ConfigHelper
2015-09-11 14:41:01 +05:30
include Gitlab::ConfigHelper
2018-03-17 18:26:18 +05:30
include Gitlab::SQL::Pattern
include AfterCommitQueue
2017-09-10 17:25:29 +05:30
include Avatarable
2015-09-11 14:41:01 +05:30
include Referable
include Sortable
2015-10-24 18:46:33 +05:30
include CaseSensitivity
2015-12-23 02:04:40 +05:30
include TokenAuthenticatable
2017-09-10 17:25:29 +05:30
include FeatureGate
include CreatedAtFilterable
2018-03-17 18:26:18 +05:30
include BulkMemberAccessLoad
include BlocksJsonSerialization
2018-11-08 19:23:39 +05:30
include WithUploads
2018-11-20 20:47:30 +05:30
include OptionallySearch
2018-12-05 23:21:45 +05:30
include FromUnion
2020-03-13 15:44:24 +05:30
include BatchDestroyDependentAssociations
2020-04-22 19:07:51 +05:30
include HasUniqueInternalUsers
include IgnorableColumns
include UpdateHighestRole
2020-05-24 23:13:21 +05:30
include HasUserType
2021-02-22 17:27:13 +05:30
include Gitlab::Auth::Otp::Fortinet
2015-12-23 02:04:40 +05:30
DEFAULT_NOTIFICATION_LEVEL = :participating
2021-01-29 00:20:46 +05:30
INSTANCE_ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT = 10
2021-03-08 18:12:59 +05:30
BLOCKED_PENDING_APPROVAL_STATE = 'blocked_pending_approval'
2021-02-22 17:27:13 +05:30
2018-11-18 11:00:15 +05:30
add_authentication_token_field :incoming_email_token, token_generator: -> { SecureRandom.hex.to_i(16).to_s(36) }
2018-11-08 19:23:39 +05:30
add_authentication_token_field :feed_token
2019-12-04 20:38:33 +05:30
add_authentication_token_field :static_object_token
2014-09-02 18:07:02 +05:30
default_value_for :admin, false
2018-03-17 18:26:18 +05:30
default_value_for(:external) { Gitlab::CurrentSettings.user_default_external }
2014-09-02 18:07:02 +05:30
default_value_for :can_create_group, gitlab_config.default_can_create_group
default_value_for :can_create_team, false
default_value_for :hide_no_ssh_key, false
2015-04-26 12:48:37 +05:30
default_value_for :hide_no_password, false
2017-08-17 22:00:37 +05:30
default_value_for :project_view, :files
default_value_for :notified_of_own_activity, false
default_value_for :preferred_language, I18n.default_locale
2018-03-17 18:26:18 +05:30
default_value_for :theme_id, gitlab_config.default_theme
2014-09-02 18:07:02 +05:30
attr_encrypted :otp_secret,
2016-09-13 17:45:13 +05:30
key: Gitlab::Application.secrets.otp_key_base,
mode: :per_attribute_iv_and_salt,
2016-08-24 12:49:21 +05:30
insecure_mode: true,
algorithm: 'aes-256-cbc'
2015-09-11 14:41:01 +05:30
devise :two_factor_authenticatable,
2016-09-13 17:45:13 +05:30
otp_secret_encryption_key: Gitlab::Application.secrets.otp_key_base
2015-09-11 14:41:01 +05:30
devise :two_factor_backupable, otp_number_of_backup_codes: 10
2017-09-10 17:25:29 +05:30
serialize :otp_backup_codes, JSON # rubocop:disable Cop/ActiveRecordSerialize
2015-09-11 14:41:01 +05:30
devise :lockable, :recoverable, :rememberable, :trackable,
2018-03-17 18:26:18 +05:30
:validatable, :omniauthable, :confirmable, :registerable
2014-09-02 18:07:02 +05:30
2020-11-24 15:15:51 +05:30
include AdminChangedPasswordNotifier
2020-05-24 23:13:21 +05:30
# This module adds async behaviour to Devise emails
# and should be added after Devise modules are initialized.
include AsyncDeviseEmail
2021-01-03 14:25:43 +05:30
MINIMUM_INACTIVE_DAYS = 90
2020-04-22 19:07:51 +05:30
2017-09-10 17:25:29 +05:30
# Override Devise::Models::Trackable#update_tracked_fields!
# to limit database writes to at most once every hour
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2017-09-10 17:25:29 +05:30
def update_tracked_fields!(request)
2018-03-17 18:26:18 +05:30
return if Gitlab::Database.read_only?
2017-09-10 17:25:29 +05:30
update_tracked_fields(request)
lease = Gitlab::ExclusiveLease.new("user_update_tracked_fields:#{id}", timeout: 1.hour.to_i)
return unless lease.try_obtain
2018-03-17 18:26:18 +05:30
Users::UpdateService.new(self, user: self).execute(validate: false)
2017-09-10 17:25:29 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2017-09-10 17:25:29 +05:30
2014-09-02 18:07:02 +05:30
attr_accessor :force_random_password
# Virtual attribute for authenticating by either username or email
attr_accessor :login
2020-05-24 23:13:21 +05:30
# Virtual attribute for impersonator
attr_accessor :impersonator
2014-09-02 18:07:02 +05:30
#
# Relations
#
# Namespace for personal projects
2018-03-17 18:26:18 +05:30
has_one :namespace, -> { where(type: nil) }, dependent: :destroy, foreign_key: :owner_id, inverse_of: :owner, autosave: true # rubocop:disable Cop/ActiveRecordDependent
2014-09-02 18:07:02 +05:30
# Profile
2018-12-13 13:39:08 +05:30
has_many :keys, -> { regular_keys }, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2018-05-09 12:01:36 +05:30
has_many :deploy_keys, -> { where(type: 'DeployKey') }, dependent: :nullify # rubocop:disable Cop/ActiveRecordDependent
2020-10-24 23:57:45 +05:30
has_many :group_deploy_keys
2017-09-10 17:25:29 +05:30
has_many :gpg_keys
2017-08-17 22:00:37 +05:30
2020-11-24 15:15:51 +05:30
has_many :emails
2017-09-10 17:25:29 +05:30
has_many :personal_access_tokens, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :identities, dependent: :destroy, autosave: true # rubocop:disable Cop/ActiveRecordDependent
has_many :u2f_registrations, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2020-11-24 15:15:51 +05:30
has_many :webauthn_registrations
2017-09-10 17:25:29 +05:30
has_many :chat_names, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2018-03-17 18:26:18 +05:30
has_one :user_synced_attributes_metadata, autosave: true
2019-12-21 20:55:43 +05:30
has_one :aws_role, class_name: 'Aws::Role'
2014-09-02 18:07:02 +05:30
2021-03-11 19:13:27 +05:30
# Followers
has_many :followed_users, foreign_key: :follower_id, class_name: 'Users::UserFollowUser'
has_many :followees, through: :followed_users
has_many :following_users, foreign_key: :followee_id, class_name: 'Users::UserFollowUser'
has_many :followers, through: :following_users
2014-09-02 18:07:02 +05:30
# Groups
2018-03-17 18:26:18 +05:30
has_many :members
2020-11-24 15:15:51 +05:30
has_many :group_members, -> { where(requested_at: nil).where("access_level >= ?", Gitlab::Access::GUEST) }, source: 'GroupMember'
2015-04-26 12:48:37 +05:30
has_many :groups, through: :group_members
2018-05-09 12:01:36 +05:30
has_many :owned_groups, -> { where(members: { access_level: Gitlab::Access::OWNER }) }, through: :group_members, source: :group
2018-11-18 11:00:15 +05:30
has_many :maintainers_groups, -> { where(members: { access_level: Gitlab::Access::MAINTAINER }) }, through: :group_members, source: :group
2019-07-07 11:18:12 +05:30
has_many :developer_groups, -> { where(members: { access_level: ::Gitlab::Access::DEVELOPER }) }, through: :group_members, source: :group
2018-11-20 20:47:30 +05:30
has_many :owned_or_maintainers_groups,
-> { where(members: { access_level: [Gitlab::Access::MAINTAINER, Gitlab::Access::OWNER] }) },
through: :group_members,
source: :group
2018-11-18 11:00:15 +05:30
alias_attribute :masters_groups, :maintainers_groups
2020-01-01 13:55:28 +05:30
has_many :reporter_developer_maintainer_owned_groups,
-> { where(members: { access_level: [Gitlab::Access::REPORTER, Gitlab::Access::DEVELOPER, Gitlab::Access::MAINTAINER, Gitlab::Access::OWNER] }) },
through: :group_members,
source: :group
2021-01-03 14:25:43 +05:30
has_many :minimal_access_group_members, -> { where(access_level: [Gitlab::Access::MINIMAL_ACCESS]) }, source: 'GroupMember', class_name: 'GroupMember'
has_many :minimal_access_groups, through: :minimal_access_group_members, source: :group
2014-09-02 18:07:02 +05:30
# Projects
has_many :groups_projects, through: :groups, source: :projects
has_many :personal_projects, through: :namespace, source: :projects
2018-03-17 18:26:18 +05:30
has_many :project_members, -> { where(requested_at: nil) }
2015-04-26 12:48:37 +05:30
has_many :projects, through: :project_members
2014-09-02 18:07:02 +05:30
has_many :created_projects, foreign_key: :creator_id, class_name: 'Project'
2017-09-10 17:25:29 +05:30
has_many :users_star_projects, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
2014-09-02 18:07:02 +05:30
has_many :starred_projects, through: :users_star_projects, source: :project
2018-11-08 19:23:39 +05:30
has_many :project_authorizations, dependent: :delete_all # rubocop:disable Cop/ActiveRecordDependent
2017-08-17 22:00:37 +05:30
has_many :authorized_projects, through: :project_authorizations, source: :project
2014-09-02 18:07:02 +05:30
2018-03-27 19:54:05 +05:30
has_many :user_interacted_projects
has_many :project_interactions, through: :user_interacted_projects, source: :project, class_name: 'Project'
2017-09-10 17:25:29 +05:30
has_many :snippets, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
has_many :notes, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
has_many :issues, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
has_many :merge_requests, dependent: :destroy, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2019-12-04 20:38:33 +05:30
has_many :events, dependent: :delete_all, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2019-02-15 15:39:39 +05:30
has_many :releases, dependent: :nullify, foreign_key: :author_id # rubocop:disable Cop/ActiveRecordDependent
2017-09-10 17:25:29 +05:30
has_many :subscriptions, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :oauth_applications, class_name: 'Doorkeeper::Application', as: :owner, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_one :abuse_report, dependent: :destroy, foreign_key: :user_id # rubocop:disable Cop/ActiveRecordDependent
has_many :reported_abuse_reports, dependent: :destroy, foreign_key: :reporter_id, class_name: "AbuseReport" # rubocop:disable Cop/ActiveRecordDependent
has_many :spam_logs, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :builds, dependent: :nullify, class_name: 'Ci::Build' # rubocop:disable Cop/ActiveRecordDependent
has_many :pipelines, dependent: :nullify, class_name: 'Ci::Pipeline' # rubocop:disable Cop/ActiveRecordDependent
2018-03-17 18:26:18 +05:30
has_many :todos
2018-11-18 11:00:15 +05:30
has_many :notification_settings
2017-09-10 17:25:29 +05:30
has_many :award_emoji, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :triggers, dependent: :destroy, class_name: 'Ci::Trigger', foreign_key: :owner_id # rubocop:disable Cop/ActiveRecordDependent
2017-08-17 22:00:37 +05:30
2020-07-28 23:09:34 +05:30
has_many :issue_assignees, inverse_of: :assignee
has_many :merge_request_assignees, inverse_of: :assignee
2021-02-22 17:27:13 +05:30
has_many :merge_request_reviewers, inverse_of: :reviewer
2017-08-17 22:00:37 +05:30
has_many :assigned_issues, class_name: "Issue", through: :issue_assignees, source: :issue
2020-07-28 23:09:34 +05:30
has_many :assigned_merge_requests, class_name: "MergeRequest", through: :merge_request_assignees, source: :merge_request
2021-04-17 20:07:23 +05:30
has_many :created_custom_emoji, class_name: 'CustomEmoji', inverse_of: :creator
2014-09-02 18:07:02 +05:30
2021-01-03 14:25:43 +05:30
has_many :bulk_imports
2018-03-17 18:26:18 +05:30
has_many :custom_attributes, class_name: 'UserCustomAttribute'
has_many :callouts, class_name: 'UserCallout'
2018-10-15 14:42:47 +05:30
has_many :term_agreements
belongs_to :accepted_term, class_name: 'ApplicationSetting::Term'
2018-03-17 18:26:18 +05:30
2020-05-24 23:13:21 +05:30
has_many :metrics_users_starred_dashboards, class_name: 'Metrics::UsersStarredDashboard', inverse_of: :user
2018-11-18 11:00:15 +05:30
has_one :status, class_name: 'UserStatus'
2018-12-13 13:39:08 +05:30
has_one :user_preference
2020-04-08 14:13:33 +05:30
has_one :user_detail
has_one :user_highest_role
2020-04-22 19:07:51 +05:30
has_one :user_canonical_email
2020-11-24 15:15:51 +05:30
has_one :atlassian_identity, class_name: 'Atlassian::Identity'
2018-11-18 11:00:15 +05:30
2020-06-23 00:09:42 +05:30
has_many :reviews, foreign_key: :author_id, inverse_of: :author
2014-09-02 18:07:02 +05:30
#
# Validations
#
2017-08-17 22:00:37 +05:30
# Note: devise :validatable above adds validations for :email and :password
2020-03-13 15:44:24 +05:30
validates :name, presence: true, length: { maximum: 255 }
validates :first_name, length: { maximum: 127 }
validates :last_name, length: { maximum: 127 }
2017-08-17 22:00:37 +05:30
validates :email, confirmation: true
validates :notification_email, presence: true
2019-07-07 11:18:12 +05:30
validates :notification_email, devise_email: true, if: ->(user) { user.notification_email != user.email }
validates :public_email, presence: true, uniqueness: true, devise_email: true, allow_blank: true
validates :commit_email, devise_email: true, allow_nil: true, if: ->(user) { user.commit_email != user.email }
2017-08-17 22:00:37 +05:30
validates :projects_limit,
presence: true,
numericality: { greater_than_or_equal_to: 0, less_than_or_equal_to: Gitlab::Database::MAX_INT_VALUE }
2018-03-17 18:26:18 +05:30
validates :username, presence: true
validates :namespace, presence: true
validate :namespace_move_dir_allowed, if: :username_changed?
2014-09-02 18:07:02 +05:30
2017-09-10 17:25:29 +05:30
validate :unique_email, if: :email_changed?
validate :owns_notification_email, if: :notification_email_changed?
validate :owns_public_email, if: :public_email_changed?
2018-12-05 23:21:45 +05:30
validate :owns_commit_email, if: :commit_email_changed?
2017-08-17 22:00:37 +05:30
validate :signup_domain_valid?, on: :create, if: ->(user) { !user.created_by_id }
2020-04-08 14:13:33 +05:30
validate :check_email_restrictions, on: :create, if: ->(user) { !user.created_by_id }
2014-09-02 18:07:02 +05:30
2020-03-13 15:44:24 +05:30
validates :theme_id, allow_nil: true, inclusion: { in: Gitlab::Themes.valid_ids,
message: _("%{placeholder} is not a valid theme") % { placeholder: '%{value}' } }
validates :color_scheme_id, allow_nil: true, inclusion: { in: Gitlab::ColorSchemes.valid_ids,
message: _("%{placeholder} is not a valid color scheme") % { placeholder: '%{value}' } }
2014-09-02 18:07:02 +05:30
before_validation :sanitize_attrs
2018-11-08 19:23:39 +05:30
before_validation :set_notification_email, if: :new_record?
2017-09-10 17:25:29 +05:30
before_validation :set_public_email, if: :public_email_changed?
2018-12-05 23:21:45 +05:30
before_validation :set_commit_email, if: :commit_email_changed?
2019-09-30 21:07:59 +05:30
before_save :default_private_profile_to_false
2018-05-09 12:01:36 +05:30
before_save :set_public_email, if: :public_email_changed? # in case validation is skipped
2018-12-05 23:21:45 +05:30
before_save :set_commit_email, if: :commit_email_changed? # in case validation is skipped
2018-03-17 18:26:18 +05:30
before_save :ensure_incoming_email_token
before_save :ensure_user_rights_and_limits, if: ->(user) { user.new_record? || user.external_changed? }
before_save :skip_reconfirmation!, if: ->(user) { user.email_changed? && user.read_only_attribute?(:email) }
before_save :check_for_verified_email, if: ->(user) { user.email_changed? && !user.new_record? }
before_validation :ensure_namespace_correct
2018-05-09 12:01:36 +05:30
before_save :ensure_namespace_correct # in case validation is skipped
2018-03-17 18:26:18 +05:30
after_validation :set_username_errors
2019-07-31 22:56:46 +05:30
after_update :username_changed_hook, if: :saved_change_to_username?
2018-03-17 18:26:18 +05:30
after_destroy :post_destroy_hook
after_destroy :remove_key_cache
2018-11-08 19:23:39 +05:30
after_commit(on: :update) do
if previous_changes.key?('email')
# Grab previous_email here since previous_changes changes after
# #update_emails_with_primary_email and #update_notification_email are called
2020-05-30 21:06:31 +05:30
previous_confirmed_at = previous_changes.key?('confirmed_at') ? previous_changes['confirmed_at'][0] : confirmed_at
2018-11-08 19:23:39 +05:30
previous_email = previous_changes[:email][0]
2020-05-30 21:06:31 +05:30
update_emails_with_primary_email(previous_confirmed_at, previous_email)
2018-11-08 19:23:39 +05:30
update_invalid_gpg_signatures
if previous_email == notification_email
self.notification_email = email
save
end
end
end
2018-03-17 18:26:18 +05:30
2015-04-26 12:48:37 +05:30
after_initialize :set_projects_limit
2014-09-02 18:07:02 +05:30
2015-10-24 18:46:33 +05:30
# User's Layout preference
2020-03-13 15:44:24 +05:30
enum layout: { fixed: 0, fluid: 1 }
2015-10-24 18:46:33 +05:30
2015-09-11 14:41:01 +05:30
# User's Dashboard preference
2021-04-17 20:07:23 +05:30
enum dashboard: { projects: 0, stars: 1, project_activity: 2, starred_project_activity: 3, groups: 4, todos: 5, issues: 6, merge_requests: 7, operations: 8, followed_user_activity: 9 }
2015-09-11 14:41:01 +05:30
# User's Project preference
2020-03-13 15:44:24 +05:30
enum project_view: { readme: 0, activity: 1, files: 2 }
2014-09-02 18:07:02 +05:30
2019-12-21 20:55:43 +05:30
# User's role
2020-03-13 15:44:24 +05:30
enum role: { software_developer: 0, development_team_lead: 1, devops_engineer: 2, systems_administrator: 3, security_analyst: 4, data_analyst: 5, product_manager: 6, product_designer: 7, other: 8 }, _suffix: true
2019-12-21 20:55:43 +05:30
2020-06-23 00:09:42 +05:30
delegate :notes_filter_for,
:set_notes_filter,
:first_day_of_week, :first_day_of_week=,
:timezone, :timezone=,
:time_display_relative, :time_display_relative=,
:time_format_in_24h, :time_format_in_24h=,
:show_whitespace_in_diffs, :show_whitespace_in_diffs=,
2020-07-28 23:09:34 +05:30
:view_diffs_file_by_file, :view_diffs_file_by_file=,
2020-06-23 00:09:42 +05:30
:tab_width, :tab_width=,
:sourcegraph_enabled, :sourcegraph_enabled=,
2020-11-24 15:15:51 +05:30
:gitpod_enabled, :gitpod_enabled=,
2020-06-23 00:09:42 +05:30
:setup_for_company, :setup_for_company=,
:render_whitespace_in_code, :render_whitespace_in_code=,
:experience_level, :experience_level=,
2021-04-17 20:07:23 +05:30
:markdown_surround_selection, :markdown_surround_selection=,
2020-06-23 00:09:42 +05:30
to: :user_preference
2014-09-02 18:07:02 +05:30
delegate :path, to: :namespace, allow_nil: true, prefix: true
2020-04-08 14:13:33 +05:30
delegate :job_title, :job_title=, to: :user_detail, allow_nil: true
2021-02-22 17:27:13 +05:30
delegate :other_role, :other_role=, to: :user_detail, allow_nil: true
2020-07-28 23:09:34 +05:30
delegate :bio, :bio=, :bio_html, to: :user_detail, allow_nil: true
2020-11-24 15:15:51 +05:30
delegate :webauthn_xid, :webauthn_xid=, to: :user_detail, allow_nil: true
2019-03-02 22:35:43 +05:30
accepts_nested_attributes_for :user_preference, update_only: true
2020-04-08 14:13:33 +05:30
accepts_nested_attributes_for :user_detail, update_only: true
2014-09-02 18:07:02 +05:30
state_machine :state, initial: :active do
event :block do
transition active: :blocked
2019-12-21 20:55:43 +05:30
transition deactivated: :blocked
transition ldap_blocked: :blocked
2021-01-03 14:25:43 +05:30
transition blocked_pending_approval: :blocked
end
event :ldap_block do
transition active: :ldap_blocked
2019-12-21 20:55:43 +05:30
transition deactivated: :ldap_blocked
2014-09-02 18:07:02 +05:30
end
event :activate do
2019-12-21 20:55:43 +05:30
transition deactivated: :active
2014-09-02 18:07:02 +05:30
transition blocked: :active
transition ldap_blocked: :active
2021-01-03 14:25:43 +05:30
transition blocked_pending_approval: :active
end
event :block_pending_approval do
transition active: :blocked_pending_approval
end
2019-12-21 20:55:43 +05:30
event :deactivate do
transition active: :deactivated
end
2021-01-03 14:25:43 +05:30
state :blocked, :ldap_blocked, :blocked_pending_approval do
def blocked?
true
end
2014-09-02 18:07:02 +05:30
end
2019-09-30 23:59:55 +05:30
2020-03-13 15:44:24 +05:30
before_transition do
!Gitlab::Database.read_only?
end
2019-09-30 23:59:55 +05:30
# rubocop: disable CodeReuse/ServiceClass
# Ideally we should not call a service object here but user.block
# is also bcalled by Users::MigrateToGhostUserService which references
# this state transition object in order to do a rollback.
# For this reason the tradeoff is to disable this cop.
after_transition any => :blocked do |user|
Ci::CancelUserPipelinesService.new.execute(user)
end
# rubocop: enable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
end
# Scopes
2015-09-11 14:41:01 +05:30
scope :admins, -> { where(admin: true) }
2021-01-29 00:20:46 +05:30
scope :instance_access_request_approvers_to_be_notified, -> { admins.active.order_recent_sign_in.limit(INSTANCE_ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT) }
scope :blocked, -> { with_states(:blocked, :ldap_blocked) }
2021-01-03 14:25:43 +05:30
scope :blocked_pending_approval, -> { with_states(:blocked_pending_approval) }
2016-06-02 11:05:42 +05:30
scope :external, -> { where(external: true) }
2021-04-17 20:07:23 +05:30
scope :non_external, -> { where(external: false) }
2020-05-24 23:13:21 +05:30
scope :confirmed, -> { where.not(confirmed_at: nil) }
2017-08-17 22:00:37 +05:30
scope :active, -> { with_state(:active).non_internal }
2020-03-13 15:44:24 +05:30
scope :active_without_ghosts, -> { with_state(:active).without_ghosts }
2019-12-21 20:55:43 +05:30
scope :deactivated, -> { with_state(:deactivated).non_internal }
2018-11-08 19:23:39 +05:30
scope :without_projects, -> { joins('LEFT JOIN project_authorizations ON users.id = project_authorizations.user_id').where(project_authorizations: { user_id: nil }) }
2018-12-13 13:39:08 +05:30
scope :by_username, -> (usernames) { iwhere(username: Array(usernames).map(&:to_s)) }
2021-01-29 00:20:46 +05:30
scope :by_name, -> (names) { iwhere(name: Array(names)) }
scope :by_user_email, -> (emails) { iwhere(email: Array(emails)) }
scope :by_emails, -> (emails) { joins(:emails).where(emails: { email: Array(emails).map(&:downcase) }) }
2018-12-13 13:39:08 +05:30
scope :for_todos, -> (todos) { where(id: todos.select(:user_id)) }
2019-07-07 11:18:12 +05:30
scope :with_emails, -> { preload(:emails) }
scope :with_dashboard, -> (dashboard) { where(dashboard: dashboard) }
2019-10-12 21:52:04 +05:30
scope :with_public_profile, -> { where(private_profile: false) }
2020-01-01 13:55:28 +05:30
scope :with_expiring_and_not_notified_personal_access_tokens, ->(at) do
where('EXISTS (?)',
::PersonalAccessToken
.where('personal_access_tokens.user_id = users.id')
2020-06-23 00:09:42 +05:30
.without_impersonation
2020-01-01 13:55:28 +05:30
.expiring_and_not_notified(at).select(1))
end
2020-10-24 23:57:45 +05:30
scope :with_personal_access_tokens_expired_today, -> do
where('EXISTS (?)',
::PersonalAccessToken
.select(1)
.where('personal_access_tokens.user_id = users.id')
.without_impersonation
.expired_today_and_not_notified)
end
2020-05-24 23:13:21 +05:30
scope :order_recent_sign_in, -> { reorder(Gitlab::Database.nulls_last_order('current_sign_in_at', 'DESC')) }
scope :order_oldest_sign_in, -> { reorder(Gitlab::Database.nulls_last_order('current_sign_in_at', 'ASC')) }
scope :order_recent_last_activity, -> { reorder(Gitlab::Database.nulls_last_order('last_activity_on', 'DESC')) }
scope :order_oldest_last_activity, -> { reorder(Gitlab::Database.nulls_first_order('last_activity_on', 'ASC')) }
2020-09-03 11:15:55 +05:30
scope :by_id_and_login, ->(id, login) { where(id: id).where('username = LOWER(:login) OR email = LOWER(:login)', login: login) }
2020-01-01 13:55:28 +05:30
2020-10-24 23:57:45 +05:30
def preferred_language
read_attribute('preferred_language') ||
I18n.default_locale.to_s.presence_in(Gitlab::I18n::AVAILABLE_LANGUAGES.keys) ||
'en'
end
2020-04-22 19:07:51 +05:30
def active_for_authentication?
super && can?(:log_in)
end
2021-01-03 14:25:43 +05:30
# The messages for these keys are defined in `devise.en.yml`
2020-04-22 19:07:51 +05:30
def inactive_message
2021-01-03 14:25:43 +05:30
if blocked_pending_approval?
:blocked_pending_approval
elsif blocked?
:blocked
2020-04-22 19:07:51 +05:30
elsif internal?
2021-01-03 14:25:43 +05:30
:forbidden
2020-04-22 19:07:51 +05:30
else
super
end
end
2019-10-12 21:52:04 +05:30
def self.with_visible_profile(user)
return with_public_profile if user.nil?
if user.admin?
all
else
with_public_profile.or(where(id: user.id))
end
end
2018-11-20 20:47:30 +05:30
# Limits the users to those that have TODOs, optionally in the given state.
#
# user - The user to get the todos for.
#
# with_todos - If we should limit the result set to users that are the
# authors of todos.
#
# todo_state - An optional state to require the todos to be in.
def self.limit_to_todo_authors(user: nil, with_todos: false, todo_state: nil)
if user && with_todos
where(id: Todo.where(user: user, state: todo_state).select(:author_id))
else
all
end
end
# Returns a relation that optionally includes the given user.
#
# user_id - The ID of the user to include.
def self.union_with_user(user_id = nil)
if user_id.present?
# We use "unscoped" here so that any inner conditions are not repeated for
# the outer query, which would be redundant.
2018-12-05 23:21:45 +05:30
User.unscoped.from_union([all, User.unscoped.where(id: user_id)])
2018-11-20 20:47:30 +05:30
else
all
end
2018-11-08 19:23:39 +05:30
end
def self.with_two_factor
2018-11-20 20:47:30 +05:30
with_u2f_registrations = <<-SQL
EXISTS (
SELECT *
FROM u2f_registrations AS u2f
WHERE u2f.user_id = users.id
) OR users.otp_required_for_login = ?
2020-11-24 15:15:51 +05:30
OR
EXISTS (
SELECT *
FROM webauthn_registrations AS webauthn
WHERE webauthn.user_id = users.id
)
2018-11-20 20:47:30 +05:30
SQL
where(with_u2f_registrations, true)
end
def self.without_two_factor
2020-11-24 15:15:51 +05:30
joins("LEFT OUTER JOIN u2f_registrations AS u2f ON u2f.user_id = users.id
LEFT OUTER JOIN webauthn_registrations AS webauthn ON webauthn.user_id = users.id")
.where("u2f.id IS NULL AND webauthn.id IS NULL AND users.otp_required_for_login = ?", false)
end
2014-09-02 18:07:02 +05:30
#
# Class methods
#
class << self
2020-01-01 13:55:28 +05:30
# Devise method overridden to allow support for dynamic password lengths
def password_length
Gitlab::CurrentSettings.minimum_password_length..Devise.password_length.max
end
2020-03-13 15:44:24 +05:30
# Generate a random password that conforms to the current password length settings
def random_password
Devise.friendly_token(password_length.max)
end
2014-09-02 18:07:02 +05:30
# Devise method overridden to allow sign in with email or username
def find_for_database_authentication(warden_conditions)
conditions = warden_conditions.dup
if login = conditions.delete(:login)
2018-03-27 19:54:05 +05:30
where(conditions).find_by("lower(username) = :value OR lower(email) = :value", value: login.downcase.strip)
2014-09-02 18:07:02 +05:30
else
2015-12-23 02:04:40 +05:30
find_by(conditions)
2014-09-02 18:07:02 +05:30
end
end
2018-05-09 12:01:36 +05:30
def sort_by_attribute(method)
2018-03-17 18:26:18 +05:30
order_method = method || 'id_desc'
case order_method.to_s
2017-08-17 22:00:37 +05:30
when 'recent_sign_in' then order_recent_sign_in
when 'oldest_sign_in' then order_oldest_sign_in
2019-03-02 22:35:43 +05:30
when 'last_activity_on_desc' then order_recent_last_activity
when 'last_activity_on_asc' then order_oldest_last_activity
2015-04-26 12:48:37 +05:30
else
2018-03-17 18:26:18 +05:30
order_by(order_method)
2015-04-26 12:48:37 +05:30
end
end
2018-03-17 18:26:18 +05:30
def for_github_id(id)
joins(:identities).merge(Identity.with_extern_uid(:github, id))
end
2015-09-11 14:41:01 +05:30
# Find a User by their primary email or any associated secondary email
2018-11-18 11:00:15 +05:30
def find_by_any_email(email, confirmed: false)
2018-12-13 13:39:08 +05:30
return unless email
2019-02-15 15:39:39 +05:30
by_any_email(email, confirmed: confirmed).take
2019-01-03 12:48:30 +05:30
end
2015-11-26 14:37:03 +05:30
2019-02-15 15:39:39 +05:30
# Returns a relation containing all the users for the given email addresses
#
# @param emails [String, Array<String>] email addresses to check
# @param confirmed [Boolean] Only return users where the email is confirmed
def by_any_email(emails, confirmed: false)
2021-01-29 00:20:46 +05:30
from_users = by_user_email(emails)
2019-02-15 15:39:39 +05:30
from_users = from_users.confirmed if confirmed
2021-01-29 00:20:46 +05:30
from_emails = by_emails(emails)
2019-02-15 15:39:39 +05:30
from_emails = from_emails.confirmed.merge(Email.confirmed) if confirmed
2018-12-23 12:14:25 +05:30
2019-02-15 15:39:39 +05:30
items = [from_users, from_emails]
2018-12-23 12:14:25 +05:30
2021-01-29 00:20:46 +05:30
user_ids = Gitlab::PrivateCommitEmail.user_ids_for_emails(Array(emails).map(&:downcase))
2019-02-15 15:39:39 +05:30
items << where(id: user_ids) if user_ids.present?
from_union(items)
2014-09-02 18:07:02 +05:30
end
2018-12-13 13:39:08 +05:30
def find_by_private_commit_email(email)
user_id = Gitlab::PrivateCommitEmail.user_id_for_email(email)
find_by(id: user_id)
end
2019-07-07 11:18:12 +05:30
def filter_items(filter_name)
2014-09-02 18:07:02 +05:30
case filter_name
2015-09-11 14:41:01 +05:30
when 'admins'
2017-08-17 22:00:37 +05:30
admins
2015-09-11 14:41:01 +05:30
when 'blocked'
2017-08-17 22:00:37 +05:30
blocked
2021-01-03 14:25:43 +05:30
when 'blocked_pending_approval'
blocked_pending_approval
2015-09-11 14:41:01 +05:30
when 'two_factor_disabled'
2017-08-17 22:00:37 +05:30
without_two_factor
2015-09-11 14:41:01 +05:30
when 'two_factor_enabled'
2017-08-17 22:00:37 +05:30
with_two_factor
2015-09-11 14:41:01 +05:30
when 'wop'
2017-08-17 22:00:37 +05:30
without_projects
2016-06-02 11:05:42 +05:30
when 'external'
2017-08-17 22:00:37 +05:30
external
2019-12-21 20:55:43 +05:30
when 'deactivated'
deactivated
2014-09-02 18:07:02 +05:30
else
2020-03-13 15:44:24 +05:30
active_without_ghosts
2014-09-02 18:07:02 +05:30
end
end
2016-06-02 11:05:42 +05:30
# Searches users matching the given query.
#
2020-06-23 00:09:42 +05:30
# This method uses ILIKE on PostgreSQL.
2016-06-02 11:05:42 +05:30
#
# query - The search query as a String
#
# Returns an ActiveRecord::Relation.
2020-04-22 19:07:51 +05:30
def search(query, **options)
2019-12-21 20:55:43 +05:30
query = query&.delete_prefix('@')
2018-03-17 18:26:18 +05:30
return none if query.blank?
query = query.downcase
2016-06-02 11:05:42 +05:30
2017-09-10 17:25:29 +05:30
order = <<~SQL
CASE
2019-10-12 21:52:04 +05:30
WHEN users.name = :query THEN 0
WHEN users.username = :query THEN 1
WHEN users.email = :query THEN 2
2017-09-10 17:25:29 +05:30
ELSE 3
END
SQL
2019-10-12 21:52:04 +05:30
sanitized_order_sql = Arel.sql(sanitize_sql_array([order, query: query]))
2021-02-22 17:27:13 +05:30
search_with_secondary_emails(query).reorder(sanitized_order_sql, :name)
2014-09-02 18:07:02 +05:30
end
2018-11-20 20:47:30 +05:30
# Limits the result set to users _not_ in the given query/list of IDs.
#
# users - The list of users to ignore. This can be an
# `ActiveRecord::Relation`, or an Array.
def where_not_in(users = nil)
users ? where.not(id: users) : all
end
def reorder_by_name
reorder(:name)
end
2021-02-22 17:27:13 +05:30
def search_without_secondary_emails(query)
return none if query.blank?
query = query.downcase
where(
fuzzy_arel_match(:name, query, lower_exact_match: true)
.or(fuzzy_arel_match(:username, query, lower_exact_match: true))
.or(arel_table[:email].eq(query))
)
end
2017-08-17 22:00:37 +05:30
# searches user by given pattern
# it compares name, email, username fields and user's secondary emails with given pattern
2020-06-23 00:09:42 +05:30
# This method uses ILIKE on PostgreSQL.
2017-08-17 22:00:37 +05:30
def search_with_secondary_emails(query)
2018-03-17 18:26:18 +05:30
return none if query.blank?
query = query.downcase
2017-08-17 22:00:37 +05:30
email_table = Email.arel_table
2021-02-22 17:27:13 +05:30
matched_by_email_user_id = email_table
2018-03-17 18:26:18 +05:30
.project(email_table[:user_id])
.where(email_table[:email].eq(query))
2021-02-22 17:27:13 +05:30
.take(1) # at most 1 record as there is a unique constraint
2017-08-17 22:00:37 +05:30
where(
2018-03-17 18:26:18 +05:30
fuzzy_arel_match(:name, query)
.or(fuzzy_arel_match(:username, query))
.or(arel_table[:email].eq(query))
2021-02-22 17:27:13 +05:30
.or(arel_table[:id].eq(matched_by_email_user_id))
2017-08-17 22:00:37 +05:30
)
end
2015-04-26 12:48:37 +05:30
def by_login(login)
2019-07-07 11:18:12 +05:30
return unless login
2015-10-24 18:46:33 +05:30
2019-12-04 20:38:33 +05:30
if login.include?('@')
2015-10-24 18:46:33 +05:30
unscoped.iwhere(email: login).take
else
unscoped.iwhere(username: login).take
end
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
def find_by_username(username)
2018-11-20 20:47:30 +05:30
by_username(username).take
2017-08-17 22:00:37 +05:30
end
2015-09-11 14:41:01 +05:30
def find_by_username!(username)
2018-11-20 20:47:30 +05:30
by_username(username).take!
2015-09-11 14:41:01 +05:30
end
2016-11-03 12:29:30 +05:30
# Returns a user for the given SSH key.
def find_by_ssh_key_id(key_id)
2019-12-21 20:55:43 +05:30
find_by('EXISTS (?)', Key.select(1).where('keys.user_id = users.id').where(id: key_id))
2016-11-03 12:29:30 +05:30
end
2017-08-17 22:00:37 +05:30
def find_by_full_path(path, follow_redirects: false)
namespace = Namespace.for_user.find_by_full_path(path, follow_redirects: follow_redirects)
namespace&.owner
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
def reference_prefix
'@'
end
# Pattern used to extract `@user` user references from text
def reference_pattern
2020-07-28 23:09:34 +05:30
@reference_pattern ||=
%r{
(?<!\w)
#{Regexp.escape(reference_prefix)}
(?<user>#{Gitlab::PathRegex::FULL_NAMESPACE_FORMAT_REGEX})
}x
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
# Return (create if necessary) the ghost user. The ghost user
# owns records previously belonging to deleted users.
def ghost
2017-09-10 17:25:29 +05:30
email = 'ghost%s@example.com'
2020-05-24 23:13:21 +05:30
unique_internal(where(user_type: :ghost), 'ghost', email) do |u|
2019-07-31 22:56:46 +05:30
u.bio = _('This is a "Ghost User", created to hold all issues authored by users that have since been deleted. This user cannot be removed.')
2017-08-17 22:00:37 +05:30
u.name = 'Ghost User'
end
end
2018-11-20 20:47:30 +05:30
2020-03-13 15:44:24 +05:30
def alert_bot
email_pattern = "alert%s@#{Settings.gitlab.host}"
2020-04-22 19:07:51 +05:30
unique_internal(where(user_type: :alert_bot), 'alert-bot', email_pattern) do |u|
2020-03-13 15:44:24 +05:30
u.bio = 'The GitLab alert bot'
u.name = 'GitLab Alert Bot'
2020-07-28 23:09:34 +05:30
u.avatar = bot_avatar(image: 'alert-bot.png')
2020-03-13 15:44:24 +05:30
end
end
2020-05-24 23:13:21 +05:30
def migration_bot
email_pattern = "noreply+gitlab-migration-bot%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :migration_bot), 'migration-bot', email_pattern) do |u|
u.bio = 'The GitLab migration bot'
u.name = 'GitLab Migration Bot'
u.confirmed_at = Time.zone.now
end
end
2021-01-03 14:25:43 +05:30
def security_bot
email_pattern = "security-bot%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :security_bot), 'GitLab-Security-Bot', email_pattern) do |u|
u.bio = 'System bot that monitors detected vulnerabilities for solutions and creates merge requests with the fixes.'
u.name = 'GitLab Security Bot'
u.website_url = Gitlab::Routing.url_helpers.help_page_url('user/application_security/security_bot/index.md')
u.avatar = bot_avatar(image: 'security-bot.png')
2021-02-22 17:27:13 +05:30
u.confirmed_at = Time.zone.now
2021-01-03 14:25:43 +05:30
end
end
2020-07-28 23:09:34 +05:30
def support_bot
email_pattern = "support%s@#{Settings.gitlab.host}"
unique_internal(where(user_type: :support_bot), 'support-bot', email_pattern) do |u|
u.bio = 'The GitLab support bot used for Service Desk'
u.name = 'GitLab Support Bot'
u.avatar = bot_avatar(image: 'support-bot.png')
end
end
2018-11-20 20:47:30 +05:30
# Return true if there is only single non-internal user in the deployment,
# ghost user is ignored.
def single_user?
User.non_internal.limit(2).count == 1
end
def single_user
User.non_internal.first if single_user?
end
2017-08-17 22:00:37 +05:30
end
2014-09-02 18:07:02 +05:30
#
# Instance methods
#
2020-05-24 23:13:21 +05:30
def full_path
username
end
2014-09-02 18:07:02 +05:30
def to_param
username
end
2018-03-17 18:26:18 +05:30
def to_reference(_from = nil, target_project: nil, full: nil)
2015-09-11 14:41:01 +05:30
"#{self.class.reference_prefix}#{username}"
end
2017-08-17 22:00:37 +05:30
def skip_confirmation=(bool)
skip_confirmation! if bool
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def skip_reconfirmation=(bool)
skip_reconfirmation! if bool
end
2014-09-02 18:07:02 +05:30
def generate_reset_token
@reset_token, enc = Devise.token_generator.generate(self.class, :reset_password_token)
self.reset_password_token = enc
2020-06-23 00:09:42 +05:30
self.reset_password_sent_at = Time.current.utc
2014-09-02 18:07:02 +05:30
@reset_token
end
2015-10-24 18:46:33 +05:30
def recently_sent_password_reset?
reset_password_sent_at.present? && reset_password_sent_at >= 1.minute.ago
end
2018-03-17 18:26:18 +05:30
def remember_me!
super if ::Gitlab::Database.read_write?
end
def forget_me!
super if ::Gitlab::Database.read_write?
end
2015-09-11 14:41:01 +05:30
def disable_two_factor!
transaction do
2018-11-18 11:00:15 +05:30
update(
otp_required_for_login: false,
encrypted_otp_secret: nil,
encrypted_otp_secret_iv: nil,
encrypted_otp_secret_salt: nil,
otp_grace_period_started_at: nil,
otp_backup_codes: nil
)
2020-06-23 00:09:42 +05:30
self.u2f_registrations.destroy_all # rubocop: disable Cop/DestroyAll
2020-11-24 15:15:51 +05:30
self.webauthn_registrations.destroy_all # rubocop: disable Cop/DestroyAll
end
end
def two_factor_enabled?
2020-11-24 15:15:51 +05:30
two_factor_otp_enabled? || two_factor_webauthn_u2f_enabled?
end
def two_factor_otp_enabled?
2021-02-22 17:27:13 +05:30
otp_required_for_login? ||
forti_authenticator_enabled?(self) ||
forti_token_cloud_enabled?(self)
end
def two_factor_u2f_enabled?
2018-03-17 18:26:18 +05:30
if u2f_registrations.loaded?
u2f_registrations.any?
else
u2f_registrations.exists?
2014-09-02 18:07:02 +05:30
end
end
2020-11-24 15:15:51 +05:30
def two_factor_webauthn_u2f_enabled?
two_factor_u2f_enabled? || two_factor_webauthn_enabled?
end
def two_factor_webauthn_enabled?
return false unless Feature.enabled?(:webauthn)
(webauthn_registrations.loaded? && webauthn_registrations.any?) || (!webauthn_registrations.loaded? && webauthn_registrations.exists?)
end
2018-03-17 18:26:18 +05:30
def namespace_move_dir_allowed
if namespace&.any_project_has_container_registry_tags?
2019-07-31 22:56:46 +05:30
errors.add(:username, _('cannot be changed if a personal project has container registry tags.'))
2014-09-02 18:07:02 +05:30
end
end
2019-09-04 21:01:54 +05:30
# will_save_change_to_attribute? is used by Devise to check if it is necessary
# to clear any existing reset_password_tokens before updating an authentication_key
# and login in our case is a virtual attribute to allow login by username or email.
def will_save_change_to_login?
will_save_change_to_username? || will_save_change_to_email?
end
2014-09-02 18:07:02 +05:30
def unique_email
2017-08-17 22:00:37 +05:30
if !emails.exists?(email: email) && Email.exists?(email: email)
2019-07-31 22:56:46 +05:30
errors.add(:email, _('has already been taken'))
2015-09-11 14:41:01 +05:30
end
2014-09-02 18:07:02 +05:30
end
2015-04-26 12:48:37 +05:30
def owns_notification_email
2020-05-30 21:06:31 +05:30
return if new_record? || temp_oauth_email?
2016-06-02 11:05:42 +05:30
2020-05-30 21:06:31 +05:30
errors.add(:notification_email, _("is not an email you own")) unless verified_emails.include?(notification_email)
2015-04-26 12:48:37 +05:30
end
2015-09-11 14:41:01 +05:30
def owns_public_email
2017-08-17 22:00:37 +05:30
return if public_email.blank?
2015-09-11 14:41:01 +05:30
2020-05-30 21:06:31 +05:30
errors.add(:public_email, _("is not an email you own")) unless verified_emails.include?(public_email)
2015-09-11 14:41:01 +05:30
end
2018-12-05 23:21:45 +05:30
def owns_commit_email
return if read_attribute(:commit_email).blank?
2019-07-31 22:56:46 +05:30
errors.add(:commit_email, _("is not an email you own")) unless verified_emails.include?(commit_email)
2018-12-05 23:21:45 +05:30
end
# Define commit_email-related attribute methods explicitly instead of relying
# on ActiveRecord to provide them. Some of the specs use the current state of
# the model code but an older database schema, so we need to guard against the
# possibility of the commit_email column not existing.
def commit_email
return self.email unless has_attribute?(:commit_email)
2018-12-13 13:39:08 +05:30
if super == Gitlab::PrivateCommitEmail::TOKEN
return private_commit_email
end
2018-12-05 23:21:45 +05:30
# The commit email is the same as the primary email if undefined
super.presence || self.email
end
def commit_email=(email)
super if has_attribute?(:commit_email)
end
def commit_email_changed?
has_attribute?(:commit_email) && super
end
2018-12-13 13:39:08 +05:30
def private_commit_email
Gitlab::PrivateCommitEmail.for_user(self)
end
2018-03-17 18:26:18 +05:30
# see if the new email is already a verified secondary email
def check_for_verified_email
skip_reconfirmation! if emails.confirmed.where(email: self.email).any?
end
# Note: the use of the Emails services will cause `saves` on the user object, running
# through the callbacks again and can have side effects, such as the `previous_changes`
# hash and `_was` variables getting munged.
# By using an `after_commit` instead of `after_update`, we avoid the recursive callback
# scenario, though it then requires us to use the `previous_changes` hash
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2020-05-30 21:06:31 +05:30
def update_emails_with_primary_email(previous_confirmed_at, previous_email)
2017-08-17 22:00:37 +05:30
primary_email_record = emails.find_by(email: email)
2018-03-17 18:26:18 +05:30
Emails::DestroyService.new(self, user: self).execute(primary_email_record) if primary_email_record
# the original primary email was confirmed, and we want that to carry over. We don't
# have access to the original confirmation values at this point, so just set confirmed_at
2020-05-30 21:06:31 +05:30
Emails::CreateService.new(self, user: self, email: previous_email).execute(confirmed_at: previous_confirmed_at)
update_columns(confirmed_at: primary_email_record.confirmed_at) if primary_email_record&.confirmed_at
2015-09-11 14:41:01 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2015-09-11 14:41:01 +05:30
2017-09-10 17:25:29 +05:30
def update_invalid_gpg_signatures
gpg_keys.each(&:update_invalid_gpg_signatures)
end
2018-03-27 19:54:05 +05:30
# Returns the groups a user has access to, either through a membership or a project authorization
2014-09-02 18:07:02 +05:30
def authorized_groups
2018-11-08 19:23:39 +05:30
Group.unscoped do
2021-04-17 20:07:23 +05:30
authorized_groups_with_shared_membership
2018-11-08 19:23:39 +05:30
end
2015-11-26 14:37:03 +05:30
end
2014-09-02 18:07:02 +05:30
2018-03-27 19:54:05 +05:30
# Returns the groups a user is a member of, either directly or through a parent group
def membership_groups
2019-02-15 15:39:39 +05:30
Gitlab::ObjectHierarchy.new(groups).base_and_descendants
2018-03-27 19:54:05 +05:30
end
2017-09-10 17:25:29 +05:30
# Returns a relation of groups the user has access to, including their parent
# and child groups (recursively).
2017-08-17 22:00:37 +05:30
def all_expanded_groups
2019-02-15 15:39:39 +05:30
Gitlab::ObjectHierarchy.new(groups).all_objects
2017-08-17 22:00:37 +05:30
end
def expanded_groups_requiring_two_factor_authentication
all_expanded_groups.where(require_two_factor_authentication: true)
end
2020-09-03 11:15:55 +05:30
def source_groups_of_two_factor_authentication_requirement
Gitlab::ObjectHierarchy.new(expanded_groups_requiring_two_factor_authentication)
.all_objects
.where(id: groups)
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2021-03-11 19:13:27 +05:30
def refresh_authorized_projects(source: nil)
Users::RefreshAuthorizedProjectsService.new(self, source: source).execute
2017-08-17 22:00:37 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2017-08-17 22:00:37 +05:30
def remove_project_authorizations(project_ids)
project_authorizations.where(project_id: project_ids).delete_all
end
def authorized_projects(min_access_level = nil)
2017-09-10 17:25:29 +05:30
# We're overriding an association, so explicitly call super with no
# arguments or it would be passed as `force_reload` to the association
2017-08-17 22:00:37 +05:30
projects = super()
2017-09-10 17:25:29 +05:30
if min_access_level
projects = projects
.where('project_authorizations.access_level >= ?', min_access_level)
end
2017-08-17 22:00:37 +05:30
projects
end
def authorized_project?(project, min_access_level = nil)
authorized_projects(min_access_level).exists?({ id: project.id })
end
2018-03-17 18:26:18 +05:30
# Typically used in conjunction with projects table to get projects
# a user has been given access to.
2019-07-07 11:18:12 +05:30
# The param `related_project_column` is the column to compare to the
# project_authorizations. By default is projects.id
2018-03-17 18:26:18 +05:30
#
# Example use:
# `Project.where('EXISTS(?)', user.authorizations_for_projects)`
2019-07-07 11:18:12 +05:30
def authorizations_for_projects(min_access_level: nil, related_project_column: 'projects.id')
authorizations = project_authorizations
.select(1)
.where("project_authorizations.project_id = #{related_project_column}")
2019-02-15 15:39:39 +05:30
return authorizations unless min_access_level.present?
authorizations.where('project_authorizations.access_level >= ?', min_access_level)
2018-03-17 18:26:18 +05:30
end
2017-08-17 22:00:37 +05:30
# Returns the projects this user has reporter (or greater) access to, limited
# to at most the given projects.
#
# This method is useful when you have a list of projects and want to
# efficiently check to which of these projects the user has at least reporter
# access.
def projects_with_reporter_access_limited_to(projects)
authorized_projects(Gitlab::Access::REPORTER).where(id: projects)
2014-09-02 18:07:02 +05:30
end
def owned_projects
2018-12-05 23:21:45 +05:30
@owned_projects ||= Project.from_union(
[
Project.where(namespace: namespace),
Project.joins(:project_authorizations)
.where("projects.namespace_id <> ?", namespace.id)
.where(project_authorizations: { user_id: id, access_level: Gitlab::Access::OWNER })
],
remove_duplicates: false
)
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
# Returns projects which user can admin issues on (for example to move an issue to that project).
#
# This logic is duplicated from `Ability#project_abilities` into a SQL form.
def projects_where_can_admin_issues
2016-09-29 09:46:39 +05:30
authorized_projects(Gitlab::Access::REPORTER).non_archived.with_issues_enabled
2016-09-13 17:45:13 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def require_ssh_key?
2018-03-17 18:26:18 +05:30
count = Users::KeysCountService.new(self).count
2020-10-24 23:57:45 +05:30
count == 0 && Gitlab::ProtocolAccess.allowed?('ssh')
2018-03-17 18:26:18 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def require_password_creation_for_web?
allow_password_authentication_for_web? && password_automatically_set?
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def require_password_creation_for_git?
allow_password_authentication_for_git? && password_automatically_set?
2017-09-10 17:25:29 +05:30
end
def require_personal_access_token_creation_for_git_auth?
2021-02-22 17:27:13 +05:30
return false if allow_password_authentication_for_git? || password_based_omniauth_user?
2017-09-10 17:25:29 +05:30
PersonalAccessTokensFinder.new(user: self, impersonation: false, state: 'active').execute.none?
end
2018-03-17 18:26:18 +05:30
def require_extra_setup_for_git_auth?
require_password_creation_for_git? || require_personal_access_token_creation_for_git_auth?
end
2017-09-10 17:25:29 +05:30
def allow_password_authentication?
2018-03-17 18:26:18 +05:30
allow_password_authentication_for_web? || allow_password_authentication_for_git?
end
def allow_password_authentication_for_web?
2020-06-23 00:09:42 +05:30
Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user?
2018-03-17 18:26:18 +05:30
end
def allow_password_authentication_for_git?
2021-02-22 17:27:13 +05:30
Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !password_based_omniauth_user?
2015-04-26 12:48:37 +05:30
end
2014-09-02 18:07:02 +05:30
def can_change_username?
gitlab_config.username_changing_enabled
end
def can_create_project?
projects_limit_left > 0
end
def can_create_group?
2017-08-17 22:00:37 +05:30
can?(:create_group)
2014-09-02 18:07:02 +05:30
end
def can_select_namespace?
several_namespaces? || admin
end
2017-08-17 22:00:37 +05:30
def can?(action, subject = :global)
2016-09-29 09:46:39 +05:30
Ability.allowed?(self, action, subject)
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def confirm_deletion_with_password?
!password_automatically_set? && allow_password_authentication?
end
2014-09-02 18:07:02 +05:30
def first_name
2019-12-04 20:38:33 +05:30
read_attribute(:first_name) || begin
name.split(' ').first unless name.blank?
end
end
def last_name
read_attribute(:last_name) || begin
name.split(' ').drop(1).join(' ') unless name.blank?
end
2014-09-02 18:07:02 +05:30
end
def projects_limit_left
2017-09-10 17:25:29 +05:30
projects_limit - personal_projects_count
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def recent_push(project = nil)
service = Users::LastPushEventService.new(self)
2014-09-02 18:07:02 +05:30
2018-03-17 18:26:18 +05:30
if project
service.last_event_for_project(project)
else
service.last_event_for_user
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def several_namespaces?
2019-07-07 11:18:12 +05:30
union_sql = ::Gitlab::SQL::Union.new(
[owned_groups,
maintainers_groups,
groups_with_developer_maintainer_project_access]).to_sql
::Group.from("(#{union_sql}) #{::Group.table_name}").any?
2014-09-02 18:07:02 +05:30
end
def namespace_id
namespace.try :id
end
def name_with_username
"#{name} (#{username})"
end
2015-04-26 12:48:37 +05:30
def already_forked?(project)
2014-09-02 18:07:02 +05:30
!!fork_of(project)
end
2015-04-26 12:48:37 +05:30
def fork_of(project)
2018-03-17 18:26:18 +05:30
namespace.find_fork_of(project)
2014-09-02 18:07:02 +05:30
end
2021-02-22 17:27:13 +05:30
def password_based_omniauth_user?
ldap_user? || crowd_user?
end
def crowd_user?
if identities.loaded?
identities.find { |identity| identity.provider == 'crowd' && identity.extern_uid.present? }
else
identities.with_any_extern_uid('crowd').exists?
end
end
2014-09-02 18:07:02 +05:30
def ldap_user?
2018-03-17 18:26:18 +05:30
if identities.loaded?
2018-03-27 19:54:05 +05:30
identities.find { |identity| Gitlab::Auth::OAuth::Provider.ldap_provider?(identity.provider) && !identity.extern_uid.nil? }
2018-03-17 18:26:18 +05:30
else
identities.exists?(["provider LIKE ? AND extern_uid IS NOT NULL", "ldap%"])
end
2015-04-26 12:48:37 +05:30
end
def ldap_identity
@ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
end
2020-01-01 13:55:28 +05:30
def matches_identity?(provider, extern_uid)
identities.where(provider: provider, extern_uid: extern_uid).exists?
end
2015-04-26 12:48:37 +05:30
def project_deploy_keys
2020-01-01 13:55:28 +05:30
@project_deploy_keys ||= DeployKey.in_projects(authorized_projects.select(:id)).distinct(:id)
2014-09-02 18:07:02 +05:30
end
2019-07-07 11:18:12 +05:30
def highest_role
2020-04-22 19:07:51 +05:30
user_highest_role&.highest_access_level || Gitlab::Access::NO_ACCESS
2019-07-07 11:18:12 +05:30
end
2014-09-02 18:07:02 +05:30
def accessible_deploy_keys
2019-10-12 21:52:04 +05:30
DeployKey.from_union([
DeployKey.where(id: project_deploy_keys.select(:deploy_key_id)),
DeployKey.are_public
])
2014-09-02 18:07:02 +05:30
end
def created_by
User.find_by(id: created_by_id) if created_by_id
end
def sanitize_attrs
2018-03-17 18:26:18 +05:30
%i[skype linkedin twitter].each do |attr|
value = self[attr]
self[attr] = Sanitize.clean(value) if value.present?
2014-09-02 18:07:02 +05:30
end
end
2015-04-26 12:48:37 +05:30
def set_notification_email
2018-11-08 19:23:39 +05:30
if notification_email.blank? || all_emails.exclude?(notification_email)
2017-08-17 22:00:37 +05:30
self.notification_email = email
2015-04-26 12:48:37 +05:30
end
end
def set_public_email
2018-11-08 19:23:39 +05:30
if public_email.blank? || all_emails.exclude?(public_email)
2015-04-26 12:48:37 +05:30
self.public_email = ''
end
end
2018-12-05 23:21:45 +05:30
def set_commit_email
if commit_email.blank? || verified_emails.exclude?(commit_email)
self.commit_email = nil
end
end
2015-09-11 14:41:01 +05:30
def update_secondary_emails!
2017-08-17 22:00:37 +05:30
set_notification_email
set_public_email
2018-12-05 23:21:45 +05:30
set_commit_email
save if notification_email_changed? || public_email_changed? || commit_email_changed?
2015-09-11 14:41:01 +05:30
end
2015-04-26 12:48:37 +05:30
def set_projects_limit
2016-11-03 12:29:30 +05:30
# `User.select(:id)` raises
# `ActiveModel::MissingAttributeError: missing attribute: projects_limit`
# without this safeguard!
2018-03-17 18:26:18 +05:30
return unless has_attribute?(:projects_limit) && projects_limit.nil?
2015-04-26 12:48:37 +05:30
2018-03-17 18:26:18 +05:30
self.projects_limit = Gitlab::CurrentSettings.default_projects_limit
2015-04-26 12:48:37 +05:30
end
2014-09-02 18:07:02 +05:30
def requires_ldap_check?
if !Gitlab.config.ldap.enabled
false
elsif ldap_user?
2020-06-23 00:09:42 +05:30
!last_credential_check_at || (last_credential_check_at + ldap_sync_time) < Time.current
2014-09-02 18:07:02 +05:30
else
false
end
end
2018-12-13 13:39:08 +05:30
def ldap_sync_time
# This number resides in this method so it can be redefined in EE.
1.hour
end
2016-04-02 18:10:28 +05:30
def try_obtain_ldap_lease
# After obtaining this lease LDAP checks will be blocked for 600 seconds
# (10 minutes) for this user.
lease = Gitlab::ExclusiveLease.new("user_ldap_check:#{id}", timeout: 600)
lease.try_obtain
end
2014-09-02 18:07:02 +05:30
def solo_owned_groups
2021-02-22 17:27:13 +05:30
@solo_owned_groups ||= owned_groups.includes(:owners).select do |group|
2014-09-02 18:07:02 +05:30
group.owners == [self]
end
end
def with_defaults
User.defaults.each do |k, v|
2018-03-17 18:26:18 +05:30
public_send("#{k}=", v) # rubocop:disable GitlabSecurity/PublicSend
2014-09-02 18:07:02 +05:30
end
self
end
def can_leave_project?(project)
project.namespace != namespace &&
project.project_member(self)
end
def full_website_url
2018-03-17 18:26:18 +05:30
return "http://#{website_url}" if website_url !~ %r{\Ahttps?://}
2014-09-02 18:07:02 +05:30
website_url
end
def short_website_url
2018-03-17 18:26:18 +05:30
website_url.sub(%r{\Ahttps?://}, '')
2014-09-02 18:07:02 +05:30
end
def all_ssh_keys
2015-09-11 14:41:01 +05:30
keys.map(&:publishable_key)
2014-09-02 18:07:02 +05:30
end
def temp_oauth_email?
2015-04-26 12:48:37 +05:30
email.start_with?('temp-email-for-oauth')
2014-09-02 18:07:02 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2017-09-10 17:25:29 +05:30
def avatar_url(size: nil, scale: 2, **args)
2018-03-17 18:26:18 +05:30
GravatarService.new.execute(email, size, scale, username: username)
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def primary_email_verified?
confirmed? && !temp_oauth_email?
2014-09-02 18:07:02 +05:30
end
2018-11-08 19:23:39 +05:30
def accept_pending_invitations!
pending_invitations.select do |member|
member.accept_invite!(self)
end
end
def pending_invitations
Member.where(invite_email: verified_emails).invite
end
2020-04-08 14:13:33 +05:30
def all_emails(include_private_email: true)
2016-01-29 22:53:50 +05:30
all_emails = []
2017-08-17 22:00:37 +05:30
all_emails << email unless temp_oauth_email?
2020-04-08 14:13:33 +05:30
all_emails << private_commit_email if include_private_email
2017-08-17 22:00:37 +05:30
all_emails.concat(emails.map(&:email))
2016-01-29 22:53:50 +05:30
all_emails
2015-04-26 12:48:37 +05:30
end
2020-05-30 21:06:31 +05:30
def verified_emails(include_private_email: true)
2018-03-17 18:26:18 +05:30
verified_emails = []
verified_emails << email if primary_email_verified?
2020-05-30 21:06:31 +05:30
verified_emails << private_commit_email if include_private_email
2018-03-17 18:26:18 +05:30
verified_emails.concat(emails.confirmed.pluck(:email))
verified_emails
end
2020-05-30 21:06:31 +05:30
def public_verified_emails
emails = verified_emails(include_private_email: false)
emails << email unless temp_oauth_email?
emails.uniq
end
2019-02-15 15:39:39 +05:30
def any_email?(check_email)
downcased = check_email.downcase
# handle the outdated private commit email case
return true if persisted? &&
id == Gitlab::PrivateCommitEmail.user_id_for_email(downcased)
all_emails.include?(check_email.downcase)
end
2018-03-17 18:26:18 +05:30
def verified_email?(check_email)
downcased = check_email.downcase
2018-12-13 13:39:08 +05:30
2019-02-15 15:39:39 +05:30
# handle the outdated private commit email case
return true if persisted? &&
id == Gitlab::PrivateCommitEmail.user_id_for_email(downcased)
2018-12-13 13:39:08 +05:30
2019-02-15 15:39:39 +05:30
verified_emails.include?(check_email.downcase)
2018-03-17 18:26:18 +05:30
end
2015-04-26 12:48:37 +05:30
def hook_attrs
{
2021-03-08 18:12:59 +05:30
id: id,
2015-04-26 12:48:37 +05:30
name: name,
username: username,
2020-03-13 15:44:24 +05:30
avatar_url: avatar_url(only_path: false),
email: email
2015-04-26 12:48:37 +05:30
}
end
2014-09-02 18:07:02 +05:30
def ensure_namespace_correct
2018-03-17 18:26:18 +05:30
if namespace
2019-09-30 21:07:59 +05:30
namespace.path = username if username_changed?
namespace.name = name if name_changed?
2018-03-17 18:26:18 +05:30
else
2020-07-28 23:09:34 +05:30
namespace = build_namespace(path: username, name: name)
namespace.build_namespace_settings
2014-09-02 18:07:02 +05:30
end
end
2018-03-17 18:26:18 +05:30
def set_username_errors
namespace_path_errors = self.errors.delete(:"namespace.path")
2021-03-08 18:12:59 +05:30
return unless namespace_path_errors&.any?
if namespace_path_errors.include?('has already been taken') && !User.exists?(username: username)
self.errors.add(:base, :username_exists_as_a_different_namespace)
else
self.errors[:username].concat(namespace_path_errors)
end
2018-03-17 18:26:18 +05:30
end
def username_changed_hook
system_hook_service.execute_hooks_for(self, :rename)
end
2014-09-02 18:07:02 +05:30
def post_destroy_hook
2017-08-17 22:00:37 +05:30
log_info("User \"#{name}\" (#{email}) was removed")
2018-03-17 18:26:18 +05:30
2014-09-02 18:07:02 +05:30
system_hook_service.execute_hooks_for(self, :destroy)
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
def remove_key_cache
Users::KeysCountService.new(self).delete_cache
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2018-03-17 18:26:18 +05:30
2017-09-10 17:25:29 +05:30
def delete_async(deleted_by:, params: {})
block if params[:hard_delete]
2018-10-15 14:42:47 +05:30
DeleteUserWorker.perform_async(deleted_by.id, id, params.to_h)
2017-09-10 17:25:29 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def notification_service
NotificationService.new
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
2015-04-26 12:48:37 +05:30
def log_info(message)
2014-09-02 18:07:02 +05:30
Gitlab::AppLogger.info message
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def system_hook_service
SystemHooksService.new
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2014-09-02 18:07:02 +05:30
def starred?(project)
2015-12-23 02:04:40 +05:30
starred_projects.exists?(project.id)
2014-09-02 18:07:02 +05:30
end
def toggle_star(project)
2015-11-26 14:37:03 +05:30
UsersStarProject.transaction do
2017-09-10 17:25:29 +05:30
user_star_project = users_star_projects
.where(project: project, user: self).lock(true).first
2015-11-26 14:37:03 +05:30
if user_star_project
user_star_project.destroy
else
UsersStarProject.create!(project: project, user: self)
end
2014-09-02 18:07:02 +05:30
end
end
2015-04-26 12:48:37 +05:30
2021-03-11 19:13:27 +05:30
def following?(user)
self.followees.exists?(user.id)
end
def follow(user)
return false if self.id == user.id
begin
followee = Users::UserFollowUser.create(follower_id: self.id, followee_id: user.id)
self.followees.reset if followee.persisted?
rescue ActiveRecord::RecordNotUnique
false
end
end
def unfollow(user)
if Users::UserFollowUser.where(follower_id: self.id, followee_id: user.id).delete_all > 0
self.followees.reset
else
false
end
end
2015-04-26 12:48:37 +05:30
def manageable_namespaces
2018-03-17 18:26:18 +05:30
@manageable_namespaces ||= [namespace] + manageable_groups
end
2019-07-07 11:18:12 +05:30
def manageable_groups(include_groups_with_developer_maintainer_access: false)
owned_and_maintainer_group_hierarchy = Gitlab::ObjectHierarchy.new(owned_or_maintainers_groups).base_and_descendants
if include_groups_with_developer_maintainer_access
union_sql = ::Gitlab::SQL::Union.new(
[owned_and_maintainer_group_hierarchy,
groups_with_developer_maintainer_project_access]).to_sql
::Group.from("(#{union_sql}) #{::Group.table_name}")
else
owned_and_maintainer_group_hierarchy
end
end
def manageable_groups_with_routes(include_groups_with_developer_maintainer_access: false)
manageable_groups(include_groups_with_developer_maintainer_access: include_groups_with_developer_maintainer_access)
.eager_load(:route)
.order('routes.path')
2015-04-26 12:48:37 +05:30
end
2015-09-11 14:41:01 +05:30
def namespaces
namespace_ids = groups.pluck(:id)
namespace_ids.push(namespace.id)
Namespace.where(id: namespace_ids)
end
2015-04-26 12:48:37 +05:30
def oauth_authorized_tokens
2017-08-17 22:00:37 +05:30
Doorkeeper::AccessToken.where(resource_owner_id: id, revoked_at: nil)
2015-04-26 12:48:37 +05:30
end
2015-11-26 14:37:03 +05:30
# Returns the projects a user contributed to in the last year.
#
# This method relies on a subquery as this performs significantly better
# compared to a JOIN when coupled with, for example,
# `Project.visible_to_user`. That is, consider the following code:
#
# some_user.contributed_projects.visible_to_user(other_user)
#
# If this method were to use a JOIN the resulting query would take roughly 200
# ms on a database with a similar size to GitLab.com's database. On the other
# hand, using a subquery means we can get the exact same data in about 40 ms.
def contributed_projects
2017-09-10 17:25:29 +05:30
events = Event.select(:project_id)
.contributions.where(author_id: self)
2020-06-23 00:09:42 +05:30
.where("created_at > ?", Time.current - 1.year)
2018-12-13 13:39:08 +05:30
.distinct
2017-09-10 17:25:29 +05:30
.reorder(nil)
2015-11-26 14:37:03 +05:30
Project.where(id: events)
2015-04-26 12:48:37 +05:30
end
2015-09-11 14:41:01 +05:30
def can_be_removed?
!solo_owned_groups.present?
end
2015-09-25 12:07:36 +05:30
2021-02-22 17:27:13 +05:30
def can_remove_self?
true
end
2018-11-08 19:23:39 +05:30
def ci_owned_runners
@ci_owned_runners ||= begin
2018-12-05 23:21:45 +05:30
project_runners = Ci::RunnerProject
2018-11-18 11:00:15 +05:30
.where(project: authorized_projects(Gitlab::Access::MAINTAINER))
2018-12-05 23:21:45 +05:30
.joins(:runner)
.select('ci_runners.*')
2018-11-08 19:23:39 +05:30
2018-12-05 23:21:45 +05:30
group_runners = Ci::RunnerNamespace
2020-04-22 19:07:51 +05:30
.where(namespace_id: Gitlab::ObjectHierarchy.new(owned_groups).base_and_descendants.select(:id))
2018-12-05 23:21:45 +05:30
.joins(:runner)
.select('ci_runners.*')
2018-11-08 19:23:39 +05:30
2018-12-05 23:21:45 +05:30
Ci::Runner.from_union([project_runners, group_runners])
2015-11-26 14:37:03 +05:30
end
end
2019-10-12 21:52:04 +05:30
def notification_email_for(notification_group)
# Return group-specific email address if present, otherwise return global notification email address
notification_group&.notification_email_for(self) || notification_email
end
2019-12-21 20:55:43 +05:30
def notification_settings_for(source, inherit: false)
2018-03-17 18:26:18 +05:30
if notification_settings.loaded?
2018-11-08 19:23:39 +05:30
notification_settings.find do |notification|
notification.source_type == source.class.base_class.name &&
notification.source_id == source.id
end
2018-03-17 18:26:18 +05:30
else
2019-12-21 20:55:43 +05:30
notification_settings.find_or_initialize_by(source: source) do |ns|
next unless source.is_a?(Group) && inherit
# If we're here it means we're trying to create a NotificationSetting for a group that doesn't have one.
# Find the closest parent with a notification_setting that's not Global level, or that has an email set.
ancestor_ns = source
.notification_settings(hierarchy_order: :asc)
.where(user: self)
.find_by('level != ? OR notification_email IS NOT NULL', NotificationSetting.levels[:global])
# Use it to seed the settings
ns.assign_attributes(ancestor_ns&.slice(*NotificationSetting.allowed_fields))
ns.source = source
ns.user = self
end
2018-03-17 18:26:18 +05:30
end
2016-06-02 11:05:42 +05:30
end
2020-11-24 15:15:51 +05:30
def notification_settings_for_groups(groups)
ids = groups.is_a?(ActiveRecord::Relation) ? groups.select(:id) : groups.map(&:id)
notification_settings.for_groups.where(source_id: ids)
end
# Lazy load global notification setting
# Initializes User setting with Participating level if setting not persisted
def global_notification_setting
return @global_notification_setting if defined?(@global_notification_setting)
@global_notification_setting = notification_settings.find_or_initialize_by(source: nil)
2018-11-18 11:00:15 +05:30
@global_notification_setting.update(level: NotificationSetting.levels[DEFAULT_NOTIFICATION_LEVEL]) unless @global_notification_setting.persisted?
@global_notification_setting
end
2017-08-17 22:00:37 +05:30
def assigned_open_merge_requests_count(force: false)
Rails.cache.fetch(['users', id, 'assigned_open_merge_requests_count'], force: force, expires_in: 20.minutes) do
2018-12-05 23:21:45 +05:30
MergeRequestsFinder.new(self, assignee_id: self.id, state: 'opened', non_archived: true).execute.count
end
end
2021-03-08 18:12:59 +05:30
def review_requested_open_merge_requests_count(force: false)
Rails.cache.fetch(['users', id, 'review_requested_open_merge_requests_count'], force: force, expires_in: 20.minutes) do
MergeRequestsFinder.new(self, reviewer_id: id, state: 'opened', non_archived: true).execute.count
end
end
def assigned_open_issues_count(force: false)
2017-08-17 22:00:37 +05:30
Rails.cache.fetch(['users', id, 'assigned_open_issues_count'], force: force, expires_in: 20.minutes) do
2018-12-05 23:21:45 +05:30
IssuesFinder.new(self, assignee_id: self.id, state: 'opened', non_archived: true).execute.count
end
end
2018-03-27 19:54:05 +05:30
def todos_done_count(force: false)
Rails.cache.fetch(['users', id, 'todos_done_count'], force: force, expires_in: 20.minutes) do
TodosFinder.new(self, state: :done).execute.count
end
end
def todos_pending_count(force: false)
Rails.cache.fetch(['users', id, 'todos_pending_count'], force: force, expires_in: 20.minutes) do
TodosFinder.new(self, state: :pending).execute.count
end
end
2018-05-09 12:01:36 +05:30
def personal_projects_count(force: false)
Rails.cache.fetch(['users', id, 'personal_projects_count'], force: force, expires_in: 24.hours, raw: true) do
personal_projects.count
end.to_i
end
2018-03-27 19:54:05 +05:30
def update_todos_count_cache
todos_done_count(force: true)
todos_pending_count(force: true)
end
2017-08-17 22:00:37 +05:30
def invalidate_cache_counts
invalidate_issue_cache_counts
invalidate_merge_request_cache_counts
2018-03-27 19:54:05 +05:30
invalidate_todos_done_count
invalidate_todos_pending_count
2018-05-09 12:01:36 +05:30
invalidate_personal_projects_count
2017-08-17 22:00:37 +05:30
end
def invalidate_issue_cache_counts
Rails.cache.delete(['users', id, 'assigned_open_issues_count'])
end
def invalidate_merge_request_cache_counts
Rails.cache.delete(['users', id, 'assigned_open_merge_requests_count'])
2021-03-08 18:12:59 +05:30
Rails.cache.delete(['users', id, 'review_requested_open_merge_requests_count'])
2017-08-17 22:00:37 +05:30
end
2018-03-27 19:54:05 +05:30
def invalidate_todos_done_count
Rails.cache.delete(['users', id, 'todos_done_count'])
2016-06-22 15:30:34 +05:30
end
2018-03-27 19:54:05 +05:30
def invalidate_todos_pending_count
Rails.cache.delete(['users', id, 'todos_pending_count'])
2016-06-22 15:30:34 +05:30
end
2018-05-09 12:01:36 +05:30
def invalidate_personal_projects_count
Rails.cache.delete(['users', id, 'personal_projects_count'])
end
2016-11-03 12:29:30 +05:30
# This is copied from Devise::Models::Lockable#valid_for_authentication?, as our auth
# flow means we don't call that automatically (and can't conveniently do so).
#
# See:
2019-12-26 22:10:19 +05:30
# <https://github.com/plataformatec/devise/blob/v4.7.1/lib/devise/models/lockable.rb#L104>
2016-11-03 12:29:30 +05:30
#
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2016-11-03 12:29:30 +05:30
def increment_failed_attempts!
2018-11-08 19:23:39 +05:30
return if ::Gitlab::Database.read_only?
2019-12-26 22:10:19 +05:30
increment_failed_attempts
2018-11-08 19:23:39 +05:30
2016-11-03 12:29:30 +05:30
if attempts_exceeded?
lock_access! unless access_locked?
else
2018-03-17 18:26:18 +05:30
Users::UpdateService.new(self, user: self).execute(validate: false)
2016-11-03 12:29:30 +05:30
end
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2016-11-03 12:29:30 +05:30
2017-08-17 22:00:37 +05:30
def access_level
if admin?
:admin
else
:regular
end
end
2015-11-26 14:37:03 +05:30
2017-08-17 22:00:37 +05:30
def access_level=(new_level)
new_level = new_level.to_s
return unless %w(admin regular).include?(new_level)
2017-08-17 22:00:37 +05:30
self.admin = (new_level == 'admin')
end
2020-01-01 13:55:28 +05:30
def can_read_all_resources?
2019-12-26 22:10:19 +05:30
can?(:read_all_resources)
2017-09-10 17:25:29 +05:30
end
2021-04-17 20:07:23 +05:30
def can_admin_all_resources?
can?(:admin_all_resources)
end
2017-08-17 22:00:37 +05:30
def update_two_factor_requirement
periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period)
2017-08-17 22:00:37 +05:30
self.require_two_factor_authentication_from_group = periods.any?
self.two_factor_grace_period = periods.min || User.column_defaults['two_factor_grace_period']
save
2015-09-25 12:07:36 +05:30
end
2021-02-22 17:27:13 +05:30
# each existing user needs to have a `feed_token`.
2017-09-10 17:25:29 +05:30
# we do this on read since migrating all existing users is not a feasible
# solution.
2018-11-08 19:23:39 +05:30
def feed_token
2021-02-22 17:27:13 +05:30
Gitlab::CurrentSettings.disable_feed_token ? nil : ensure_feed_token!
2017-09-10 17:25:29 +05:30
end
2019-12-04 20:38:33 +05:30
# Each existing user needs to have a `static_object_token`.
# We do this on read since migrating all existing users is not a feasible
# solution.
def static_object_token
ensure_static_object_token!
end
2018-03-17 18:26:18 +05:30
def sync_attribute?(attribute)
return true if ldap_user? && attribute == :email
attributes = Gitlab.config.omniauth.sync_profile_attributes
if attributes.is_a?(Array)
attributes.include?(attribute.to_s)
else
attributes
end
end
def read_only_attribute?(attribute)
user_synced_attributes_metadata&.read_only?(attribute)
end
# override, from Devise
def lock_access!
Gitlab::AppLogger.info("Account Locked: username=#{username}")
super
end
# Determine the maximum access level for a group of projects in bulk.
#
# Returns a Hash mapping project ID -> maximum access level.
def max_member_access_for_project_ids(project_ids)
max_member_access_for_resource_ids(Project, project_ids) do |project_ids|
project_authorizations.where(project: project_ids)
.group(:project_id)
.maximum(:access_level)
end
end
def max_member_access_for_project(project_id)
max_member_access_for_project_ids([project_id])[project_id]
end
# Determine the maximum access level for a group of groups in bulk.
#
# Returns a Hash mapping project ID -> maximum access level.
def max_member_access_for_group_ids(group_ids)
max_member_access_for_resource_ids(Group, group_ids) do |group_ids|
group_members.where(source: group_ids).group(:source_id).maximum(:access_level)
end
end
def max_member_access_for_group(group_id)
max_member_access_for_group_ids([group_id])[group_id]
end
2018-10-15 14:42:47 +05:30
def terms_accepted?
2021-01-03 14:25:43 +05:30
return true if project_bot?
2018-10-15 14:42:47 +05:30
accepted_term_id.present?
end
def required_terms_not_accepted?
Gitlab::CurrentSettings.current_application_settings.enforce_terms? &&
!terms_accepted?
end
2018-11-20 20:47:30 +05:30
def requires_usage_stats_consent?
2019-09-30 21:07:59 +05:30
self.admin? && 7.days.ago > self.created_at && !has_current_license? && User.single_user? && !consented_usage_stats?
2018-11-08 19:23:39 +05:30
end
2018-12-13 13:39:08 +05:30
# Avoid migrations only building user preference object when needed.
def user_preference
super.presence || build_user_preference
end
2020-04-08 14:13:33 +05:30
def user_detail
super.presence || build_user_detail
end
2019-02-15 15:39:39 +05:30
def pending_todo_for(target)
todos.find_by(target: target, state: :pending)
end
2019-12-21 20:55:43 +05:30
def password_expired?
2020-06-23 00:09:42 +05:30
!!(password_expires_at && password_expires_at < Time.current)
2019-12-21 20:55:43 +05:30
end
def can_be_deactivated?
2021-01-03 14:25:43 +05:30
active? && no_recent_activity? && !internal?
2019-12-21 20:55:43 +05:30
end
def last_active_at
last_activity = last_activity_on&.to_time&.in_time_zone
last_sign_in = current_sign_in_at
[last_activity, last_sign_in].compact.max
end
REQUIRES_ROLE_VALUE = 99
def role_required?
role_before_type_cast == REQUIRES_ROLE_VALUE
end
def set_role_required!
update_column(:role, REQUIRES_ROLE_VALUE)
end
2020-03-13 15:44:24 +05:30
def dismissed_callout?(feature_name:, ignore_dismissal_earlier_than: nil)
callouts = self.callouts.with_feature_name(feature_name)
callouts = callouts.with_dismissed_after(ignore_dismissal_earlier_than) if ignore_dismissal_earlier_than
callouts.any?
end
2020-04-22 19:07:51 +05:30
# Load the current highest access by looking directly at the user's memberships
def current_highest_access_level
members.non_request.maximum(:access_level)
end
def confirmation_required_on_sign_in?
!confirmed? && !confirmation_period_valid?
end
2020-05-24 23:13:21 +05:30
def impersonated?
impersonator.present?
2020-04-22 19:07:51 +05:30
end
2018-11-18 11:00:15 +05:30
2020-07-28 23:09:34 +05:30
def created_recently?
created_at > Devise.confirm_within.ago
end
2021-04-17 20:07:23 +05:30
def find_or_initialize_callout(feature_name)
callouts.find_or_initialize_by(feature_name: ::UserCallout.feature_names[feature_name])
end
def can_trigger_notifications?
confirmed? && !blocked? && !ghost?
end
2017-08-17 22:00:37 +05:30
protected
# override, from Devise::Validatable
def password_required?
2020-04-22 19:07:51 +05:30
return false if internal? || project_bot?
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
super
end
2019-10-12 21:52:04 +05:30
# override from Devise::Confirmable
def confirmation_period_valid?
return false if Feature.disabled?(:soft_email_confirmation)
super
end
2020-04-22 19:07:51 +05:30
# This is copied from Devise::Models::TwoFactorAuthenticatable#consume_otp!
#
# An OTP cannot be used more than once in a given timestep
# Storing timestep of last valid OTP is sufficient to satisfy this requirement
#
# See:
# <https://github.com/tinfoil/devise-two-factor/blob/master/lib/devise_two_factor/models/two_factor_authenticatable.rb#L66>
#
def consume_otp!
if self.consumed_timestep != current_otp_timestep
self.consumed_timestep = current_otp_timestep
return Gitlab::Database.read_only? ? true : save(validate: false)
end
false
end
2017-08-17 22:00:37 +05:30
private
2021-01-29 00:20:46 +05:30
def authorized_groups_without_shared_membership
Group.from_union([
groups,
authorized_projects.joins(:namespace).select('namespaces.*')
])
end
def authorized_groups_with_shared_membership
cte = Gitlab::SQL::CTE.new(:direct_groups, authorized_groups_without_shared_membership)
cte_alias = cte.table.alias(Group.table_name)
Group
.with(cte.to_arel)
.from_union([
Group.from(cte_alias),
Group.joins(:shared_with_group_links)
.where(group_group_links: { shared_with_group_id: Group.from(cte_alias) })
])
end
2019-09-30 21:07:59 +05:30
def default_private_profile_to_false
return unless private_profile_changed? && private_profile.nil?
self.private_profile = false
end
2018-11-20 20:47:30 +05:30
def has_current_license?
false
end
def consented_usage_stats?
2019-09-30 21:07:59 +05:30
# Bypass the cache here because it's possible the admin enabled the
# usage ping, and we don't want to annoy the user again if they
# already set the value. This is a bit of hack, but the alternative
# would be to put in a more complex cache invalidation step. Since
# this call only gets called in the uncommon situation where the
# user is an admin and the only user in the instance, this shouldn't
# cause too much load on the system.
ApplicationSetting.current_without_cache&.usage_stats_set_by_user_id == self.id
2018-11-20 20:47:30 +05:30
end
2017-09-10 17:25:29 +05:30
def ensure_user_rights_and_limits
if external?
self.can_create_group = false
self.projects_limit = 0
else
2018-03-17 18:26:18 +05:30
# Only revert these back to the default if they weren't specifically changed in this update.
self.can_create_group = gitlab_config.default_can_create_group unless can_create_group_changed?
self.projects_limit = Gitlab::CurrentSettings.default_projects_limit unless projects_limit_changed?
2017-09-10 17:25:29 +05:30
end
2016-06-02 11:05:42 +05:30
end
2016-08-24 12:49:21 +05:30
def signup_domain_valid?
valid = true
error = nil
2021-01-29 00:20:46 +05:30
if Gitlab::CurrentSettings.domain_denylist_enabled?
blocked_domains = Gitlab::CurrentSettings.domain_denylist
2017-08-17 22:00:37 +05:30
if domain_matches?(blocked_domains, email)
2016-08-24 12:49:21 +05:30
error = 'is not from an allowed domain.'
valid = false
end
end
2021-01-29 00:20:46 +05:30
allowed_domains = Gitlab::CurrentSettings.domain_allowlist
2016-08-24 12:49:21 +05:30
unless allowed_domains.blank?
2017-08-17 22:00:37 +05:30
if domain_matches?(allowed_domains, email)
2016-08-24 12:49:21 +05:30
valid = true
else
2016-11-03 12:29:30 +05:30
error = "domain is not authorized for sign-up"
2016-08-24 12:49:21 +05:30
valid = false
end
end
2017-08-17 22:00:37 +05:30
errors.add(:email, error) unless valid
2016-08-24 12:49:21 +05:30
valid
end
def domain_matches?(email_domains, email)
signup_domain = Mail::Address.new(email).domain
email_domains.any? do |domain|
escaped = Regexp.escape(domain).gsub('\*', '.*?')
regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE
signup_domain =~ regexp
end
end
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
def check_email_restrictions
return unless Gitlab::CurrentSettings.email_restrictions_enabled?
restrictions = Gitlab::CurrentSettings.email_restrictions
return if restrictions.blank?
if Gitlab::UntrustedRegexp.new(restrictions).match?(email)
2020-04-22 19:07:51 +05:30
errors.add(:email, _('is not allowed. Try again with a different email address, or contact your GitLab admin.'))
2020-04-08 14:13:33 +05:30
end
end
2019-07-07 11:18:12 +05:30
def groups_with_developer_maintainer_project_access
project_creation_levels = [::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS]
if ::Gitlab::CurrentSettings.default_project_creation == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
project_creation_levels << nil
end
developer_groups_hierarchy = ::Gitlab::ObjectHierarchy.new(developer_groups).base_and_descendants
::Group.where(id: developer_groups_hierarchy.select(:id),
project_creation_level: project_creation_levels)
end
2019-12-21 20:55:43 +05:30
def no_recent_activity?
last_active_at.to_i <= MINIMUM_INACTIVE_DAYS.days.ago.to_i
end
2020-04-22 19:07:51 +05:30
def update_highest_role?
return false unless persisted?
2020-06-23 00:09:42 +05:30
(previous_changes.keys & %w(state user_type)).any?
2020-04-22 19:07:51 +05:30
end
def update_highest_role_attribute
id
end
2014-09-02 18:07:02 +05:30
end
2019-12-04 20:38:33 +05:30
User.prepend_if_ee('EE::User')