gitlab-org--gitlab-foss/app/controllers/registrations_controller.rb

# frozen_string_literal: true

class RegistrationsController < Devise::RegistrationsController
  include Recaptcha::Verify
  include AcceptsPendingInvitations
  include RecaptchaExperimentHelper
  include InvisibleCaptcha

  layout :choose_layout

  prepend_before_action :check_captcha, only: :create
  before_action :whitelist_query_limiting, only: [:destroy]
  before_action :ensure_terms_accepted,
    if: -> { action_name == 'create' && Gitlab::CurrentSettings.current_application_settings.enforce_terms? }

  def new
    if helpers.use_experimental_separate_sign_up_flow?
      @resource = build_resource
    else
      redirect_to new_user_session_path(anchor: 'register-pane')
    end
  end

  def create
    accept_pending_invitations

    super do |new_user|
      persist_accepted_terms_if_required(new_user)
      yield new_user if block_given?
    end
  rescue Gitlab::Access::AccessDeniedError
    redirect_to(new_user_session_path)
  end

  def destroy
    if destroy_confirmation_valid?
      current_user.delete_async(deleted_by: current_user)
      session.try(:destroy)
      redirect_to new_user_session_path, status: 303, notice: s_('Profiles|Account scheduled for removal.')
    else
      redirect_to profile_account_path, status: 303, alert: destroy_confirmation_failure_message
    end
  end

  protected

  def persist_accepted_terms_if_required(new_user)
    return unless new_user.persisted?
    return unless Gitlab::CurrentSettings.current_application_settings.enforce_terms?

    if terms_accepted?
      terms = ApplicationSetting::Term.latest
      Users::RespondToTermsService.new(new_user, terms).execute(accepted: true)
    end
  end

  def destroy_confirmation_valid?
    if current_user.confirm_deletion_with_password?
      current_user.valid_password?(params[:password])
    else
      current_user.username == params[:username]
    end
  end

  def destroy_confirmation_failure_message
    if current_user.confirm_deletion_with_password?
      s_('Profiles|Invalid password')
    else
      s_('Profiles|Invalid username')
    end
  end

  def build_resource(hash = nil)
    super
  end

  def after_sign_up_path_for(user)
    Gitlab::AppLogger.info(user_created_message(confirmed: user.confirmed?))
    confirmed_or_unconfirmed_access_allowed(user) ? stored_location_or_dashboard(user) : users_almost_there_path
  end

  def after_inactive_sign_up_path_for(resource)
    Gitlab::AppLogger.info(user_created_message)
    Feature.enabled?(:soft_email_confirmation) ? dashboard_projects_path : users_almost_there_path
  end

  private

  def user_created_message(confirmed: false)
    "User Created: username=#{resource.username} email=#{resource.email} ip=#{request.remote_ip} confirmed:#{confirmed}"
  end

  def ensure_correct_params!
    # To avoid duplicate form fields on the login page, the registration form
    # names fields using `new_user`, but Devise still wants the params in
    # `user`.
    if params["new_#{resource_name}"].present? && params[resource_name].blank?
      params[resource_name] = params.delete(:"new_#{resource_name}")
    end
  end

  def check_captcha
    ensure_correct_params!

    return unless Feature.enabled?(:registrations_recaptcha, default_enabled: true) # reCAPTCHA on the UI will still display however
    return unless show_recaptcha_sign_up?
    return unless Gitlab::Recaptcha.load_configurations!

    return if verify_recaptcha

    flash[:alert] = _('There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.')
    flash.delete :recaptcha_error
    render action: 'new'
  end

  def sign_up_params
    params.require(:user).permit(:username, :email, :email_confirmation, :name, :password)
  end

  def resource_name
    :user
  end

  def resource
    @resource ||= Users::BuildService.new(current_user, sign_up_params).execute
  end

  def devise_mapping
    @devise_mapping ||= Devise.mappings[:user]
  end

  def whitelist_query_limiting
    Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42380')
  end

  def ensure_terms_accepted
    return if terms_accepted?

    redirect_to new_user_session_path, alert: _('You must accept our Terms of Service and privacy policy in order to register an account')
  end

  def terms_accepted?
    Gitlab::Utils.to_boolean(params[:terms_opt_in])
  end

  def confirmed_or_unconfirmed_access_allowed(user)
    user.confirmed? || Feature.enabled?(:soft_email_confirmation)
  end

  def stored_location_or_dashboard(user)
    stored_location_for(user) || dashboard_projects_path
  end

  # Part of an experiment to build a new sign up flow. Will be resolved
  # with https://gitlab.com/gitlab-org/growth/engineering/issues/64
  def choose_layout
    if helpers.use_experimental_separate_sign_up_flow?
      'devise_experimental_separate_sign_up_flow'
    else
      'devise'
    end
  end
end

RegistrationsController.prepend_if_ee('EE::RegistrationsController')
Enable frozen string in app/controllers/*/.rb Enables frozen string for the following: * app/controllers/.rb app/controllers/admin/*/.rb * app/controllers/boards/*/.rb * app/controllers/ci/*/.rb * app/controllers/concerns/*/.rb Partially addresses #47424. 2018-09-14 05:42:05 +00:00			`# frozen_string_literal: true`

Add optional signup. 2012-11-06 13:30:48 +00:00			`class RegistrationsController < Devise::RegistrationsController`
Add support for Google reCAPTCHA in user registration to prevent spammers 2015-12-27 17:03:06 +00:00			`include Recaptcha::Verify`
Resolve "Opening Project with invite but without accepting leads to 404 error page" 2018-05-17 09:19:47 +00:00			`include AcceptsPendingInvitations`
New RecaptchaExperimentHelper modules RecaptchaExperimentHelper contains helper methods to assist in the controller and view layers. 2019-06-25 22:32:54 +00:00			`include RecaptchaExperimentHelper`
Add logging and counter for invisible captcha 2019-08-14 12:05:24 +00:00			`include InvisibleCaptcha`
Add optional signup. 2012-11-06 13:30:48 +00:00
Add latest changes from gitlab-org/gitlab@master 2019-10-07 15:05:59 +00:00			`layout :choose_layout`

Add :registrations_recaptcha feature flag Allows instance owners to toggle the recaptcha requirement on the user registration page by feature flag. Allows GitLab Growth team to measure reCAPTCHA's impact on registrations. 2019-05-13 16:04:09 +00:00			`prepend_before_action :check_captcha, only: :create`
Track and act upon the number of executed queries This ensures that we have more visibility in the number of SQL queries that are executed in web requests. The current threshold is hardcoded to 100 as we will rarely (maybe once or twice) change it. In production and development we use Sentry if enabled, in the test environment we raise an error. This feature is also only enabled in production/staging when running on GitLab.com as it's not very useful to other users. 2018-01-15 15:21:04 +00:00			`before_action :whitelist_query_limiting, only: [:destroy]`
Users can accept terms during registration When a user checks the `accept` checkbox, we will track that acceptance as usual. That way they don't need to accept again after they complete the registration. When an unauthenticated user visits the `/-/users/terms` page, there is no button to accept, decline or continue. The 'current-user menu' is also hidden from the top bar. 2018-06-08 11:20:44 +00:00			`before_action :ensure_terms_accepted,`
Rewrite `if:` argument in before_action and alike when `only:` is also used Closes #55564 This is first discovered in #54739 (comment 122609857) that if both if: and only: are used in a before_action or after_action or alike, if: is completely ignored. 2019-02-27 07:41:14 +00:00			`if: -> { action_name == 'create' && Gitlab::CurrentSettings.current_application_settings.enforce_terms? }`
Track and act upon the number of executed queries This ensures that we have more visibility in the number of SQL queries that are executed in web requests. The current threshold is hardcoded to 100 as we will rarely (maybe once or twice) change it. In production and development we use Sentry if enabled, in the test environment we raise an error. This feature is also only enabled in production/staging when running on GitLab.com as it's not very useful to other users. 2018-01-15 15:21:04 +00:00
Redirect signup page to signin page. Resolves #1916. 2015-02-05 14:56:28 +00:00			`def new`
Add latest changes from gitlab-org/gitlab@master 2019-10-07 15:05:59 +00:00			`if helpers.use_experimental_separate_sign_up_flow?`
			`@resource = build_resource`
			`else`
			`redirect_to new_user_session_path(anchor: 'register-pane')`
			`end`
Redirect signup page to signin page. Resolves #1916. 2015-02-05 14:56:28 +00:00			`end`

Add support for Google reCAPTCHA in user registration to prevent spammers 2015-12-27 17:03:06 +00:00			`def create`
Add :registrations_recaptcha feature flag Allows instance owners to toggle the recaptcha requirement on the user registration page by feature flag. Allows GitLab Growth team to measure reCAPTCHA's impact on registrations. 2019-05-13 16:04:09 +00:00			`accept_pending_invitations`

			`super do \|new_user\|`
			`persist_accepted_terms_if_required(new_user)`
Back porting changes to trigger user create event on Trial sign up 2019-09-06 16:23:14 +00:00			`yield new_user if block_given?`
Add support for Google reCAPTCHA in user registration to prevent spammers 2015-12-27 17:03:06 +00:00			`end`
Implement new service for creating user 2017-03-27 09:37:24 +00:00			`rescue Gitlab::Access::AccessDeniedError`
			`redirect_to(new_user_session_path)`
Add support for Google reCAPTCHA in user registration to prevent spammers 2015-12-27 17:03:06 +00:00			`end`

Add user delete option. 2013-02-06 11:44:09 +00:00			`def destroy`
Show confirmation modal before deleting account 2017-10-06 20:40:41 +00:00			`if destroy_confirmation_valid?`
			`current_user.delete_async(deleted_by: current_user)`
			`session.try(:destroy)`
			`redirect_to new_user_session_path, status: 303, notice: s_('Profiles\|Account scheduled for removal.')`
			`else`
			`redirect_to profile_account_path, status: 303, alert: destroy_confirmation_failure_message`
Add user delete option. 2013-02-06 11:44:09 +00:00			`end`
			`end`

Fix project_limit being ignored on signup 2013-03-18 11:22:41 +00:00			`protected`

Users can accept terms during registration When a user checks the `accept` checkbox, we will track that acceptance as usual. That way they don't need to accept again after they complete the registration. When an unauthenticated user visits the `/-/users/terms` page, there is no button to accept, decline or continue. The 'current-user menu' is also hidden from the top bar. 2018-06-08 11:20:44 +00:00			`def persist_accepted_terms_if_required(new_user)`
			`return unless new_user.persisted?`
			`return unless Gitlab::CurrentSettings.current_application_settings.enforce_terms?`

			`if terms_accepted?`
			`terms = ApplicationSetting::Term.latest`
			`Users::RespondToTermsService.new(new_user, terms).execute(accepted: true)`
			`end`
			`end`

Show confirmation modal before deleting account 2017-10-06 20:40:41 +00:00			`def destroy_confirmation_valid?`
			`if current_user.confirm_deletion_with_password?`
			`current_user.valid_password?(params[:password])`
			`else`
			`current_user.username == params[:username]`
			`end`
			`end`

			`def destroy_confirmation_failure_message`
			`if current_user.confirm_deletion_with_password?`
			`s_('Profiles\|Invalid password')`
			`else`
			`s_('Profiles\|Invalid username')`
			`end`
			`end`

Enable Style/SpaceAroundEqualsInParameterDefault cop 2016-08-06 02:03:01 +00:00			`def build_resource(hash = nil)`
Fix project_limit being ignored on signup 2013-03-18 11:22:41 +00:00			`super`
			`end`

Change landing page when skipping confirmation email and add documentation 2016-05-06 20:59:45 +00:00			`def after_sign_up_path_for(user)`
New RecaptchaExperimentHelper modules RecaptchaExperimentHelper contains helper methods to assist in the controller and view layers. 2019-06-25 22:32:54 +00:00			`Gitlab::AppLogger.info(user_created_message(confirmed: user.confirmed?))`
Incorporate feedback fixes 2019-08-12 15:40:24 +00:00			`confirmed_or_unconfirmed_access_allowed(user) ? stored_location_or_dashboard(user) : users_almost_there_path`
Redirect to sign in page after signup, this will show the correct flash message. 2014-07-04 12:19:59 +00:00			`end`

# This is a combination of 1 commit. # This is the 1st commit message: Add logging for all web authentication events # This is the commit message #2: Re-add underscore to after_inactive_sign_up_path_for # This is the commit message #3: Standardize on username= # This is the commit message #4: after_filter -> after_action, _resource -> resource # This is the commit message #5: Add two-factor login failures and account lockouts # This is the commit message #6: Move logging from two-factor concern to user model # This is the commit message #7: Add spaces around default parameter assignments # This is the commit message #8: Move logs out of user model # This is the commit message #9: Replace filtered_params with user_params # This is the commit message #10: Standardize case # This is the commit message #1: Fixes for username and AppLogger.info 2017-08-23 04:40:16 +00:00			`def after_inactive_sign_up_path_for(resource)`
New RecaptchaExperimentHelper modules RecaptchaExperimentHelper contains helper methods to assist in the controller and view layers. 2019-06-25 22:32:54 +00:00			`Gitlab::AppLogger.info(user_created_message)`
Don't redirect to the Almost there page Don't redirect to the Almost there page after registration and after resending confirmation instructions 2019-07-31 14:49:52 +00:00			`Feature.enabled?(:soft_email_confirmation) ? dashboard_projects_path : users_almost_there_path`
Redirect to sign in page after signup, this will show the correct flash message. 2014-07-04 12:19:59 +00:00			`end`

Add optional signup. 2012-11-06 13:30:48 +00:00			`private`

New RecaptchaExperimentHelper modules RecaptchaExperimentHelper contains helper methods to assist in the controller and view layers. 2019-06-25 22:32:54 +00:00			`def user_created_message(confirmed: false)`
			`"User Created: username=#{resource.username} email=#{resource.email} ip=#{request.remote_ip} confirmed:#{confirmed}"`
			`end`

			`def ensure_correct_params!`
			`# To avoid duplicate form fields on the login page, the registration form`
			# names fields using `new_user`, but Devise still wants the params in
			# `user`.
			`if params["new_#{resource_name}"].present? && params[resource_name].blank?`
			`params[resource_name] = params.delete(:"new_#{resource_name}")`
			`end`
			`end`

Add :registrations_recaptcha feature flag Allows instance owners to toggle the recaptcha requirement on the user registration page by feature flag. Allows GitLab Growth team to measure reCAPTCHA's impact on registrations. 2019-05-13 16:04:09 +00:00			`def check_captcha`
New RecaptchaExperimentHelper modules RecaptchaExperimentHelper contains helper methods to assist in the controller and view layers. 2019-06-25 22:32:54 +00:00			`ensure_correct_params!`

			`return unless Feature.enabled?(:registrations_recaptcha, default_enabled: true) # reCAPTCHA on the UI will still display however`
			`return unless show_recaptcha_sign_up?`
Add :registrations_recaptcha feature flag Allows instance owners to toggle the recaptcha requirement on the user registration page by feature flag. Allows GitLab Growth team to measure reCAPTCHA's impact on registrations. 2019-05-13 16:04:09 +00:00			`return unless Gitlab::Recaptcha.load_configurations!`

			`return if verify_recaptcha`

			`flash[:alert] = _('There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.')`
			`flash.delete :recaptcha_error`
			`render action: 'new'`
			`end`

Override strong params for sign up. 2014-07-10 17:31:05 +00:00			`def sign_up_params`
Add email and password confirmation fields to registration form It's too easy to mistype an email or password when signing up. The support team is receiving an increasing number of requests because users mistype their email. We can eliminate this problem by requiring users to confirm the email before registering. The same issue can occur for the password field so we should add this, too. We should note that password confirmation is part of the default Devise forms. I don't know why/when GitLab removed it. 2016-11-12 00:47:32 +00:00			`params.require(:user).permit(:username, :email, :email_confirmation, :name, :password)`
Override strong params for sign up. 2014-07-10 17:31:05 +00:00			`end`
Add support for Google reCAPTCHA in user registration to prevent spammers 2015-12-27 17:03:06 +00:00
			`def resource_name`
			`:user`
			`end`

			`def resource`
Implement Users::BuildService 2017-04-13 08:47:52 +00:00			`@resource \|\|= Users::BuildService.new(current_user, sign_up_params).execute`
Add support for Google reCAPTCHA in user registration to prevent spammers 2015-12-27 17:03:06 +00:00			`end`

			`def devise_mapping`
			`@devise_mapping \|\|= Devise.mappings[:user]`
			`end`
Track and act upon the number of executed queries This ensures that we have more visibility in the number of SQL queries that are executed in web requests. The current threshold is hardcoded to 100 as we will rarely (maybe once or twice) change it. In production and development we use Sentry if enabled, in the test environment we raise an error. This feature is also only enabled in production/staging when running on GitLab.com as it's not very useful to other users. 2018-01-15 15:21:04 +00:00
			`def whitelist_query_limiting`
Add latest changes from gitlab-org/gitlab@master 2019-09-18 14:02:45 +00:00			`Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42380')`
Track and act upon the number of executed queries This ensures that we have more visibility in the number of SQL queries that are executed in web requests. The current threshold is hardcoded to 100 as we will rarely (maybe once or twice) change it. In production and development we use Sentry if enabled, in the test environment we raise an error. This feature is also only enabled in production/staging when running on GitLab.com as it's not very useful to other users. 2018-01-15 15:21:04 +00:00			`end`
Users can accept terms during registration When a user checks the `accept` checkbox, we will track that acceptance as usual. That way they don't need to accept again after they complete the registration. When an unauthenticated user visits the `/-/users/terms` page, there is no button to accept, decline or continue. The 'current-user menu' is also hidden from the top bar. 2018-06-08 11:20:44 +00:00
			`def ensure_terms_accepted`
			`return if terms_accepted?`

			`redirect_to new_user_session_path, alert: _('You must accept our Terms of Service and privacy policy in order to register an account')`
			`end`

			`def terms_accepted?`
			`Gitlab::Utils.to_boolean(params[:terms_opt_in])`
			`end`
Incorporate feedback fixes 2019-08-12 15:40:24 +00:00
			`def confirmed_or_unconfirmed_access_allowed(user)`
			`user.confirmed? \|\| Feature.enabled?(:soft_email_confirmation)`
			`end`

			`def stored_location_or_dashboard(user)`
			`stored_location_for(user) \|\| dashboard_projects_path`
			`end`
Add latest changes from gitlab-org/gitlab@master 2019-10-07 15:05:59 +00:00
			`# Part of an experiment to build a new sign up flow. Will be resolved`
			`# with https://gitlab.com/gitlab-org/growth/engineering/issues/64`
			`def choose_layout`
			`if helpers.use_experimental_separate_sign_up_flow?`
			`'devise_experimental_separate_sign_up_flow'`
			`else`
			`'devise'`
			`end`
			`end`
Fix project_limit being ignored on signup 2013-03-18 11:22:41 +00:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-13 13:26:31 +00:00
			`RegistrationsController.prepend_if_ee('EE::RegistrationsController')`