User email is not always released and causes conflicts when person comes back at CERN with new account
For about 1/3 of accounts, trying to change the email address via API silently fails and the old email is kept. This happens despite Daniel's upstream fix that added the skip_reconfirmation
option.
Upstream issue: https://gitlab.com/gitlab-org/gitlab-foss/issues/17797
All users where this fails have a UserSyncedAttributesMetadata
with email_synced: true
, and almost all (but not all) users where email was updated from API did NOT have a UserSyncedAttributesMetadata
for some reason.
Removing UserSyncedAttributesMetadata
from an affected does not help, it's still impossible to update from API.
When it's not possible to update from API, it also does not work from the web admin interface with admin account. The only way to change the email to <account>@cern.ch
and release the old "full email" is to use the rails console. Even after fixing in the rails console, the API keeps not working...
It's not clear what causes this. Not all accounts are affected. UserSyncedAttributesMetadata
seemed a clue but it's apparently not the only thing involved.
To manually fix all "cleaned up" accounts in the rails console:
# find all GitLab users that have been cleaned up (state: `ldap_blocked` and no identity)
# but still have an email other than `<account>@cern.ch`
users=User.where(state: ['ldap_blocked', 'blocked']).where.not(username: 'ghost').preload(:identities).select do |u|
# check that there aren't any identity (if an identity has empty extern_uid, count as no identity
# since we cannot delete identities via API at the moment and set extern_uid to empty string instead)
u.identities.select{|i| i.extern_uid.present?}.blank? &&
u.email != "#{u.username}@cern.ch"
end
users.each do |u|
u.email="#{u.username}@cern.ch"
u.skip_reconfirmation=true
u.save
# remove secondary emails
u.emails.map(&:destroy)
end
NB: in gitlab-dev, only fixed 1 account pgr
; 5 other broken accounts are left behind for troubleshooting/testing. 782 prod accounts found on October 21 were fixed - see attached list
Repro unability to change email with pgr
:
curl -v -X PUT https://gitlab-dev.cern.ch/api/v4/users/2504 -d '{"email":"pgr_new@cern.ch", "skip_reconfirmation":"true"}' -H "Private-Token: <admin token>"
In the output, we still see the old email