authorGitLab Bot <gitlab-bot@gitlab.com>2021-02-18 10:34:06 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-02-18 10:34:06 +0000
commit859a6fb938bb9ee2a317c46dfa4fcc1af49608f0 (patch)
treed7f2700abe6b4ffcb2dcfc80631b2d87d0609239 /app/services/users
parent446d496a6d000c73a304be52587cd9bbc7493136 (diff)
downloadgitlab-ce-859a6fb938bb9ee2a317c46dfa4fcc1af49608f0.tar.gz
Add latest changes from gitlab-org/gitlab@13-9-stable-ee v13.9.0-rc42
Diffstat (limited to 'app/services/users')
-rw-r--r--app/services/users/approve_service.rb8
-rw-r--r--app/services/users/batch_status_cleaner_service.rb22
-rw-r--r--app/services/users/refresh_authorized_projects_service.rb14
-rw-r--r--app/services/users/reject_service.rb14
4 files changed, 54 insertions, 4 deletions
diff --git a/app/services/users/approve_service.rb b/app/services/users/approve_service.rb
index debd1e8cd17..fea7fc55d90 100644
--- a/app/services/users/approve_service.rb
+++ b/app/services/users/approve_service.rb
@@ -8,8 +8,7 @@ module Users
def execute(user)
return error(_('You are not allowed to approve a user'), :forbidden) unless allowed?
- return error(_('The user you are trying to approve is not pending an approval'), :conflict) if user.active?
- return error(_('The user you are trying to approve is not pending an approval'), :conflict) unless approval_required?(user)
+ return error(_('The user you are trying to approve is not pending approval'), :conflict) if user.active? || !approval_required?(user)
if user.activate
# Resends confirmation email if the user isn't confirmed yet.
@@ -18,6 +17,7 @@ module Users
user.accept_pending_invitations! if user.active_for_authentication?
DeviseMailer.user_admin_approval(user).deliver_later
+ log_event(user)
after_approve_hook(user)
success(message: 'Success', http_status: :created)
else
@@ -40,6 +40,10 @@ module Users
def approval_required?(user)
user.blocked_pending_approval?
end
+
+ def log_event(user)
+ Gitlab::AppLogger.info(message: "User instance access request approved", user: "#{user.username}", email: "#{user.email}", approved_by: "#{current_user.username}", ip_address: "#{current_user.current_sign_in_ip}")
+ end
end
end
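Review bot: The `ip_address` field in `log_event` is filled from `current_user.current_sign_in_ip`, which by its name is the address stored at the approver's last sign-in, not the address of the request that performed the approval. Anyone reconstructing the action from logs could be misled when the session or a token was used from a different address, so either rename the key (for example `approver_sign_in_ip:`) or pass the request IP into the service if the caller has one. The `"#{...}"` wrappers are redundant and turn a nil username or IP into an empty string; `user: user.username, email: user.email` keeps a missing value visible in the structured entry. The same applies to `log_event` in app/services/users/reject_service.rb. Because the entry carries an email address and an IP address, access to and retention of this log should be handled as for personal data.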
diff --git a/app/services/users/batch_status_cleaner_service.rb b/app/services/users/batch_status_cleaner_service.rb
new file mode 100644
index 00000000000..ea6142f13cc
--- /dev/null
+++ b/app/services/users/batch_status_cleaner_service.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Users
+ class BatchStatusCleanerService
+ BATCH_SIZE = 100.freeze
+
+ # Cleanup BATCH_SIZE user_statuses records
+ # rubocop: disable CodeReuse/ActiveRecord
+ def self.execute(batch_size: BATCH_SIZE)
+ scope = UserStatus
+ .select(:user_id)
+ .scheduled_for_cleanup
+ .lock('FOR UPDATE SKIP LOCKED')
+ .limit(batch_size)
+
+ deleted_rows = UserStatus.where(user_id: scope).delete_all
+
+ { deleted_rows: deleted_rows }
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+ end
+end
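Review bot: `self.execute` passes `batch_size` straight to `.limit`, and ActiveRecord treats `limit(nil)` as no limit, so a caller passing `batch_size: nil` would lock and delete every row scheduled for cleanup in one statement instead of a bounded batch. A guard at the top of the method, such as `raise ArgumentError, 'batch_size must be a positive integer' unless batch_size.is_a?(Integer) && batch_size > 0`, keeps the batching guarantee. `BATCH_SIZE = 100.freeze` can be written `BATCH_SIZE = 100`, since Integers are already frozen. The comment above the method could also say that it returns `{ deleted_rows: <count> }` and that `FOR UPDATE SKIP LOCKED` is applied inside the subquery that selects the batch.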
diff --git a/app/services/users/refresh_authorized_projects_service.rb b/app/services/users/refresh_authorized_projects_service.rb
index d0939d5a542..24e3fb73370 100644
--- a/app/services/users/refresh_authorized_projects_service.rb
+++ b/app/services/users/refresh_authorized_projects_service.rb
@@ -14,13 +14,14 @@ module Users
# service = Users::RefreshAuthorizedProjectsService.new(some_user)
# service.execute
class RefreshAuthorizedProjectsService
- attr_reader :user
+ attr_reader :user, :source
LEASE_TIMEOUT = 1.minute.to_i
# user - The User for which to refresh the authorized projects.
- def initialize(user, incorrect_auth_found_callback: nil, missing_auth_found_callback: nil)
+ def initialize(user, source: nil, incorrect_auth_found_callback: nil, missing_auth_found_callback: nil)
@user = user
+ @source = source
@incorrect_auth_found_callback = incorrect_auth_found_callback
@missing_auth_found_callback = missing_auth_found_callback
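Review bot: The new `source:` keyword is undocumented, because the comment above `initialize` still describes only `user`. I would add a line such as `# source - Optional label for the caller that triggered the refresh; written to the refresh log entry.` In the visible hunks the value is only read by `log_refresh_details`, and it defaults to nil, so existing callers will log a nil source until they pass one. The body of `initialize` continues past the end of this hunk.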
@@ -91,6 +92,8 @@ module Users
# remove - The IDs of the authorization rows to remove.
# add - Rows to insert in the form `[user id, project id, access level]`
def update_authorizations(remove = [], add = [])
+ log_refresh_details(remove.length, add.length)
+
User.transaction do
user.remove_project_authorizations(remove) unless remove.empty?
ProjectAuthorization.insert_authorizations(add) unless add.empty?
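Review bot: `log_refresh_details` is called before `User.transaction`, so the entry reports `rows_deleted` and `rows_added` even when the transaction raises and rolls back. For a log that records changes to project authorizations, that leaves entries for changes that never took effect. Moving the call to just after the transaction block would make the counts describe what was actually written; if recording the attempt is intended, key names like `rows_to_delete` and `rows_to_add` would say so. `update_authorizations` continues past the end of this hunk.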
@@ -101,6 +104,13 @@ module Users
user.reset
end
+ def log_refresh_details(rows_deleted, rows_added)
+ Gitlab::AppJsonLogger.info(event: 'authorized_projects_refresh',
+ 'authorized_projects_refresh.source': source,
+ 'authorized_projects_refresh.rows_deleted': rows_deleted,
+ 'authorized_projects_refresh.rows_added': rows_added)
+ end
+
def fresh_access_levels_per_project
fresh_authorizations.each_with_object({}) do |row, hash|
hash[row.project_id] = row.access_level
diff --git a/app/services/users/reject_service.rb b/app/services/users/reject_service.rb
index dd72547c688..0e3eb3e5dde 100644
--- a/app/services/users/reject_service.rb
+++ b/app/services/users/reject_service.rb
@@ -12,8 +12,12 @@ module Users
user.delete_async(deleted_by: current_user, params: { hard_delete: true })
+ after_reject_hook(user)
+
NotificationService.new.user_admin_rejection(user.name, user.email)
+ log_event(user)
+
success
end
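Review bot: `log_event(user)` runs after `NotificationService.new.user_admin_rejection`, so if the notification call raises, the hard delete has already been scheduled but no log entry records who rejected the user. Calling `log_event(user)` directly after `user.delete_async(...)` would make the audit line independent of mail delivery. The start of `execute` is outside this hunk, so any error handling around these calls is not visible here.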
@@ -24,5 +28,15 @@ module Users
def allowed?
can?(current_user, :reject_user)
end
+
+ def after_reject_hook(user)
+ # overridden by EE module
+ end
+
+ def log_event(user)
+ Gitlab::AppLogger.info(message: "User instance access request rejected", user: "#{user.username}", email: "#{user.email}", rejected_by: "#{current_user.username}", ip_address: "#{current_user.current_sign_in_ip}")
+ end
end
end
+
+Users::RejectService.prepend_if_ee('EE::Users::RejectService')