9 files changed, 55 insertions, 7 deletions

diff --git a/app/assets/javascripts/filtered_search/dropdown_user.js b/app/assets/javascripts/filtered_search/dropdown_user.js
index f1e7be6bde1..a65c0012b4d 100644
--- a/app/assets/javascripts/filtered_search/dropdown_user.js
+++ b/app/assets/javascripts/filtered_search/dropdown_user.js
@@ -18,6 +18,7 @@ export default class DropdownUser extends DropdownAjaxFilter {
         group_id: this.getGroupId(),
         project_id: this.getProjectId(),
         current_user: true,
+        ...this.projectOrGroupId(),
       },
       onLoadingFinished: () => {
         this.hideCurrentUser();
@@ -36,4 +37,17 @@ export default class DropdownUser extends DropdownAjaxFilter {
   getProjectId() {
     return this.input.getAttribute('data-project-id');
   }
+
+  projectOrGroupId() {
+    const projectId = this.getProjectId();
+    const groupId = this.getGroupId();
+    if (groupId) {
+      return {
+        group_id: groupId,
+      };
+    }
+    return {
+      project_id: projectId,
+    };
+  }
 }
diff --git a/app/controllers/concerns/enforces_two_factor_authentication.rb b/app/controllers/concerns/enforces_two_factor_authentication.rb
index 71bdef8ce03..0fddf15d197 100644
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -16,7 +16,7 @@ module EnforcesTwoFactorAuthentication
   end
 
   def check_two_factor_requirement
-    if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled? && !skip_two_factor?
+    if two_factor_authentication_required? && current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled? && !skip_two_factor?
       redirect_to profile_two_factor_auth_path
     end
   end
diff --git a/app/views/admin/users/_form.html.haml b/app/views/admin/users/_form.html.haml
index 296ef073144..0656feb79cb 100644
--- a/app/views/admin/users/_form.html.haml
+++ b/app/views/admin/users/_form.html.haml
@@ -48,6 +48,10 @@
 
     = render partial: 'access_levels', locals: { f: f }
 
+    = render_if_exists 'admin/users/namespace_plan_fieldset', f: f
+
+    = render_if_exists 'admin/users/limits', f: f
+
     %fieldset
       %legend Profile
       .form-group.row
@@ -73,6 +77,8 @@
           = f.label :website_url, 'Website', class: 'col-form-label'
         .col-sm-10= f.text_field :website_url, class: 'form-control'
 
+    = render_if_exists 'admin/users/admin_notes', f: f
+
     .form-actions
       - if @user.new_record?
         = f.submit 'Create user', class: "btn btn-success"
diff --git a/app/views/devise/shared/_signin_box.html.haml b/app/views/devise/shared/_signin_box.html.haml
index ec968e435cd..f8f36a8bfff 100644
--- a/app/views/devise/shared/_signin_box.html.haml
+++ b/app/views/devise/shared/_signin_box.html.haml
@@ -3,17 +3,21 @@
     .login-box.tab-pane{ id: "crowd", role: 'tabpanel', class: active_when(form_based_auth_provider_has_active_class?(:crowd)) }
       .login-body
         = render 'devise/sessions/new_crowd'
+
+  = render_if_exists 'devise/sessions/new_kerberos_tab'
+
   - @ldap_servers.each_with_index do |server, i|
     .login-box.tab-pane{ id: "#{server['provider_name']}", role: 'tabpanel', class: active_when(i.zero? && form_based_auth_provider_has_active_class?(:ldapmain)) }
       .login-body
         = render 'devise/sessions/new_ldap', server: server
+
+  = render_if_exists 'devise/sessions/new_smartcard'
+
   - if password_authentication_enabled_for_web?
     .login-box.tab-pane{ id: 'login-pane', role: 'tabpanel' }
       .login-body
         = render 'devise/sessions/new_base'
 
-  = render_if_exists 'devise/sessions/new_smartcard'
-
 - elsif password_authentication_enabled_for_web?
   .login-box.tab-pane.active{ id: 'login-pane', role: 'tabpanel' }
     .login-body
diff --git a/app/views/shared/_import_form.html.haml b/app/views/shared/_import_form.html.haml
index 7b593ca4f76..3ee713cf499 100644
--- a/app/views/shared/_import_form.html.haml
+++ b/app/views/shared/_import_form.html.haml
@@ -18,3 +18,6 @@
           = import_will_timeout_message(ci_cd_only)
         %li
           = import_svn_message(ci_cd_only)
+        = render_if_exists 'shared/ci_cd_only_link', ci_cd_only: ci_cd_only
+
+= render_if_exists 'shared/ee/import_form', f: f, ci_cd_only: ci_cd_only
diff --git a/app/views/shared/_label_row.html.haml b/app/views/shared/_label_row.html.haml
index a1aab2e6a08..af11ce94ec5 100644
--- a/app/views/shared/_label_row.html.haml
+++ b/app/views/shared/_label_row.html.haml
@@ -22,3 +22,4 @@
         ·
         %li.label-link-item.priority-badge.js-priority-badge.inline.prepend-left-10
           .label-badge.label-badge-blue= _('Prioritized label')
+      = render_if_exists 'shared/label_row_epics_link', label: label
diff --git a/changelogs/unreleased/61441.yml b/changelogs/unreleased/61441.yml
new file mode 100644
index 00000000000..2ad0c6f62d3
--- /dev/null
+++ b/changelogs/unreleased/61441.yml
@@ -0,0 +1,5 @@
+---
+title: Allow user to set primary email first when 2FA is required
+merge_request: 28097
+author: Kartikey Tanna
+type: fixed
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 7296a4b4526..5ecd1b6b7c8 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -206,8 +206,19 @@ describe ApplicationController do
     describe '#check_two_factor_requirement' do
       subject { controller.send :check_two_factor_requirement }
 
+      it 'does not redirect if user has temporary oauth email' do
+        oauth_user = create(:user, email: 'temp-email-for-oauth@email.com')
+        allow(controller).to receive(:two_factor_authentication_required?).and_return(true)
+        allow(controller).to receive(:current_user).and_return(oauth_user)
+
+        expect(controller).not_to receive(:redirect_to)
+
+        subject
+      end
+
       it 'does not redirect if 2FA is not required' do
         allow(controller).to receive(:two_factor_authentication_required?).and_return(false)
+
         expect(controller).not_to receive(:redirect_to)
 
         subject
@@ -216,6 +227,7 @@ describe ApplicationController do
       it 'does not redirect if user is not logged in' do
         allow(controller).to receive(:two_factor_authentication_required?).and_return(true)
         allow(controller).to receive(:current_user).and_return(nil)
+
         expect(controller).not_to receive(:redirect_to)
 
         subject
@@ -223,8 +235,9 @@ describe ApplicationController do
 
       it 'does not redirect if user has 2FA enabled' do
         allow(controller).to receive(:two_factor_authentication_required?).and_return(true)
-        allow(controller).to receive(:current_user).twice.and_return(user)
+        allow(controller).to receive(:current_user).thrice.and_return(user)
         allow(user).to receive(:two_factor_enabled?).and_return(true)
+
         expect(controller).not_to receive(:redirect_to)
 
         subject
@@ -232,9 +245,10 @@ describe ApplicationController do
 
       it 'does not redirect if 2FA setup can be skipped' do
         allow(controller).to receive(:two_factor_authentication_required?).and_return(true)
-        allow(controller).to receive(:current_user).twice.and_return(user)
+        allow(controller).to receive(:current_user).thrice.and_return(user)
         allow(user).to receive(:two_factor_enabled?).and_return(false)
         allow(controller).to receive(:skip_two_factor?).and_return(true)
+
         expect(controller).not_to receive(:redirect_to)
 
         subject
@@ -242,10 +256,11 @@ describe ApplicationController do
 
       it 'redirects to 2FA setup otherwise' do
         allow(controller).to receive(:two_factor_authentication_required?).and_return(true)
-        allow(controller).to receive(:current_user).twice.and_return(user)
+        allow(controller).to receive(:current_user).thrice.and_return(user)
         allow(user).to receive(:two_factor_enabled?).and_return(false)
         allow(controller).to receive(:skip_two_factor?).and_return(false)
         allow(controller).to receive(:profile_two_factor_auth_path)
+
         expect(controller).to receive(:redirect_to)
 
         subject
diff --git a/spec/javascripts/api_spec.js b/spec/javascripts/api_spec.js
index 494b3b934a8..805bb10bda6 100644
--- a/spec/javascripts/api_spec.js
+++ b/spec/javascripts/api_spec.js
@@ -288,7 +288,7 @@ describe('Api', () => {
     it('creates a group label', done => {
       const namespace = 'group/subgroup';
       const labelData = { some: 'data' };
-      const expectedUrl = `${dummyUrlRoot}/groups/${namespace}/-/labels`;
+      const expectedUrl = Api.buildUrl(Api.groupLabelsPath).replace(':namespace_path', namespace);
       const expectedData = {
         label: labelData,
       };