From 908136c5575f1facf030b1a4084744f6cd31a9f9 Mon Sep 17 00:00:00 2001
From: Richard Nienaber
Date: Thu, 15 Jul 2021 20:19:48 +0100
Subject: [PATCH] add configuration option to restrict users by default (#16256)
* add configuration option to restrict users by default
* default IsRestricted permission only set on sign up setting this in the model messes with other workflows (e.g. syncing LDAP users) where the IsRestricted permission needs to be explicitly set and not overridden by a config value
* fix formatting
* Apply suggestions from code review
* ensure newly created user is set to restricted
* ensure imports are in the correct order
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick
---
 custom/conf/app.example.ini | 3 +++
 .../doc/advanced/config-cheat-sheet.en-us.md | 1 +
 integrations/signup_test.go | 23 +++++++++++++++++++
 modules/setting/service.go | 2 ++
 routers/web/user/auth.go | 9 ++++----
 5 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 1917f1f123..576414d193 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -652,6 +652,9 @@ PATH =
 ;; Default value for AllowCreateOrganization
 ;; Every new user will have rights set to create organizations depending on this setting
 ;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+;; Default value for IsRestricted
+;; Every new user will have restricted permissions depending on this setting
+;DEFAULT_USER_IS_RESTRICTED = false
 ;;
 ;; Either "public", "limited" or "private", default is "public"
 ;; Limited is for users visible only to signed users
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 1ec5164662..274c97543a 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
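Review bot: The new comment `;; Every new user will have restricted permissions depending on this setting` over-states the scope of the option: the commit description says the default is applied only on sign up and is deliberately not applied by other workflows such as LDAP user sync, so an administrator reading only this comment would assume externally provisioned accounts are restricted as well. Suggest `;; Every user created through self-registration (sign up) will be restricted depending on this setting` followed by `;; Users created by other means (e.g. authentication source sync) are not affected`. The same wording issue applies to the cheat-sheet line `Give new users restricted permissions by default` in docs/content/doc/advanced/config-cheat-sheet.en-us.md, which also lacks the trailing period its neighbouring entries have.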
@@ -502,6 +502,7 @@ relation to port exhaustion.
 - `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
 - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
 - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
+- `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
 - `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default.
 - `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access.
 - `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles.
diff --git a/integrations/signup_test.go b/integrations/signup_test.go
index 5208a42ce5..66ff8ac2d7 100644
--- a/integrations/signup_test.go
+++ b/integrations/signup_test.go
@@ -10,6 +10,7 @@ import (
 "strings"
 "testing"
 
+ "code.gitea.io/gitea/models"
 "code.gitea.io/gitea/modules/setting"
 "github.com/stretchr/testify/assert"
 "github.com/unknwon/i18n"
@@ -33,6 +34,28 @@ func TestSignup(t *testing.T) {
 MakeRequest(t, req, http.StatusOK)
 }
 
+func TestSignupAsRestricted(t *testing.T) {
+ defer prepareTestEnv(t)()
+
+ setting.Service.EnableCaptcha = false
+ setting.Service.DefaultUserIsRestricted = true
+
+ req := NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
+ "user_name": "restrictedUser",
+ "email": "restrictedUser@example.com",
+ "password": "examplePassword!1",
+ "retype": "examplePassword!1",
+ })
+ MakeRequest(t, req, http.StatusFound)
+
+ // should be able to view new user's page
+ req = NewRequest(t, "GET", "/restrictedUser")
+ MakeRequest(t, req, http.StatusOK)
+
+ user2 := models.AssertExistsAndLoadBean(t, &models.User{Name: "restrictedUser"}).(*models.User)
+ assert.True(t, user2.IsRestricted)
+}
+
 func TestSignupEmail(t *testing.T) {
 defer prepareTestEnv(t)()
 
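Review bot: `setting.Service.DefaultUserIsRestricted = true` in TestSignupAsRestricted is never restored, and the deferred prepareTestEnv(t)() is the only cleanup visible here; unless it also reloads settings (not shown in this hunk), every later sign-up in this package will silently create restricted users, which can mask a regression in the unrestricted path or fail unrelated assertions depending on test order. Restore the global before the test returns, for example `defer func() { setting.Service.DefaultUserIsRestricted = false }()` placed directly after the assignment; the same consideration applies to EnableCaptcha if other tests depend on its configured value. The trailing context of the hunk is the start of TestSignupEmail, whose body continues outside it.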
diff --git a/modules/setting/service.go b/modules/setting/service.go
index dbabfb8400..a391926382 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -49,6 +49,7 @@ var Service = struct {
 HcaptchaSitekey string
 DefaultKeepEmailPrivate bool
 DefaultAllowCreateOrganization bool
+ DefaultUserIsRestricted bool
 EnableTimetracking bool
 DefaultEnableTimetracking bool
 DefaultEnableDependencies bool
@@ -134,6 +135,7 @@ func newService() {
 Service.HcaptchaSitekey = sec.Key("HCAPTCHA_SITEKEY").MustString("")
 Service.DefaultKeepEmailPrivate = sec.Key("DEFAULT_KEEP_EMAIL_PRIVATE").MustBool()
 Service.DefaultAllowCreateOrganization = sec.Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").MustBool(true)
+ Service.DefaultUserIsRestricted = sec.Key("DEFAULT_USER_IS_RESTRICTED").MustBool(false)
 Service.EnableTimetracking = sec.Key("ENABLE_TIMETRACKING").MustBool(true)
 if Service.EnableTimetracking {
 Service.DefaultEnableTimetracking = sec.Key("DEFAULT_ENABLE_TIMETRACKING").MustBool(true)
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
index 4095d2956e..7a205853bd 100644
--- a/routers/web/user/auth.go
+++ b/routers/web/user/auth.go
@@ -1204,10 +1204,11 @@ func SignUpPost(ctx *context.Context) {
 }
 
 u := &models.User{
- Name: form.UserName,
- Email: form.Email,
- Passwd: form.Password,
- IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+ Name: form.UserName,
+ Email: form.Email,
+ Passwd: form.Password,
+ IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+ IsRestricted: setting.Service.DefaultUserIsRestricted,
 }
 
 if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {
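Review bot: `IsRestricted: setting.Service.DefaultUserIsRestricted` is applied only in SignUpPost, so the new default covers the form-based sign-up path and nothing else; if this file has other self-service account creation paths (for instance OAuth2 auto-registration, if present in this version) that also build a models.User and hand it to createAndHandleCreatedUser, they need the same field, otherwise an operator who enables DEFAULT_USER_IS_RESTRICTED still gets unrestricted accounts through those paths. The commit description deliberately keeps this default out of the model so that sync workflows such as LDAP can set IsRestricted explicitly, which is the right trade-off; a short comment on the new line, `// Defaulted here rather than in the model so that sync workflows (e.g. LDAP) can set IsRestricted explicitly`, would keep that reasoning next to the code. SignUpPost starts and ends outside the hunk.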