add configuration option to restrict users by default (#16256)

* add configuration option to restrict users by default

* default IsRestricted permission only set on sign up

setting this in the model messes with other workflows (e.g. syncing LDAP users) where the IsRestricted permission needs to be explicitly set and not overridden by a config value

* fix formatting

* Apply suggestions from code review

* ensure newly created user is set to restricted

* ensure imports are in the correct order

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
Richard Nienaber 2021-07-15 20:19:48 +01:00 committed by GitHub
parent 251d7f524a
commit 908136c557
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 34 additions and 4 deletions

View File

@ -652,6 +652,9 @@ PATH =
;; Default value for AllowCreateOrganization
;; Every new user will have rights set to create organizations depending on this setting
;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
;; Default value for IsRestricted
;; Every new user will have restricted permissions depending on this setting
;DEFAULT_USER_IS_RESTRICTED = false
;;
;; Either "public", "limited" or "private", default is "public"
;; Limited is for users visible only to signed users

View File

@ -502,6 +502,7 @@ relation to port exhaustion.
- `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
- `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
- `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
- `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
- `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default.
- `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access.
- `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles.

View File

@ -10,6 +10,7 @@ import (
"strings"
"testing"
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/setting"
"github.com/stretchr/testify/assert"
"github.com/unknwon/i18n"
@ -33,6 +34,28 @@ func TestSignup(t *testing.T) {
MakeRequest(t, req, http.StatusOK)
}
func TestSignupAsRestricted(t *testing.T) {
defer prepareTestEnv(t)()
setting.Service.EnableCaptcha = false
setting.Service.DefaultUserIsRestricted = true
req := NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
"user_name": "restrictedUser",
"email": "restrictedUser@example.com",
"password": "examplePassword!1",
"retype": "examplePassword!1",
})
MakeRequest(t, req, http.StatusFound)
// should be able to view new user's page
req = NewRequest(t, "GET", "/restrictedUser")
MakeRequest(t, req, http.StatusOK)
user2 := models.AssertExistsAndLoadBean(t, &models.User{Name: "restrictedUser"}).(*models.User)
assert.True(t, user2.IsRestricted)
}
func TestSignupEmail(t *testing.T) {
defer prepareTestEnv(t)()

View File

@ -49,6 +49,7 @@ var Service = struct {
HcaptchaSitekey string
DefaultKeepEmailPrivate bool
DefaultAllowCreateOrganization bool
DefaultUserIsRestricted bool
EnableTimetracking bool
DefaultEnableTimetracking bool
DefaultEnableDependencies bool
@ -134,6 +135,7 @@ func newService() {
Service.HcaptchaSitekey = sec.Key("HCAPTCHA_SITEKEY").MustString("")
Service.DefaultKeepEmailPrivate = sec.Key("DEFAULT_KEEP_EMAIL_PRIVATE").MustBool()
Service.DefaultAllowCreateOrganization = sec.Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").MustBool(true)
Service.DefaultUserIsRestricted = sec.Key("DEFAULT_USER_IS_RESTRICTED").MustBool(false)
Service.EnableTimetracking = sec.Key("ENABLE_TIMETRACKING").MustBool(true)
if Service.EnableTimetracking {
Service.DefaultEnableTimetracking = sec.Key("DEFAULT_ENABLE_TIMETRACKING").MustBool(true)

View File

@ -1204,10 +1204,11 @@ func SignUpPost(ctx *context.Context) {
}
u := &models.User{
Name: form.UserName,
Email: form.Email,
Passwd: form.Password,
IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
Name: form.UserName,
Email: form.Email,
Passwd: form.Password,
IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
IsRestricted: setting.Service.DefaultUserIsRestricted,
}
if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {