	add configuration option to restrict users by default (#16256)
* add configuration option to restrict users by default * default IsRestricted permission only set on sign up setting this in the model messes with other workflows (e.g. syncing LDAP users) where the IsRestricted permission needs to be explicitly set and not overridden by a config value * fix formatting * Apply suggestions from code review * ensure newly created user is set to restricted * ensure imports are in the correct order Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
		| @ -652,6 +652,9 @@ PATH = | |||||||
| ;; Default value for AllowCreateOrganization | ;; Default value for AllowCreateOrganization | ||||||
| ;; Every new user will have rights set to create organizations depending on this setting | ;; Every new user will have rights set to create organizations depending on this setting | ||||||
| ;DEFAULT_ALLOW_CREATE_ORGANIZATION = true | ;DEFAULT_ALLOW_CREATE_ORGANIZATION = true | ||||||
|  | ;; Default value for IsRestricted | ||||||
|  | ;; Every new user will have restricted permissions depending on this setting | ||||||
|  | ;DEFAULT_USER_IS_RESTRICTED = false | ||||||
| ;; | ;; | ||||||
| ;; Either "public", "limited" or "private", default is "public" | ;; Either "public", "limited" or "private", default is "public" | ||||||
| ;; Limited is for users visible only to signed users | ;; Limited is for users visible only to signed users | ||||||
|  | |||||||
| @ -502,6 +502,7 @@ relation to port exhaustion. | |||||||
| - `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha. | - `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha. | ||||||
| - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private. | - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private. | ||||||
| - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default. | - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default. | ||||||
|  | - `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default | ||||||
| - `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default. | - `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default. | ||||||
| - `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access. | - `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access. | ||||||
| - `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles. | - `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles. | ||||||
|  | |||||||
| @ -10,6 +10,7 @@ import ( | |||||||
| 	"strings" | 	"strings" | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
|  | 	"code.gitea.io/gitea/models" | ||||||
| 	"code.gitea.io/gitea/modules/setting" | 	"code.gitea.io/gitea/modules/setting" | ||||||
| 	"github.com/stretchr/testify/assert" | 	"github.com/stretchr/testify/assert" | ||||||
| 	"github.com/unknwon/i18n" | 	"github.com/unknwon/i18n" | ||||||
| @ -33,6 +34,28 @@ func TestSignup(t *testing.T) { | |||||||
| 	MakeRequest(t, req, http.StatusOK) | 	MakeRequest(t, req, http.StatusOK) | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func TestSignupAsRestricted(t *testing.T) { | ||||||
|  | 	defer prepareTestEnv(t)() | ||||||
|  |  | ||||||
|  | 	setting.Service.EnableCaptcha = false | ||||||
|  | 	setting.Service.DefaultUserIsRestricted = true | ||||||
|  |  | ||||||
|  | 	req := NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{ | ||||||
|  | 		"user_name": "restrictedUser", | ||||||
|  | 		"email":     "restrictedUser@example.com", | ||||||
|  | 		"password":  "examplePassword!1", | ||||||
|  | 		"retype":    "examplePassword!1", | ||||||
|  | 	}) | ||||||
|  | 	MakeRequest(t, req, http.StatusFound) | ||||||
|  |  | ||||||
|  | 	// should be able to view new user's page | ||||||
|  | 	req = NewRequest(t, "GET", "/restrictedUser") | ||||||
|  | 	MakeRequest(t, req, http.StatusOK) | ||||||
|  |  | ||||||
|  | 	user2 := models.AssertExistsAndLoadBean(t, &models.User{Name: "restrictedUser"}).(*models.User) | ||||||
|  | 	assert.True(t, user2.IsRestricted) | ||||||
|  | } | ||||||
|  |  | ||||||
| func TestSignupEmail(t *testing.T) { | func TestSignupEmail(t *testing.T) { | ||||||
| 	defer prepareTestEnv(t)() | 	defer prepareTestEnv(t)() | ||||||
|  |  | ||||||
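Review bot: TestSignupAsRestricted assigns the package-level `setting.Service.DefaultUserIsRestricted = true` (and `EnableCaptcha = false`) and never restores the previous values. Unless the cleanup returned by prepareTestEnv resets settings, which is not visible in this hunk, every later test in the same binary that signs a user up, starting with TestSignupEmail just below, will create restricted accounts. Put `defer func(old bool) { setting.Service.DefaultUserIsRestricted = old }(setting.Service.DefaultUserIsRestricted)` before the assignment so the old value is captured and restored. The test also checks only the stored flag; a companion assertion with the setting left at false would pin the default of this access-control switch.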
|  | |||||||
| @ -49,6 +49,7 @@ var Service = struct { | |||||||
| 	HcaptchaSitekey                         string | 	HcaptchaSitekey                         string | ||||||
| 	DefaultKeepEmailPrivate                 bool | 	DefaultKeepEmailPrivate                 bool | ||||||
| 	DefaultAllowCreateOrganization          bool | 	DefaultAllowCreateOrganization          bool | ||||||
|  | 	DefaultUserIsRestricted                 bool | ||||||
| 	EnableTimetracking                      bool | 	EnableTimetracking                      bool | ||||||
| 	DefaultEnableTimetracking               bool | 	DefaultEnableTimetracking               bool | ||||||
| 	DefaultEnableDependencies               bool | 	DefaultEnableDependencies               bool | ||||||
| @ -134,6 +135,7 @@ func newService() { | |||||||
| 	Service.HcaptchaSitekey = sec.Key("HCAPTCHA_SITEKEY").MustString("") | 	Service.HcaptchaSitekey = sec.Key("HCAPTCHA_SITEKEY").MustString("") | ||||||
| 	Service.DefaultKeepEmailPrivate = sec.Key("DEFAULT_KEEP_EMAIL_PRIVATE").MustBool() | 	Service.DefaultKeepEmailPrivate = sec.Key("DEFAULT_KEEP_EMAIL_PRIVATE").MustBool() | ||||||
| 	Service.DefaultAllowCreateOrganization = sec.Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").MustBool(true) | 	Service.DefaultAllowCreateOrganization = sec.Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").MustBool(true) | ||||||
|  | 	Service.DefaultUserIsRestricted = sec.Key("DEFAULT_USER_IS_RESTRICTED").MustBool(false) | ||||||
| 	Service.EnableTimetracking = sec.Key("ENABLE_TIMETRACKING").MustBool(true) | 	Service.EnableTimetracking = sec.Key("ENABLE_TIMETRACKING").MustBool(true) | ||||||
| 	if Service.EnableTimetracking { | 	if Service.EnableTimetracking { | ||||||
| 		Service.DefaultEnableTimetracking = sec.Key("DEFAULT_ENABLE_TIMETRACKING").MustBool(true) | 		Service.DefaultEnableTimetracking = sec.Key("DEFAULT_ENABLE_TIMETRACKING").MustBool(true) | ||||||
|  | |||||||
| @ -1204,10 +1204,11 @@ func SignUpPost(ctx *context.Context) { | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	u := &models.User{ | 	u := &models.User{ | ||||||
| 		Name:     form.UserName, | 		Name:         form.UserName, | ||||||
| 		Email:    form.Email, | 		Email:        form.Email, | ||||||
| 		Passwd:   form.Password, | 		Passwd:       form.Password, | ||||||
| 		IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm), | 		IsActive:     !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm), | ||||||
|  | 		IsRestricted: setting.Service.DefaultUserIsRestricted, | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) { | 	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) { | ||||||
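Review bot: `IsRestricted: setting.Service.DefaultUserIsRestricted` is applied only in this SignUpPost literal, while the sample config added in the same commit says "Every new user will have restricted permissions", which reads as a guarantee for every account-creation path. The commit description says the narrower scope is intentional (LDAP sync sets the flag itself), so an administrator who enables the option as an access-control default may still get unrestricted accounts from paths other than the sign-up form; which other paths exist is not visible here. I would state the scope where the flag is set, `// DEFAULT_USER_IS_RESTRICTED covers self-registration only; other creation paths set IsRestricted explicitly`, and reword the config and docs text to "users who register through the sign-up form". SignUpPost starts and ends outside the hunk.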
|  | |||||||
	 Richard Nienaber
					Richard Nienaber