Allow only internal registration (#15795)

* Add ALLOW_ONLY_INTERNAL_REGISTRATION into settings

* OpenID respect setting too
tokarchuk/v1.17
6543 4 years ago committed by GitHub
parent e818e9150f
commit a229e34387
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      custom/conf/app.example.ini
  2. 1
      docs/content/doc/advanced/config-cheat-sheet.en-us.md
  3. 6
      modules/setting/service.go
  4. 1
      options/locale/locale_en-US.ini
  5. 5
      routers/user/auth.go
  6. 9
      routers/user/auth_openid.go
  7. 2
      templates/admin/config.tmpl
  8. 2
      templates/user/auth/link_account.tmpl
  9. 2
      templates/user/auth/signup_openid_navbar.tmpl

@ -659,6 +659,8 @@ EMAIL_DOMAIN_WHITELIST =
EMAIL_DOMAIN_BLOCKLIST = EMAIL_DOMAIN_BLOCKLIST =
; Disallow registration, only allow admins to create accounts. ; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = false DISABLE_REGISTRATION = false
; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_INTERNAL_REGISTRATION = false
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false ALLOW_ONLY_EXTERNAL_REGISTRATION = false
; User must sign in to view anything. ; User must sign in to view anything.

@ -497,6 +497,7 @@ relation to port exhaustion.
- `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it - `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
- `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private". - `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
- `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation. - `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via gitea.
- `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services. - `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN. - `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS. The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.

@ -23,6 +23,7 @@ var Service struct {
EmailDomainWhitelist []string EmailDomainWhitelist []string
EmailDomainBlocklist []string EmailDomainBlocklist []string
DisableRegistration bool DisableRegistration bool
AllowOnlyInternalRegistration bool
AllowOnlyExternalRegistration bool AllowOnlyExternalRegistration bool
ShowRegistrationButton bool ShowRegistrationButton bool
ShowMilestonesDashboardPage bool ShowMilestonesDashboardPage bool
@ -73,7 +74,12 @@ func newService() {
Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180) Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180) Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool() Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
Service.AllowOnlyInternalRegistration = sec.Key("ALLOW_ONLY_INTERNAL_REGISTRATION").MustBool()
Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool() Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
if Service.AllowOnlyExternalRegistration && Service.AllowOnlyInternalRegistration {
log.Warn("ALLOW_ONLY_INTERNAL_REGISTRATION and ALLOW_ONLY_EXTERNAL_REGISTRATION are true - disabling registration")
Service.DisableRegistration = true
}
if !sec.Key("REGISTER_EMAIL_CONFIRM").MustBool() { if !sec.Key("REGISTER_EMAIL_CONFIRM").MustBool() {
Service.RegisterManualConfirm = sec.Key("REGISTER_MANUAL_CONFIRM").MustBool(false) Service.RegisterManualConfirm = sec.Key("REGISTER_MANUAL_CONFIRM").MustBool(false)
} else { } else {

@ -2412,6 +2412,7 @@ config.db_path = Path
config.service_config = Service Configuration config.service_config = Service Configuration
config.register_email_confirm = Require Email Confirmation to Register config.register_email_confirm = Require Email Confirmation to Register
config.disable_register = Disable Self-Registration config.disable_register = Disable Self-Registration
config.allow_only_internal_registration = Allow Registration Only Through Gitea itself
config.allow_only_external_registration = Allow Registration Only Through External Services config.allow_only_external_registration = Allow Registration Only Through External Services
config.enable_openid_signup = Enable OpenID Self-Registration config.enable_openid_signup = Enable OpenID Self-Registration
config.enable_openid_signin = Enable OpenID Sign-In config.enable_openid_signin = Enable OpenID Sign-In

@ -617,7 +617,7 @@ func SignInOAuthCallback(ctx *context.Context) {
} }
if u == nil { if u == nil {
if setting.OAuth2Client.EnableAutoRegistration { if !(setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration) && setting.OAuth2Client.EnableAutoRegistration {
// create new user with details from oauth2 provider // create new user with details from oauth2 provider
var missingFields []string var missingFields []string
if gothUser.UserID == "" { if gothUser.UserID == "" {
@ -828,6 +828,7 @@ func LinkAccount(ctx *context.Context) {
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["ShowRegistrationButton"] = false ctx.Data["ShowRegistrationButton"] = false
// use this to set the right link into the signIn and signUp templates in the link_account template // use this to set the right link into the signIn and signUp templates in the link_account template
@ -993,7 +994,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
return return
} }
if setting.Service.DisableRegistration { if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
ctx.Error(http.StatusForbidden) ctx.Error(http.StatusForbidden)
return return
} }

@ -249,7 +249,7 @@ func signInOpenIDVerify(ctx *context.Context) {
log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err) log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
} }
if u != nil || !setting.Service.EnableOpenIDSignUp { if u != nil || !setting.Service.EnableOpenIDSignUp || setting.Service.AllowOnlyInternalRegistration {
ctx.Redirect(setting.AppSubURL + "/user/openid/connect") ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
} else { } else {
ctx.Redirect(setting.AppSubURL + "/user/openid/register") ctx.Redirect(setting.AppSubURL + "/user/openid/register")
@ -267,6 +267,7 @@ func ConnectOpenID(ctx *context.Context) {
ctx.Data["PageIsSignIn"] = true ctx.Data["PageIsSignIn"] = true
ctx.Data["PageIsOpenIDConnect"] = true ctx.Data["PageIsOpenIDConnect"] = true
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["OpenID"] = oid ctx.Data["OpenID"] = oid
userName, _ := ctx.Session.Get("openid_determined_username").(string) userName, _ := ctx.Session.Get("openid_determined_username").(string)
if userName != "" { if userName != "" {
@ -328,6 +329,7 @@ func RegisterOpenID(ctx *context.Context) {
ctx.Data["PageIsSignIn"] = true ctx.Data["PageIsSignIn"] = true
ctx.Data["PageIsOpenIDRegister"] = true ctx.Data["PageIsOpenIDRegister"] = true
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
ctx.Data["Captcha"] = context.GetImageCaptcha() ctx.Data["Captcha"] = context.GetImageCaptcha()
ctx.Data["CaptchaType"] = setting.Service.CaptchaType ctx.Data["CaptchaType"] = setting.Service.CaptchaType
@ -367,6 +369,11 @@ func RegisterOpenIDPost(ctx *context.Context) {
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
ctx.Data["OpenID"] = oid ctx.Data["OpenID"] = oid
if setting.Service.AllowOnlyInternalRegistration {
ctx.Error(http.StatusForbidden)
return
}
if setting.Service.EnableCaptcha { if setting.Service.EnableCaptcha {
var valid bool var valid bool
var err error var err error

@ -149,6 +149,8 @@
<dd>{{if .Service.RegisterEmailConfirm}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd> <dd>{{if .Service.RegisterEmailConfirm}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.disable_register"}}</dt> <dt>{{.i18n.Tr "admin.config.disable_register"}}</dt>
<dd>{{if .Service.DisableRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd> <dd>{{if .Service.DisableRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.allow_only_internal_registration"}}</dt>
<dd>{{if .Service.AllowOnlyInternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.allow_only_external_registration"}}</dt> <dt>{{.i18n.Tr "admin.config.allow_only_external_registration"}}</dt>
<dd>{{if .Service.AllowOnlyExternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd> <dd>{{if .Service.AllowOnlyExternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt> <dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt>

@ -3,10 +3,12 @@
<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar"> <div class="ui secondary pointing tabular top attached borderless menu new-menu navbar">
<div class="new-menu-inner"> <div class="new-menu-inner">
<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed --> <!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
{{if not .AllowOnlyInternalRegistration}}
<a class="item {{if not .user_exists}}active{{end}}" <a class="item {{if not .user_exists}}active{{end}}"
data-tab="auth-link-signup-tab"> data-tab="auth-link-signup-tab">
{{.i18n.Tr "auth.oauth_signup_tab"}} {{.i18n.Tr "auth.oauth_signup_tab"}}
</a> </a>
{{end}}
<a class="item {{if .user_exists}}active{{end}}" <a class="item {{if .user_exists}}active{{end}}"
data-tab="auth-link-signin-tab"> data-tab="auth-link-signin-tab">
{{.i18n.Tr "auth.oauth_signin_tab"}} {{.i18n.Tr "auth.oauth_signin_tab"}}

@ -3,7 +3,7 @@
<a class="{{if .PageIsOpenIDConnect}}active{{end}} item" href="{{AppSubUrl}}/user/openid/connect"> <a class="{{if .PageIsOpenIDConnect}}active{{end}} item" href="{{AppSubUrl}}/user/openid/connect">
{{.i18n.Tr "auth.openid_connect_title"}} {{.i18n.Tr "auth.openid_connect_title"}}
</a> </a>
{{if .EnableOpenIDSignUp}} {{if and .EnableOpenIDSignUp (not .AllowOnlyInternalRegistration)}}
<a class="{{if .PageIsOpenIDRegister}}active{{end}} item" href="{{AppSubUrl}}/user/openid/register"> <a class="{{if .PageIsOpenIDRegister}}active{{end}} item" href="{{AppSubUrl}}/user/openid/register">
{{.i18n.Tr "auth.openid_register_title"}} {{.i18n.Tr "auth.openid_register_title"}}
</a> </a>

Loading…
Cancel
Save