Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow only internal registration #15795

Merged
merged 8 commits into from
May 9, 2021
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions custom/conf/app.example.ini
Original file line number Diff line number Diff line change
Expand Up @@ -659,6 +659,8 @@ EMAIL_DOMAIN_WHITELIST =
EMAIL_DOMAIN_BLOCKLIST =
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = false
; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_INTERNAL_REGISTRATION = false
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
; User must sign in to view anything.
Expand Down
1 change: 1 addition & 0 deletions docs/content/doc/advanced/config-cheat-sheet.en-us.md
Original file line number Diff line number Diff line change
Expand Up @@ -497,6 +497,7 @@ relation to port exhaustion.
- `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
- `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
- `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via gitea.
- `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
Expand Down
6 changes: 6 additions & 0 deletions modules/setting/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ var Service struct {
EmailDomainWhitelist []string
EmailDomainBlocklist []string
DisableRegistration bool
AllowOnlyInternalRegistration bool
AllowOnlyExternalRegistration bool
ShowRegistrationButton bool
ShowMilestonesDashboardPage bool
Expand Down Expand Up @@ -73,7 +74,12 @@ func newService() {
Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
Service.AllowOnlyInternalRegistration = sec.Key("ALLOW_ONLY_INTERNAL_REGISTRATION").MustBool()
Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
if Service.AllowOnlyExternalRegistration && Service.AllowOnlyInternalRegistration {
log.Warn("ALLOW_ONLY_INTERNAL_REGISTRATION and ALLOW_ONLY_EXTERNAL_REGISTRATION are true - disabling registration")
Service.DisableRegistration = true
}
if !sec.Key("REGISTER_EMAIL_CONFIRM").MustBool() {
Service.RegisterManualConfirm = sec.Key("REGISTER_MANUAL_CONFIRM").MustBool(false)
} else {
Expand Down
1 change: 1 addition & 0 deletions options/locale/locale_en-US.ini
Original file line number Diff line number Diff line change
Expand Up @@ -2412,6 +2412,7 @@ config.db_path = Path
config.service_config = Service Configuration
config.register_email_confirm = Require Email Confirmation to Register
config.disable_register = Disable Self-Registration
config.allow_only_internal_registration = Allow Registration Only Through Gitea itself
config.allow_only_external_registration = Allow Registration Only Through External Services
config.enable_openid_signup = Enable OpenID Self-Registration
config.enable_openid_signin = Enable OpenID Sign-In
Expand Down
5 changes: 3 additions & 2 deletions routers/user/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -617,7 +617,7 @@ func SignInOAuthCallback(ctx *context.Context) {
}

if u == nil {
if setting.OAuth2Client.EnableAutoRegistration {
if !(setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration) && setting.OAuth2Client.EnableAutoRegistration {
// create new user with details from oauth2 provider
var missingFields []string
if gothUser.UserID == "" {
Expand Down Expand Up @@ -828,6 +828,7 @@ func LinkAccount(ctx *context.Context) {
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["ShowRegistrationButton"] = false

// use this to set the right link into the signIn and signUp templates in the link_account template
Expand Down Expand Up @@ -993,7 +994,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
return
}

if setting.Service.DisableRegistration {
if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
ctx.Error(http.StatusForbidden)
return
}
Expand Down
9 changes: 8 additions & 1 deletion routers/user/auth_openid.go
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,7 @@ func signInOpenIDVerify(ctx *context.Context) {
log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
}

if u != nil || !setting.Service.EnableOpenIDSignUp {
if u != nil || !setting.Service.EnableOpenIDSignUp || setting.Service.AllowOnlyInternalRegistration {
ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
} else {
ctx.Redirect(setting.AppSubURL + "/user/openid/register")
Expand All @@ -267,6 +267,7 @@ func ConnectOpenID(ctx *context.Context) {
ctx.Data["PageIsSignIn"] = true
ctx.Data["PageIsOpenIDConnect"] = true
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["OpenID"] = oid
userName, _ := ctx.Session.Get("openid_determined_username").(string)
if userName != "" {
Expand Down Expand Up @@ -328,6 +329,7 @@ func RegisterOpenID(ctx *context.Context) {
ctx.Data["PageIsSignIn"] = true
ctx.Data["PageIsOpenIDRegister"] = true
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
ctx.Data["Captcha"] = context.GetImageCaptcha()
ctx.Data["CaptchaType"] = setting.Service.CaptchaType
Expand Down Expand Up @@ -367,6 +369,11 @@ func RegisterOpenIDPost(ctx *context.Context) {
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
ctx.Data["OpenID"] = oid

if setting.Service.AllowOnlyInternalRegistration {
ctx.Error(http.StatusForbidden)
return
}

if setting.Service.EnableCaptcha {
var valid bool
var err error
Expand Down
2 changes: 2 additions & 0 deletions templates/admin/config.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,8 @@
<dd>{{if .Service.RegisterEmailConfirm}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.disable_register"}}</dt>
<dd>{{if .Service.DisableRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.allow_only_internal_registration"}}</dt>
<dd>{{if .Service.AllowOnlyInternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.allow_only_external_registration"}}</dt>
<dd>{{if .Service.AllowOnlyExternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt>
Expand Down
10 changes: 6 additions & 4 deletions templates/user/auth/link_account.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,12 @@
<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar">
<div class="new-menu-inner">
<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
<a class="item {{if not .user_exists}}active{{end}}"
data-tab="auth-link-signup-tab">
{{.i18n.Tr "auth.oauth_signup_tab"}}
</a>
{{if not .AllowOnlyInternalRegistration}}
<a class="item {{if not .user_exists}}active{{end}}"
data-tab="auth-link-signup-tab">
{{.i18n.Tr "auth.oauth_signup_tab"}}
</a>
{{end}}
<a class="item {{if .user_exists}}active{{end}}"
data-tab="auth-link-signin-tab">
{{.i18n.Tr "auth.oauth_signin_tab"}}
Expand Down
2 changes: 1 addition & 1 deletion templates/user/auth/signup_openid_navbar.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
<a class="{{if .PageIsOpenIDConnect}}active{{end}} item" href="{{AppSubUrl}}/user/openid/connect">
{{.i18n.Tr "auth.openid_connect_title"}}
</a>
{{if .EnableOpenIDSignUp}}
{{if and .EnableOpenIDSignUp (not .AllowOnlyInternalRegistration)}}
<a class="{{if .PageIsOpenIDRegister}}active{{end}} item" href="{{AppSubUrl}}/user/openid/register">
{{.i18n.Tr "auth.openid_register_title"}}
</a>
Expand Down