Allow only internal registration (#15795)
* Add ALLOW_ONLY_INTERNAL_REGISTRATION into settings * OpenID respect setting too
This commit is contained in:
parent
e818e9150f
commit
a229e34387
9 changed files with 30 additions and 8 deletions
|
@ -659,6 +659,8 @@ EMAIL_DOMAIN_WHITELIST =
|
|||
EMAIL_DOMAIN_BLOCKLIST =
|
||||
; Disallow registration, only allow admins to create accounts.
|
||||
DISABLE_REGISTRATION = false
|
||||
; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
|
||||
ALLOW_ONLY_INTERNAL_REGISTRATION = false
|
||||
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
|
||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
|
||||
; User must sign in to view anything.
|
||||
|
|
|
@ -497,6 +497,7 @@ relation to port exhaustion.
|
|||
- `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
|
||||
- `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
|
||||
- `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
|
||||
- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via gitea.
|
||||
- `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
|
||||
- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
|
||||
The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
|
||||
|
|
|
@ -23,6 +23,7 @@ var Service struct {
|
|||
EmailDomainWhitelist []string
|
||||
EmailDomainBlocklist []string
|
||||
DisableRegistration bool
|
||||
AllowOnlyInternalRegistration bool
|
||||
AllowOnlyExternalRegistration bool
|
||||
ShowRegistrationButton bool
|
||||
ShowMilestonesDashboardPage bool
|
||||
|
@ -73,7 +74,12 @@ func newService() {
|
|||
Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
|
||||
Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
|
||||
Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
|
||||
Service.AllowOnlyInternalRegistration = sec.Key("ALLOW_ONLY_INTERNAL_REGISTRATION").MustBool()
|
||||
Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
|
||||
if Service.AllowOnlyExternalRegistration && Service.AllowOnlyInternalRegistration {
|
||||
log.Warn("ALLOW_ONLY_INTERNAL_REGISTRATION and ALLOW_ONLY_EXTERNAL_REGISTRATION are true - disabling registration")
|
||||
Service.DisableRegistration = true
|
||||
}
|
||||
if !sec.Key("REGISTER_EMAIL_CONFIRM").MustBool() {
|
||||
Service.RegisterManualConfirm = sec.Key("REGISTER_MANUAL_CONFIRM").MustBool(false)
|
||||
} else {
|
||||
|
|
|
@ -2412,6 +2412,7 @@ config.db_path = Path
|
|||
config.service_config = Service Configuration
|
||||
config.register_email_confirm = Require Email Confirmation to Register
|
||||
config.disable_register = Disable Self-Registration
|
||||
config.allow_only_internal_registration = Allow Registration Only Through Gitea itself
|
||||
config.allow_only_external_registration = Allow Registration Only Through External Services
|
||||
config.enable_openid_signup = Enable OpenID Self-Registration
|
||||
config.enable_openid_signin = Enable OpenID Sign-In
|
||||
|
|
|
@ -617,7 +617,7 @@ func SignInOAuthCallback(ctx *context.Context) {
|
|||
}
|
||||
|
||||
if u == nil {
|
||||
if setting.OAuth2Client.EnableAutoRegistration {
|
||||
if !(setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration) && setting.OAuth2Client.EnableAutoRegistration {
|
||||
// create new user with details from oauth2 provider
|
||||
var missingFields []string
|
||||
if gothUser.UserID == "" {
|
||||
|
@ -828,6 +828,7 @@ func LinkAccount(ctx *context.Context) {
|
|||
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
|
||||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
|
||||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
|
||||
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
|
||||
ctx.Data["ShowRegistrationButton"] = false
|
||||
|
||||
// use this to set the right link into the signIn and signUp templates in the link_account template
|
||||
|
@ -993,7 +994,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
if setting.Service.DisableRegistration {
|
||||
if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
|
||||
ctx.Error(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -249,7 +249,7 @@ func signInOpenIDVerify(ctx *context.Context) {
|
|||
log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
|
||||
}
|
||||
|
||||
if u != nil || !setting.Service.EnableOpenIDSignUp {
|
||||
if u != nil || !setting.Service.EnableOpenIDSignUp || setting.Service.AllowOnlyInternalRegistration {
|
||||
ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
|
||||
} else {
|
||||
ctx.Redirect(setting.AppSubURL + "/user/openid/register")
|
||||
|
@ -267,6 +267,7 @@ func ConnectOpenID(ctx *context.Context) {
|
|||
ctx.Data["PageIsSignIn"] = true
|
||||
ctx.Data["PageIsOpenIDConnect"] = true
|
||||
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
|
||||
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
|
||||
ctx.Data["OpenID"] = oid
|
||||
userName, _ := ctx.Session.Get("openid_determined_username").(string)
|
||||
if userName != "" {
|
||||
|
@ -328,6 +329,7 @@ func RegisterOpenID(ctx *context.Context) {
|
|||
ctx.Data["PageIsSignIn"] = true
|
||||
ctx.Data["PageIsOpenIDRegister"] = true
|
||||
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
|
||||
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
|
||||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
|
||||
ctx.Data["Captcha"] = context.GetImageCaptcha()
|
||||
ctx.Data["CaptchaType"] = setting.Service.CaptchaType
|
||||
|
@ -367,6 +369,11 @@ func RegisterOpenIDPost(ctx *context.Context) {
|
|||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
|
||||
ctx.Data["OpenID"] = oid
|
||||
|
||||
if setting.Service.AllowOnlyInternalRegistration {
|
||||
ctx.Error(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
if setting.Service.EnableCaptcha {
|
||||
var valid bool
|
||||
var err error
|
||||
|
|
|
@ -149,6 +149,8 @@
|
|||
<dd>{{if .Service.RegisterEmailConfirm}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||
<dt>{{.i18n.Tr "admin.config.disable_register"}}</dt>
|
||||
<dd>{{if .Service.DisableRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||
<dt>{{.i18n.Tr "admin.config.allow_only_internal_registration"}}</dt>
|
||||
<dd>{{if .Service.AllowOnlyInternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||
<dt>{{.i18n.Tr "admin.config.allow_only_external_registration"}}</dt>
|
||||
<dd>{{if .Service.AllowOnlyExternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||
<dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt>
|
||||
|
|
|
@ -3,10 +3,12 @@
|
|||
<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar">
|
||||
<div class="new-menu-inner">
|
||||
<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
|
||||
<a class="item {{if not .user_exists}}active{{end}}"
|
||||
data-tab="auth-link-signup-tab">
|
||||
{{.i18n.Tr "auth.oauth_signup_tab"}}
|
||||
</a>
|
||||
{{if not .AllowOnlyInternalRegistration}}
|
||||
<a class="item {{if not .user_exists}}active{{end}}"
|
||||
data-tab="auth-link-signup-tab">
|
||||
{{.i18n.Tr "auth.oauth_signup_tab"}}
|
||||
</a>
|
||||
{{end}}
|
||||
<a class="item {{if .user_exists}}active{{end}}"
|
||||
data-tab="auth-link-signin-tab">
|
||||
{{.i18n.Tr "auth.oauth_signin_tab"}}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
<a class="{{if .PageIsOpenIDConnect}}active{{end}} item" href="{{AppSubUrl}}/user/openid/connect">
|
||||
{{.i18n.Tr "auth.openid_connect_title"}}
|
||||
</a>
|
||||
{{if .EnableOpenIDSignUp}}
|
||||
{{if and .EnableOpenIDSignUp (not .AllowOnlyInternalRegistration)}}
|
||||
<a class="{{if .PageIsOpenIDRegister}}active{{end}} item" href="{{AppSubUrl}}/user/openid/register">
|
||||
{{.i18n.Tr "auth.openid_register_title"}}
|
||||
</a>
|
||||
|
|
Reference in a new issue