Allow only internal registration (#15795)
* Add ALLOW_ONLY_INTERNAL_REGISTRATION into settings * OpenID respect setting too
This commit is contained in:
parent
e818e9150f
commit
a229e34387
9 changed files with 30 additions and 8 deletions
|
@ -659,6 +659,8 @@ EMAIL_DOMAIN_WHITELIST =
|
||||||
EMAIL_DOMAIN_BLOCKLIST =
|
EMAIL_DOMAIN_BLOCKLIST =
|
||||||
; Disallow registration, only allow admins to create accounts.
|
; Disallow registration, only allow admins to create accounts.
|
||||||
DISABLE_REGISTRATION = false
|
DISABLE_REGISTRATION = false
|
||||||
|
; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
|
||||||
|
ALLOW_ONLY_INTERNAL_REGISTRATION = false
|
||||||
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
|
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
|
||||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
|
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
|
||||||
; User must sign in to view anything.
|
; User must sign in to view anything.
|
||||||
|
|
|
@ -497,6 +497,7 @@ relation to port exhaustion.
|
||||||
- `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
|
- `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
|
||||||
- `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
|
- `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
|
||||||
- `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
|
- `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
|
||||||
|
- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via gitea.
|
||||||
- `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
|
- `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
|
||||||
- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
|
- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
|
||||||
The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
|
The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
|
||||||
|
|
|
@ -23,6 +23,7 @@ var Service struct {
|
||||||
EmailDomainWhitelist []string
|
EmailDomainWhitelist []string
|
||||||
EmailDomainBlocklist []string
|
EmailDomainBlocklist []string
|
||||||
DisableRegistration bool
|
DisableRegistration bool
|
||||||
|
AllowOnlyInternalRegistration bool
|
||||||
AllowOnlyExternalRegistration bool
|
AllowOnlyExternalRegistration bool
|
||||||
ShowRegistrationButton bool
|
ShowRegistrationButton bool
|
||||||
ShowMilestonesDashboardPage bool
|
ShowMilestonesDashboardPage bool
|
||||||
|
@ -73,7 +74,12 @@ func newService() {
|
||||||
Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
|
Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
|
||||||
Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
|
Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
|
||||||
Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
|
Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
|
||||||
|
Service.AllowOnlyInternalRegistration = sec.Key("ALLOW_ONLY_INTERNAL_REGISTRATION").MustBool()
|
||||||
Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
|
Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
|
||||||
|
if Service.AllowOnlyExternalRegistration && Service.AllowOnlyInternalRegistration {
|
||||||
|
log.Warn("ALLOW_ONLY_INTERNAL_REGISTRATION and ALLOW_ONLY_EXTERNAL_REGISTRATION are true - disabling registration")
|
||||||
|
Service.DisableRegistration = true
|
||||||
|
}
|
||||||
if !sec.Key("REGISTER_EMAIL_CONFIRM").MustBool() {
|
if !sec.Key("REGISTER_EMAIL_CONFIRM").MustBool() {
|
||||||
Service.RegisterManualConfirm = sec.Key("REGISTER_MANUAL_CONFIRM").MustBool(false)
|
Service.RegisterManualConfirm = sec.Key("REGISTER_MANUAL_CONFIRM").MustBool(false)
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -2412,6 +2412,7 @@ config.db_path = Path
|
||||||
config.service_config = Service Configuration
|
config.service_config = Service Configuration
|
||||||
config.register_email_confirm = Require Email Confirmation to Register
|
config.register_email_confirm = Require Email Confirmation to Register
|
||||||
config.disable_register = Disable Self-Registration
|
config.disable_register = Disable Self-Registration
|
||||||
|
config.allow_only_internal_registration = Allow Registration Only Through Gitea itself
|
||||||
config.allow_only_external_registration = Allow Registration Only Through External Services
|
config.allow_only_external_registration = Allow Registration Only Through External Services
|
||||||
config.enable_openid_signup = Enable OpenID Self-Registration
|
config.enable_openid_signup = Enable OpenID Self-Registration
|
||||||
config.enable_openid_signin = Enable OpenID Sign-In
|
config.enable_openid_signin = Enable OpenID Sign-In
|
||||||
|
|
|
@ -617,7 +617,7 @@ func SignInOAuthCallback(ctx *context.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if u == nil {
|
if u == nil {
|
||||||
if setting.OAuth2Client.EnableAutoRegistration {
|
if !(setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration) && setting.OAuth2Client.EnableAutoRegistration {
|
||||||
// create new user with details from oauth2 provider
|
// create new user with details from oauth2 provider
|
||||||
var missingFields []string
|
var missingFields []string
|
||||||
if gothUser.UserID == "" {
|
if gothUser.UserID == "" {
|
||||||
|
@ -828,6 +828,7 @@ func LinkAccount(ctx *context.Context) {
|
||||||
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
|
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
|
||||||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
|
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
|
||||||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
|
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
|
||||||
|
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
|
||||||
ctx.Data["ShowRegistrationButton"] = false
|
ctx.Data["ShowRegistrationButton"] = false
|
||||||
|
|
||||||
// use this to set the right link into the signIn and signUp templates in the link_account template
|
// use this to set the right link into the signIn and signUp templates in the link_account template
|
||||||
|
@ -993,7 +994,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if setting.Service.DisableRegistration {
|
if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
|
||||||
ctx.Error(http.StatusForbidden)
|
ctx.Error(http.StatusForbidden)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -249,7 +249,7 @@ func signInOpenIDVerify(ctx *context.Context) {
|
||||||
log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
|
log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if u != nil || !setting.Service.EnableOpenIDSignUp {
|
if u != nil || !setting.Service.EnableOpenIDSignUp || setting.Service.AllowOnlyInternalRegistration {
|
||||||
ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
|
ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
|
||||||
} else {
|
} else {
|
||||||
ctx.Redirect(setting.AppSubURL + "/user/openid/register")
|
ctx.Redirect(setting.AppSubURL + "/user/openid/register")
|
||||||
|
@ -267,6 +267,7 @@ func ConnectOpenID(ctx *context.Context) {
|
||||||
ctx.Data["PageIsSignIn"] = true
|
ctx.Data["PageIsSignIn"] = true
|
||||||
ctx.Data["PageIsOpenIDConnect"] = true
|
ctx.Data["PageIsOpenIDConnect"] = true
|
||||||
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
|
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
|
||||||
|
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
|
||||||
ctx.Data["OpenID"] = oid
|
ctx.Data["OpenID"] = oid
|
||||||
userName, _ := ctx.Session.Get("openid_determined_username").(string)
|
userName, _ := ctx.Session.Get("openid_determined_username").(string)
|
||||||
if userName != "" {
|
if userName != "" {
|
||||||
|
@ -328,6 +329,7 @@ func RegisterOpenID(ctx *context.Context) {
|
||||||
ctx.Data["PageIsSignIn"] = true
|
ctx.Data["PageIsSignIn"] = true
|
||||||
ctx.Data["PageIsOpenIDRegister"] = true
|
ctx.Data["PageIsOpenIDRegister"] = true
|
||||||
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
|
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
|
||||||
|
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
|
||||||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
|
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
|
||||||
ctx.Data["Captcha"] = context.GetImageCaptcha()
|
ctx.Data["Captcha"] = context.GetImageCaptcha()
|
||||||
ctx.Data["CaptchaType"] = setting.Service.CaptchaType
|
ctx.Data["CaptchaType"] = setting.Service.CaptchaType
|
||||||
|
@ -367,6 +369,11 @@ func RegisterOpenIDPost(ctx *context.Context) {
|
||||||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
|
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
|
||||||
ctx.Data["OpenID"] = oid
|
ctx.Data["OpenID"] = oid
|
||||||
|
|
||||||
|
if setting.Service.AllowOnlyInternalRegistration {
|
||||||
|
ctx.Error(http.StatusForbidden)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if setting.Service.EnableCaptcha {
|
if setting.Service.EnableCaptcha {
|
||||||
var valid bool
|
var valid bool
|
||||||
var err error
|
var err error
|
||||||
|
|
|
@ -149,6 +149,8 @@
|
||||||
<dd>{{if .Service.RegisterEmailConfirm}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
<dd>{{if .Service.RegisterEmailConfirm}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||||
<dt>{{.i18n.Tr "admin.config.disable_register"}}</dt>
|
<dt>{{.i18n.Tr "admin.config.disable_register"}}</dt>
|
||||||
<dd>{{if .Service.DisableRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
<dd>{{if .Service.DisableRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||||
|
<dt>{{.i18n.Tr "admin.config.allow_only_internal_registration"}}</dt>
|
||||||
|
<dd>{{if .Service.AllowOnlyInternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||||
<dt>{{.i18n.Tr "admin.config.allow_only_external_registration"}}</dt>
|
<dt>{{.i18n.Tr "admin.config.allow_only_external_registration"}}</dt>
|
||||||
<dd>{{if .Service.AllowOnlyExternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
<dd>{{if .Service.AllowOnlyExternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
|
||||||
<dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt>
|
<dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt>
|
||||||
|
|
|
@ -3,10 +3,12 @@
|
||||||
<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar">
|
<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar">
|
||||||
<div class="new-menu-inner">
|
<div class="new-menu-inner">
|
||||||
<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
|
<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
|
||||||
|
{{if not .AllowOnlyInternalRegistration}}
|
||||||
<a class="item {{if not .user_exists}}active{{end}}"
|
<a class="item {{if not .user_exists}}active{{end}}"
|
||||||
data-tab="auth-link-signup-tab">
|
data-tab="auth-link-signup-tab">
|
||||||
{{.i18n.Tr "auth.oauth_signup_tab"}}
|
{{.i18n.Tr "auth.oauth_signup_tab"}}
|
||||||
</a>
|
</a>
|
||||||
|
{{end}}
|
||||||
<a class="item {{if .user_exists}}active{{end}}"
|
<a class="item {{if .user_exists}}active{{end}}"
|
||||||
data-tab="auth-link-signin-tab">
|
data-tab="auth-link-signin-tab">
|
||||||
{{.i18n.Tr "auth.oauth_signin_tab"}}
|
{{.i18n.Tr "auth.oauth_signin_tab"}}
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
<a class="{{if .PageIsOpenIDConnect}}active{{end}} item" href="{{AppSubUrl}}/user/openid/connect">
|
<a class="{{if .PageIsOpenIDConnect}}active{{end}} item" href="{{AppSubUrl}}/user/openid/connect">
|
||||||
{{.i18n.Tr "auth.openid_connect_title"}}
|
{{.i18n.Tr "auth.openid_connect_title"}}
|
||||||
</a>
|
</a>
|
||||||
{{if .EnableOpenIDSignUp}}
|
{{if and .EnableOpenIDSignUp (not .AllowOnlyInternalRegistration)}}
|
||||||
<a class="{{if .PageIsOpenIDRegister}}active{{end}} item" href="{{AppSubUrl}}/user/openid/register">
|
<a class="{{if .PageIsOpenIDRegister}}active{{end}} item" href="{{AppSubUrl}}/user/openid/register">
|
||||||
{{.i18n.Tr "auth.openid_register_title"}}
|
{{.i18n.Tr "auth.openid_register_title"}}
|
||||||
</a>
|
</a>
|
||||||
|
|
Reference in a new issue