

Allow only internal registration (go-gitea#15795)
* Add ALLOW_ONLY_INTERNAL_REGISTRATION into settings

* OpenID respects the setting too
6543 authored and ashimokawa committed Jul 25, 2021
1 parent aa1c715 commit bd0b528
Showing 9 changed files with 31 additions and 8 deletions.
2 changes: 2 additions & 0 deletions custom/conf/app.example.ini
Expand Up @@ -633,6 +633,8 @@ EMAIL_DOMAIN_WHITELIST =
EMAIL_DOMAIN_BLOCKLIST =
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = false
; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_INTERNAL_REGISTRATION = false
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
; User must sign in to view anything.
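Review bot: The comment on `ALLOW_ONLY_INTERNAL_REGISTRATION` does not tell the operator what happens when it is set together with `ALLOW_ONLY_EXTERNAL_REGISTRATION`; the loader in modules/setting/service.go in this same commit resolves that combination by disabling registration entirely, with only a log warning as the signal. Someone editing this file is unlikely to be reading the Go source, so the interaction belongs here: `; Setting both ALLOW_ONLY_INTERNAL_REGISTRATION and ALLOW_ONLY_EXTERNAL_REGISTRATION to true disables registration entirely (same effect as DISABLE_REGISTRATION = true).`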
1 change: 1 addition & 0 deletions docs/content/doc/advanced/config-cheat-sheet.en-us.md
Expand Up @@ -483,6 +483,7 @@ relation to port exhaustion.
- `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
- `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
- `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via gitea.
- `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
- `NO_REPLY_ADDRESS`: **DOMAIN** Default value for the domain part of the user's email address in the git log if he has set KeepEmailPrivate to true.
The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
6 changes: 6 additions & 0 deletions modules/setting/service.go
Expand Up @@ -23,6 +23,7 @@ var Service struct {
EmailDomainWhitelist []string
EmailDomainBlocklist []string
DisableRegistration bool
AllowOnlyInternalRegistration bool
AllowOnlyExternalRegistration bool
ShowRegistrationButton bool
ShowMilestonesDashboardPage bool
Expand Down Expand Up @@ -73,7 +74,12 @@ func newService() {
Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
Service.AllowOnlyInternalRegistration = sec.Key("ALLOW_ONLY_INTERNAL_REGISTRATION").MustBool()
Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
if Service.AllowOnlyExternalRegistration && Service.AllowOnlyInternalRegistration {
log.Warn("ALLOW_ONLY_INTERNAL_REGISTRATION and ALLOW_ONLY_EXTERNAL_REGISTRATION are true - disabling registration")
Service.DisableRegistration = true
}
if !sec.Key("REGISTER_EMAIL_CONFIRM").MustBool() {
Service.RegisterManualConfirm = sec.Key("REGISTER_MANUAL_CONFIRM").MustBool(false)
} else {
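Review bot: When both flags are true, the new branch at the end of the second hunk flips `DisableRegistration` but leaves `AllowOnlyInternalRegistration` and `AllowOnlyExternalRegistration` set, so the admin configuration page touched by this commit will show all three options enabled at once and any code consulting the Allow* flags directly still sees the contradictory values. Because the example config documents both Allow* options as meaningful only while `DISABLE_REGISTRATION` is false, the branch should also clear them: `Service.DisableRegistration = true`, `Service.AllowOnlyInternalRegistration = false`, `Service.AllowOnlyExternalRegistration = false`. A misconfiguration that silently turns off self-registration is arguably worth `log.Error` rather than `log.Warn`, though failing closed is the right default here. `newService` continues outside the hunk.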
1 change: 1 addition & 0 deletions options/locale/locale_en-US.ini
Expand Up @@ -2386,6 +2386,7 @@ config.db_path = Path
config.service_config = Service Configuration
config.register_email_confirm = Require Email Confirmation to Register
config.disable_register = Disable Self-Registration
config.allow_only_internal_registration = Allow Registration Only Through Gitea itself
config.allow_only_external_registration = Allow Registration Only Through External Services
config.enable_openid_signup = Enable OpenID Self-Registration
config.enable_openid_signin = Enable OpenID Sign-In
5 changes: 3 additions & 2 deletions routers/user/auth.go
Expand Up @@ -754,6 +754,7 @@ func LinkAccount(ctx *context.Context) {
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["ShowRegistrationButton"] = false

// use this to set the right link into the signIn and signUp templates in the link_account template
Expand Down Expand Up @@ -912,8 +913,8 @@ func LinkAccountPostRegister(ctx *context.Context) {
return
}

if setting.Service.DisableRegistration {
ctx.Error(403)
if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
ctx.Error(http.StatusForbidden)
return
}

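Review bot: The 403 added to `LinkAccountPostRegister` in the second hunk is the only server-side enforcement of `AllowOnlyInternalRegistration` in this file and it covers the OAuth2 link-account flow alone; that is the right place, since the template change that hides the signup tab is cosmetic and a direct POST is what this check stops. What I cannot see in this diff is whether other paths that create an account from an external identity — for example login sources configured to auto-register users on first sign-in, if this code base has them — consult the new flag; if they do not, an operator who expects "internal only" still gets externally-provisioned accounts, so that is worth confirming before relying on the setting. Any such path should carry a guard mirroring this one, `if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration { ctx.Error(http.StatusForbidden); return }`. `LinkAccountPostRegister` starts before the hunk and continues after it.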
10 changes: 9 additions & 1 deletion routers/user/auth_openid.go
Expand Up @@ -6,6 +6,7 @@ package user

import (
"fmt"
"net/http"
"net/url"

"code.gitea.io/gitea/models"
Expand Down Expand Up @@ -250,7 +251,7 @@ func signInOpenIDVerify(ctx *context.Context) {
log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
}

if u != nil || !setting.Service.EnableOpenIDSignUp {
if u != nil || !setting.Service.EnableOpenIDSignUp || setting.Service.AllowOnlyInternalRegistration {
ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
} else {
ctx.Redirect(setting.AppSubURL + "/user/openid/register")
Expand All @@ -268,6 +269,7 @@ func ConnectOpenID(ctx *context.Context) {
ctx.Data["PageIsSignIn"] = true
ctx.Data["PageIsOpenIDConnect"] = true
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["OpenID"] = oid
userName, _ := ctx.Session.Get("openid_determined_username").(string)
if userName != "" {
Expand Down Expand Up @@ -329,6 +331,7 @@ func RegisterOpenID(ctx *context.Context) {
ctx.Data["PageIsSignIn"] = true
ctx.Data["PageIsOpenIDRegister"] = true
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
ctx.Data["Captcha"] = context.GetImageCaptcha()
ctx.Data["CaptchaType"] = setting.Service.CaptchaType
Expand Down Expand Up @@ -368,6 +371,11 @@ func RegisterOpenIDPost(ctx *context.Context) {
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
ctx.Data["OpenID"] = oid

if setting.Service.AllowOnlyInternalRegistration {
ctx.Error(http.StatusForbidden)
return
}

if setting.Service.EnableCaptcha {
var valid bool
var err error
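Review bot: `RegisterOpenID`, the GET handler in the fourth hunk, still renders the registration form when `AllowOnlyInternalRegistration` is set — only the navbar link is hidden and only `RegisterOpenIDPost` returns 403 — so the page stays reachable by URL and a user can fill in a form whose submission is guaranteed to fail. For consistency with `signInOpenIDVerify`, which now sends such users to `/user/openid/connect`, the GET handler should do the same right after it stores the flag in `ctx.Data`: `if setting.Service.AllowOnlyInternalRegistration { ctx.Redirect(setting.AppSubURL + "/user/openid/connect"); return }`. The 403 in `RegisterOpenIDPost` is correctly placed ahead of the captcha block, so a denied request is rejected before any captcha work is done. Both handlers continue outside their hunks.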
2 changes: 2 additions & 0 deletions templates/admin/config.tmpl
Expand Up @@ -149,6 +149,8 @@
<dd>{{if .Service.RegisterEmailConfirm}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.disable_register"}}</dt>
<dd>{{if .Service.DisableRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.allow_only_internal_registration"}}</dt>
<dd>{{if .Service.AllowOnlyInternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.allow_only_external_registration"}}</dt>
<dd>{{if .Service.AllowOnlyExternalRegistration}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
<dt>{{.i18n.Tr "admin.config.show_registration_button"}}</dt>
10 changes: 6 additions & 4 deletions templates/user/auth/link_account.tmpl
Expand Up @@ -3,10 +3,12 @@
<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar">
<div class="new-menu-inner">
<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
<a class="item {{if not .user_exists}}active{{end}}"
data-tab="auth-link-signup-tab">
{{.i18n.Tr "auth.oauth_signup_tab"}}
</a>
{{if not .AllowOnlyInternalRegistration}}
<a class="item {{if not .user_exists}}active{{end}}"
data-tab="auth-link-signup-tab">
{{.i18n.Tr "auth.oauth_signup_tab"}}
</a>
{{end}}
<a class="item {{if .user_exists}}active{{end}}"
data-tab="auth-link-signin-tab">
{{.i18n.Tr "auth.oauth_signin_tab"}}
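Review bot: With the signup tab removed under `AllowOnlyInternalRegistration`, no tab is active when `.user_exists` is false: the signin tab's `active` class, on the line right after the new `{{end}}`, is still conditioned on `.user_exists` alone, so a visitor whose account does not exist yet lands on a menu with neither tab selected and presumably neither panel shown. The signin tab should become active whenever the signup tab is absent: `<a class="item {{if or .user_exists .AllowOnlyInternalRegistration}}active{{end}}"`. Hiding the tab is UI only — the server-side 403 added in routers/user/auth.go is what actually blocks registration — so wrapping the signup panel body further down this template (outside the hunk) in the same `{{if not .AllowOnlyInternalRegistration}}` would keep the two consistent. The enclosing menu `div` closes outside the hunk.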
2 changes: 1 addition & 1 deletion templates/user/auth/signup_openid_navbar.tmpl
Expand Up @@ -3,7 +3,7 @@
<a class="{{if .PageIsOpenIDConnect}}active{{end}} item" href="{{AppSubUrl}}/user/openid/connect">
{{.i18n.Tr "auth.openid_connect_title"}}
</a>
{{if .EnableOpenIDSignUp}}
{{if and .EnableOpenIDSignUp (not .AllowOnlyInternalRegistration)}}
<a class="{{if .PageIsOpenIDRegister}}active{{end}} item" href="{{AppSubUrl}}/user/openid/register">
{{.i18n.Tr "auth.openid_register_title"}}
</a>
