Parameter DISABLE_LOCAL_USER_MANAGEMENT added

Added parameter DISABLE_LOCAL_USER_MANAGEMENT (false by default) in
app.ini [service] section; when true disables local modifications
of username, fullname and e-mail fields in user Settings.

Author-Change-Id: IB#1105051

Author: pboguslawski

custom/conf/app.example.ini

@@ -569,6 +569,8 @@ EMAIL_DOMAIN_WHITELIST=
 DISABLE_REGISTRATION = false
 ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+; Disable local user management (i.e. when user data and password comes from LDAP and should not be changed locally in gitea).
+DISABLE_LOCAL_USER_MANAGEMENT = false
 ; User must sign in to view anything.
 REQUIRE_SIGNIN_VIEW = false
 ; Mail notification

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -409,6 +409,7 @@ set name for unique queues. Individual queues will default to
 - `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
 - `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
 - `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
+- `DISABLE_LOCAL_USER_MANAGEMENT`: **false** Set to true to disable local user management in gitea (i.e. when users are managed in LDAP).
 - `NO_REPLY_ADDRESS`: **DOMAIN** Default value for the domain part of the user's email address in the git log if he has set KeepEmailPrivate to true. 
   The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
 

models/user.go

@@ -1148,6 +1148,24 @@ func updateUserCols(e Engine, u *User, cols ...string) error {
 
 // UpdateUserSetting updates user's settings.
 func UpdateUserSetting(u *User) error {
+
+	// Don't allow username, fullname nor email changes if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		if currUser, err := GetUserByID(u.ID); err == nil {
+			if currUser.Name != u.Name {
+				return fmt.Errorf("cannot change %s username; local user management disabled", u.Name)
+			}
+			if currUser.FullName != u.FullName {
+				return fmt.Errorf("cannot change %s full name; local user management disabled", u.Name)
+			}
+			if currUser.Email != u.Email {
+				return fmt.Errorf("cannot change %s e-mail; local user management disabled", u.Name)
+			}
+		} else {
+			return err
+		}
+	}
+
 	if !u.IsOrganization() {
 		if err := checkDupEmail(x, u); err != nil {
 			return err

modules/auth/user_form.go

@@ -51,6 +51,7 @@ type InstallForm struct {
 	EnableOpenIDSignUp             bool
 	DisableRegistration            bool
 	AllowOnlyExternalRegistration  bool
+	DisableLocalUserManagement     bool
 	EnableCaptcha                  bool
 	RequireSignInView              bool
 	DefaultKeepEmailPrivate        bool

modules/setting/service.go

@@ -20,6 +20,7 @@ var Service struct {
 	EmailDomainWhitelist                    []string
 	DisableRegistration                     bool
 	AllowOnlyExternalRegistration           bool
+	DisableLocalUserManagement              bool
 	ShowRegistrationButton                  bool
 	ShowMilestonesDashboardPage             bool
 	RequireSignInView                       bool
@@ -61,6 +62,7 @@ func newService() {
 	Service.ResetPwdCodeLives = sec.Key("RESET_PASSWD_CODE_LIVE_MINUTES").MustInt(180)
 	Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
 	Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
+	Service.DisableLocalUserManagement = sec.Key("DISABLE_LOCAL_USER_MANAGEMENT").MustBool()
 	Service.EmailDomainWhitelist = sec.Key("EMAIL_DOMAIN_WHITELIST").Strings(",")
 	Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!(Service.DisableRegistration || Service.AllowOnlyExternalRegistration))
 	Service.ShowMilestonesDashboardPage = sec.Key("SHOW_MILESTONES_DASHBOARD_PAGE").MustBool(true)

routers/user/setting/profile.go

@@ -34,13 +34,14 @@ const (
 func Profile(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsProfile"] = true
+	ctx.Data["DisableLocalUserManagement"] = setting.Service.DisableLocalUserManagement
 
 	ctx.HTML(200, tplSettingsProfile)
 }
 
 func handleUsernameChange(ctx *context.Context, newName string) {
 	// Non-local users are not allowed to change their username.
-	if len(newName) == 0 || !ctx.User.IsLocal() {
+	if len(newName) == 0 || !ctx.User.IsLocal() || setting.Service.DisableLocalUserManagement {
 		return
 	}
 
@@ -80,6 +81,7 @@ func handleUsernameChange(ctx *context.Context, newName string) {
 func ProfilePost(ctx *context.Context, form auth.UpdateProfileForm) {
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsProfile"] = true
+	ctx.Data["DisableLocalUserManagement"] = setting.Service.DisableLocalUserManagement
 
 	if ctx.HasError() {
 		ctx.HTML(200, tplSettingsProfile)

templates/user/settings/profile.tmpl

@@ -10,20 +10,20 @@
 			<p>{{.i18n.Tr "settings.profile_desc"}}</p>
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{.CsrfTokenHtml}}
-				<div class="required field {{if .Err_Name}}error{{end}}">
+				<div class="{{if not .DisableLocalUserManagement}}required{{end}} field {{if .Err_Name}}error{{end}}">
 					<label for="username">{{.i18n.Tr "username"}}<span class="text red hide" id="name-change-prompt"> {{.i18n.Tr "settings.change_username_prompt"}}</span></label>
-					<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus required {{if not .SignedUser.IsLocal}}disabled{{end}}>
+					<input id="username" name="name" value="{{.SignedUser.Name}}" data-name="{{.SignedUser.Name}}" autofocus {{if not .DisableLocalUserManagement}}required{{end}} {{if or (not .SignedUser.IsLocal) (.DisableLocalUserManagement) }}disabled{{end}}>
 					{{if not .SignedUser.IsLocal}}
 					<p class="help text blue">{{$.i18n.Tr "settings.password_username_disabled"}}</p>
 					{{end}}
 				</div>
 				<div class="field {{if .Err_FullName}}error{{end}}">
 					<label for="full_name">{{.i18n.Tr "settings.full_name"}}</label>
-					<input id="full_name" name="full_name" value="{{.SignedUser.FullName}}">
+					<input id="full_name" name="full_name" value="{{.SignedUser.FullName}}" {{if .DisableLocalUserManagement}}readonly{{end}}>
 				</div>
-				<div class="required field {{if .Err_Email}}error{{end}}">
+				<div class="{{if not .DisableLocalUserManagement}}required{{end}} field {{if .Err_Email}}error{{end}}">
 					<label for="email">{{.i18n.Tr "email"}}</label>
-					<input id="email" name="email" value="{{.SignedUser.Email}}">
+					<input id="email" name="email" value="{{.SignedUser.Email}}" {{if .DisableLocalUserManagement}}readonly{{end}}>
 				</div>
 				<div class="inline field">
 					<div class="ui checkbox" id="keep-email-private">