Merge master-IB#1105051 into main-IB#1105051

Author: pboguslawski

cmd/admin.go

@@ -471,7 +471,7 @@ func runChangePassword(c *cli.Context) error {
 		return err
 	}
 
-	if err = user_model.UpdateUserCols(db.DefaultContext, user, "passwd", "passwd_hash_algo", "salt"); err != nil {
+	if err = user_model.UpdateUserCols(db.DefaultContext, user, false, "passwd", "passwd_hash_algo", "salt"); err != nil {
 		return err
 	}
 

custom/conf/app.example.ini

@@ -630,6 +630,9 @@ PATH =
 ;; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
 ;ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ;;
+;; Disable local user management (i.e. when user data and password comes from LDAP and should not be changed locally in gitea).
+;DISABLE_LOCAL_USER_MANAGEMENT = false
+;;
 ;; User must sign in to view anything.
 ;REQUIRE_SIGNIN_VIEW = false
 ;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -596,6 +596,7 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via Gitea.
 - `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
 - `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the Git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
+- `DISABLE_LOCAL_USER_MANAGEMENT`: **false** Set to true to disable local user management in gitea (i.e. when users are managed in LDAP).
   The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
 - `USER_DELETE_WITH_COMMENTS_MAX_TIME`: **0** Minimum amount of time a user must exist before comments are kept when the user is deleted.
 - `VALID_SITE_URL_SCHEMES`: **http, https**: Valid site url schemes for user profiles

models/repo.go

@@ -508,7 +508,7 @@ func CreateRepository(ctx context.Context, doer, u *user_model.User, repo *repo_
 
 	// Remember visibility preference.
 	u.LastRepoVisibility = repo.IsPrivate
-	if err = user_model.UpdateUserColsEngine(db.GetEngine(ctx), u, "last_repo_visibility"); err != nil {
+	if err = user_model.UpdateUserColsEngine(db.GetEngine(ctx), u, false, "last_repo_visibility"); err != nil {
 		return fmt.Errorf("updateUser: %v", err)
 	}
 

models/user/email_address.go

@@ -303,7 +303,7 @@ func updateActivation(e db.Engine, email *EmailAddress, activate bool) error {
 	if _, err := e.ID(email.ID).Cols("is_activated").Update(email); err != nil {
 		return err
 	}
-	return UpdateUserColsEngine(e, user, "rands")
+	return UpdateUserColsEngine(e, user, false, "rands")
 }
 
 // MakeEmailPrimary sets primary email address of given user.
@@ -513,7 +513,7 @@ func ActivateUserEmail(userID int64, email string, activate bool) (err error) {
 			if user.Rands, err = GetUserSalt(); err != nil {
 				return fmt.Errorf("unable to generate salt: %v", err)
 			}
-			if err = UpdateUserColsEngine(sess, &user, "is_active", "rands"); err != nil {
+			if err = UpdateUserColsEngine(sess, &user, false, "is_active", "rands"); err != nil {
 				return fmt.Errorf("unable to updateUserCols() for user ID: %d: %v", userID, err)
 			}
 		}

models/user/user.go

@@ -206,13 +206,13 @@ func (u *User) SetLastLogin() {
 // UpdateUserDiffViewStyle updates the users diff view style
 func UpdateUserDiffViewStyle(u *User, style string) error {
 	u.DiffViewStyle = style
-	return UpdateUserCols(db.DefaultContext, u, "diff_view_style")
+	return UpdateUserCols(db.DefaultContext, u, false, "diff_view_style")
 }
 
 // UpdateUserTheme updates a users' theme irrespective of the site wide theme
 func UpdateUserTheme(u *User, themeName string) error {
 	u.Theme = themeName
-	return UpdateUserCols(db.DefaultContext, u, "theme")
+	return UpdateUserCols(db.DefaultContext, u, false, "theme")
 }
 
 // GetEmail returns an noreply email, if the user has set to keep his
@@ -502,7 +502,7 @@ func (u *User) EmailNotifications() string {
 // SetEmailNotifications sets the user's email notification preference
 func SetEmailNotifications(u *User, set string) error {
 	u.EmailNotificationsPreference = set
-	if err := UpdateUserCols(db.DefaultContext, u, "email_notifications_preference"); err != nil {
+	if err := UpdateUserCols(db.DefaultContext, u, false, "email_notifications_preference"); err != nil {
 		log.Error("SetEmailNotifications: %v", err)
 		return err
 	}
@@ -827,7 +827,43 @@ func validateUser(u *User) error {
 	return ValidateEmail(u.Email)
 }
 
+// updateUserAllowed is used to block updating selected user fields when local user managemement is disabled.
+func updateUserAllowed(u *User) error {
+	// Don't allow changes of selected user fields if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement && (u.Type == UserTypeIndividual) {
+		if currUser, err := GetUserByID(u.ID); err == nil {
+			if currUser.Name != u.Name {
+				return fmt.Errorf("cannot change user %s username; local user management disabled", u.Name)
+			}
+			if (currUser.LoginSource != u.LoginSource) || (currUser.LoginName != u.LoginName) {
+				return fmt.Errorf("cannot change user %s login; local user management disabled", u.Name)
+			}
+			if currUser.FullName != u.FullName {
+				return fmt.Errorf("cannot change user %s full name; local user management disabled", u.Name)
+			}
+			if currUser.Email != u.Email {
+				return fmt.Errorf("cannot change user %s e-mail; local user management disabled", u.Name)
+			}
+			if (currUser.Passwd != u.Passwd) || (currUser.PasswdHashAlgo != u.PasswdHashAlgo) {
+				return fmt.Errorf("cannot change user %s password; local user management disabled", u.Name)
+			}
+			if currUser.IsActive != u.IsActive {
+				return fmt.Errorf("cannot change user %s activity; local user management disabled", u.Name)
+			}
+			if currUser.IsAdmin != u.IsAdmin {
+				return fmt.Errorf("cannot change user %s admin permission; local user management disabled", u.Name)
+			}
+		} else {
+			return err
+		}
+	}
+	return nil
+}
+
 func updateUser(ctx context.Context, u *User, changePrimaryEmail bool) error {
+	if err := updateUserAllowed(u); err != nil {
+		return err
+	}
 	if err := validateUser(u); err != nil {
 		return err
 	}
@@ -872,16 +908,21 @@ func UpdateUser(u *User, emailChanged bool) error {
 }
 
 // UpdateUserCols update user according special columns
-func UpdateUserCols(ctx context.Context, u *User, cols ...string) error {
-	return updateUserCols(db.GetEngine(ctx), u, cols...)
+func UpdateUserCols(ctx context.Context, u *User, force bool, cols ...string) error {
+	return updateUserCols(db.GetEngine(ctx), u, force, cols...)
 }
 
 // UpdateUserColsEngine update user according special columns
-func UpdateUserColsEngine(e db.Engine, u *User, cols ...string) error {
-	return updateUserCols(e, u, cols...)
+func UpdateUserColsEngine(e db.Engine, u *User, force bool, cols ...string) error {
+	return updateUserCols(e, u, force, cols...)
 }
 
-func updateUserCols(e db.Engine, u *User, cols ...string) error {
+func updateUserCols(e db.Engine, u *User, force bool, cols ...string) error {
+	if !force {
+		if err := updateUserAllowed(u); err != nil {
+			return err
+		}
+	}
 	if err := validateUser(u); err != nil {
 		return err
 	}

modules/setting/service.go

@@ -30,6 +30,7 @@ var Service = struct {
 	DisableRegistration                     bool
 	AllowOnlyInternalRegistration           bool
 	AllowOnlyExternalRegistration           bool
+	DisableLocalUserManagement              bool
 	ShowRegistrationButton                  bool
 	ShowMilestonesDashboardPage             bool
 	RequireSignInView                       bool
@@ -115,6 +116,7 @@ func newService() {
 	} else {
 		Service.RegisterManualConfirm = false
 	}
+	Service.DisableLocalUserManagement = sec.Key("DISABLE_LOCAL_USER_MANAGEMENT").MustBool()
 	Service.EmailDomainWhitelist = sec.Key("EMAIL_DOMAIN_WHITELIST").Strings(",")
 	Service.EmailDomainBlocklist = sec.Key("EMAIL_DOMAIN_BLOCKLIST").Strings(",")
 	Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!(Service.DisableRegistration || Service.AllowOnlyExternalRegistration))

modules/templates/helper.go

@@ -239,6 +239,9 @@ func NewFuncMap() []template.FuncMap {
 		"DisableImportLocal": func() bool {
 			return !setting.ImportLocalPaths
 		},
+		"DisableLocalUserManagement": func() bool {
+			return setting.Service.DisableLocalUserManagement
+		},
 		"Dict": func(values ...interface{}) (map[string]interface{}, error) {
 			if len(values)%2 != 0 {
 				return nil, errors.New("invalid dict call")

routers/api/v1/org/org.go

@@ -346,7 +346,7 @@ func Edit(ctx *context.APIContext) {
 	if form.RepoAdminChangeTeamAccess != nil {
 		org.RepoAdminChangeTeamAccess = *form.RepoAdminChangeTeamAccess
 	}
-	if err := user_model.UpdateUserCols(db.DefaultContext, org.AsUser(),
+	if err := user_model.UpdateUserCols(db.DefaultContext, org.AsUser(), false,
 		"full_name", "description", "website", "location",
 		"visibility", "repo_admin_change_team_access",
 	); err != nil {

routers/web/admin/auths.go

@@ -49,6 +49,12 @@ func Authentications(ctx *context.Context) {
 	ctx.Data["PageIsAdmin"] = true
 	ctx.Data["PageIsAdminAuthentications"] = true
 
+	// No access to this page if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("Authentications", fmt.Errorf("access to Authentications function denied; local user management disabled"))
+		return
+	}
+
 	var err error
 	ctx.Data["Sources"], err = auth.Sources()
 	if err != nil {
@@ -111,6 +117,12 @@ func NewAuthSource(ctx *context.Context) {
 	ctx.Data["SSPISeparatorReplacement"] = "_"
 	ctx.Data["SSPIDefaultLanguage"] = ""
 
+	// No access to this page if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("NewAuthSource", fmt.Errorf("access to NewAuthSource function denied; local user management disabled"))
+		return
+	}
+
 	// only the first as default
 	ctx.Data["oauth2_provider"] = oauth2providers[0]
 
@@ -240,6 +252,12 @@ func NewAuthSourcePost(ctx *context.Context) {
 	ctx.Data["SSPISeparatorReplacement"] = "_"
 	ctx.Data["SSPIDefaultLanguage"] = ""
 
+	// Don't allow to create auth source if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("NewAuthSourcePost", fmt.Errorf("cannot create auth source; local user management disabled"))
+		return
+	}
+
 	hasTLS := false
 	var config convert.Conversion
 	switch auth.Type(form.Type) {
@@ -314,6 +332,12 @@ func EditAuthSource(ctx *context.Context) {
 	oauth2providers := oauth2.GetOAuth2Providers()
 	ctx.Data["OAuth2Providers"] = oauth2providers
 
+	// No access to this page if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("EditAuthSource", fmt.Errorf("access to EditAuthSource page denied; local user management disabled"))
+		return
+	}
+
 	source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid"))
 	if err != nil {
 		ctx.ServerError("auth.GetSourceByID", err)
@@ -349,6 +373,12 @@ func EditAuthSourcePost(ctx *context.Context) {
 	oauth2providers := oauth2.GetOAuth2Providers()
 	ctx.Data["OAuth2Providers"] = oauth2providers
 
+	// Don't allow to update auth source if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("EditAuthSourcePost", fmt.Errorf("cannot update auth source; local user management disabled"))
+		return
+	}
+
 	source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid"))
 	if err != nil {
 		ctx.ServerError("auth.GetSourceByID", err)

routers/web/admin/emails.go

@@ -6,6 +6,7 @@ package admin
 
 import (
 	"bytes"
+	"fmt"
 	"net/http"
 	"net/url"
 
@@ -28,6 +29,12 @@ func Emails(ctx *context.Context) {
 	ctx.Data["PageIsAdmin"] = true
 	ctx.Data["PageIsAdminEmails"] = true
 
+	// No access to this page if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("Emails", fmt.Errorf("access to Emails function denied; local user management disabled"))
+		return
+	}
+
 	opts := &user_model.SearchEmailOptions{
 		ListOptions: db.ListOptions{
 			PageSize: setting.UI.Admin.UserPagingNum,
@@ -112,6 +119,12 @@ func isKeywordValid(keyword string) bool {
 // ActivateEmail serves a POST request for activating/deactivating a user's email
 func ActivateEmail(ctx *context.Context) {
 
+	// Don't allow to activate/deactivate emails if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("ActivateEmail", fmt.Errorf("cannot activate email; local user management disabled"))
+		return
+	}
+
 	truefalse := map[string]bool{"1": true, "0": false}
 
 	uid := ctx.FormInt64("uid")

routers/web/admin/users.go

@@ -6,6 +6,7 @@
 package admin
 
 import (
+	"fmt"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -81,6 +82,12 @@ func NewUser(ctx *context.Context) {
 
 	ctx.Data["login_type"] = "0-0"
 
+	// No access to this page if local user management is disabled.
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("NewUser", fmt.Errorf("access to NewUser function denied; local user management disabled"))
+		return
+	}
+
 	sources, err := auth.Sources()
 	if err != nil {
 		ctx.ServerError("auth.Sources", err)
@@ -100,6 +107,11 @@ func NewUserPost(ctx *context.Context) {
 	ctx.Data["PageIsAdminUsers"] = true
 	ctx.Data["DefaultUserVisibilityMode"] = setting.Service.DefaultUserVisibilityMode
 
+	if setting.Service.DisableLocalUserManagement {
+		ctx.ServerError("NewUserPost", fmt.Errorf("cannot create new user; local user management disabled"))
+		return
+	}
+
 	sources, err := auth.Sources()
 	if err != nil {
 		ctx.ServerError("auth.Sources", err)
@@ -278,6 +290,13 @@ func EditUserPost(ctx *context.Context) {
 
 	if len(form.Password) > 0 && (u.IsLocal() || u.IsOAuth2()) {
 		var err error
+
+		// Don't allow password changes if local user management is disabled.
+		if setting.Service.DisableLocalUserManagement {
+			ctx.ServerError("UpdateUser", fmt.Errorf("cannot change %s password; local user management disabled", u.Name))
+			return
+		}
+
 		if len(form.Password) < setting.MinPasswordLength {
 			ctx.Data["Err_Password"] = true
 			ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplUserEdit, &form)

routers/web/auth/auth.go

@@ -107,7 +107,7 @@ func resetLocale(ctx *context.Context, u *user_model.User) error {
 	// If the user does not have a locale set, we save the current one.
 	if len(u.Language) == 0 {
 		u.Language = ctx.Locale.Language()
-		if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, false, "language"); err != nil {
 			return err
 		}
 	}
@@ -333,7 +333,7 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember bool, o
 	// If the user does not have a locale set, we save the current one.
 	if len(u.Language) == 0 {
 		u.Language = ctx.Locale.Language()
-		if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, false, "language"); err != nil {
 			ctx.ServerError("UpdateUserCols Language", fmt.Errorf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))
 			return setting.AppSubURL + "/"
 		}
@@ -350,7 +350,7 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember bool, o
 
 	// Register last login
 	u.SetLastLogin()
-	if err := user_model.UpdateUserCols(db.DefaultContext, u, "last_login_unix"); err != nil {
+	if err := user_model.UpdateUserCols(db.DefaultContext, u, false, "last_login_unix"); err != nil {
 		ctx.ServerError("UpdateUserCols", err)
 		return setting.AppSubURL + "/"
 	}
@@ -603,7 +603,7 @@ func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.
 		u.IsAdmin = true
 		u.IsActive = true
 		u.SetLastLogin()
-		if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_active", "last_login_unix"); err != nil {
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, false, "is_admin", "is_active", "last_login_unix"); err != nil {
 			ctx.ServerError("UpdateUser", err)
 			return
 		}
@@ -724,7 +724,7 @@ func handleAccountActivation(ctx *context.Context, user *user_model.User) {
 		ctx.ServerError("UpdateUser", err)
 		return
 	}
-	if err := user_model.UpdateUserCols(db.DefaultContext, user, "is_active", "rands"); err != nil {
+	if err := user_model.UpdateUserCols(db.DefaultContext, user, false, "is_active", "rands"); err != nil {
 		if user_model.IsErrUserNotExist(err) {
 			ctx.NotFound("UpdateUserCols", err)
 		} else {

routers/web/auth/oauth.go

@@ -1021,7 +1021,7 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
 			cols = append(cols, "is_admin", "is_restricted")
 		}
 
-		if err := user_model.UpdateUserCols(db.DefaultContext, u, cols...); err != nil {
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, false, cols...); err != nil {
 			ctx.ServerError("UpdateUserCols", err)
 			return
 		}
@@ -1048,7 +1048,7 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
 
 	changed := setUserGroupClaims(source, u, &gothUser)
 	if changed {
-		if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_restricted"); err != nil {
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, false, "is_admin", "is_restricted"); err != nil {
 			ctx.ServerError("UpdateUserCols", err)
 			return
 		}