Add ui.explore settings to control view of explore pages (2) (#14094)

This is an alternative PR to #13687.

Add `[ui.explore]` settings to allow restricting the
explore pages to logged in users only and to disable the users explore page.

The two proposed settings are:

- `REQUIRE_SIGNIN_VIEW`: Only allows access to the explore pages if the
user is signed in. Also restricts
  - `/api/v1/user/search`
  - `/api/v1/users/{username}`
  - `/api/v1/users/{username}/repos`
  - but does not restrict `/api/v1/users/{username}/heatmap`
- `DISABLE_USERS_PAGE`: Disables the /explore/users page

Fix #2908

Close #13687 

Signed-off-by: Andrew Thornton <[email protected]>
Co-authored-by: 6543 <[email protected]>

Author: zeripath

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -479,6 +479,12 @@ relation to port exhaustion.
   The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
 - `USER_DELETE_WITH_COMMENTS_MAX_TIME`: **0** Minimum amount of time a user must exist before comments are kept when the user is deleted.
 
+### Service - Expore (`service.explore`)
+
+- `REQUIRE_SIGNIN_VIEW`: **false**: Only allow signed in users to view the explore pages.
+- `DISABLE_USERS_PAGE`: **false**: Disable the users explore page.
+
+
 ## SSH Minimum Key Sizes (`ssh.minimum_key_sizes`)
 
 Define allowed algorithms and their minimum key length (use -1 to disable a type):

docs/content/doc/advanced/config-cheat-sheet.zh-cn.md

@@ -135,6 +135,11 @@ menu:
 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: 允许通过反向认证做自动注册。
 - `ENABLE_CAPTCHA`: 注册时使用图片验证码。
 
+### Service - Expore (`service.explore`)
+
+- `REQUIRE_SIGNIN_VIEW`: **false**: 仅允许已登录的用户查看探索页面。
+- `DISABLE_USERS_PAGE`: **false**: 不显示用户探索页面。
+
 ## Webhook (`webhook`)
 
 - `QUEUE_LENGTH`: 说明: Hook 任务队列长度。

modules/setting/service.go

@@ -8,6 +8,7 @@ import (
 	"regexp"
 	"time"
 
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/structs"
 )
 
@@ -59,6 +60,12 @@ var Service struct {
 	EnableOpenIDSignUp bool
 	OpenIDWhitelist    []*regexp.Regexp
 	OpenIDBlacklist    []*regexp.Regexp
+
+	// Explore page settings
+	Explore struct {
+		RequireSigninView bool `ini:"REQUIRE_SIGNIN_VIEW"`
+		DisableUsersPage  bool `ini:"DISABLE_USERS_PAGE"`
+	} `ini:"service.explore"`
 }
 
 func newService() {
@@ -108,6 +115,10 @@ func newService() {
 	Service.DefaultOrgMemberVisible = sec.Key("DEFAULT_ORG_MEMBER_VISIBLE").MustBool()
 	Service.UserDeleteWithCommentsMaxTime = sec.Key("USER_DELETE_WITH_COMMENTS_MAX_TIME").MustDuration(0)
 
+	if err := Cfg.Section("service.explore").MapTo(&Service.Explore); err != nil {
+		log.Fatal("Failed to map service.explore settings: %v", err)
+	}
+
 	sec = Cfg.Section("openid")
 	Service.EnableOpenIDSignIn = sec.Key("ENABLE_OPENID_SIGNIN").MustBool(!InstallLock)
 	Service.EnableOpenIDSignUp = sec.Key("ENABLE_OPENID_SIGNUP").MustBool(!Service.DisableRegistration && Service.EnableOpenIDSignIn)

routers/api/v1/api.go

@@ -204,6 +204,14 @@ func reqToken() func(ctx *context.APIContext) {
 	}
 }
 
+func reqExploreSignIn() func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if setting.Service.Explore.RequireSigninView && !ctx.IsSigned {
+			ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")
+		}
+	}
+}
+
 func reqBasicAuth() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		if !ctx.Context.IsBasicAuth {
@@ -603,16 +611,16 @@ func Routes() *web.Route {
 
 		// Users
 		m.Group("/users", func() {
-			m.Get("/search", user.Search)
+			m.Get("/search", reqExploreSignIn(), user.Search)
 
 			m.Group("/{username}", func() {
-				m.Get("", user.GetInfo)
+				m.Get("", reqExploreSignIn(), user.GetInfo)
 
 				if setting.Service.EnableUserHeatmap {
 					m.Get("/heatmap", user.GetUserHeatmapData)
 				}
 
-				m.Get("/repos", user.ListUserRepos)
+				m.Get("/repos", reqExploreSignIn(), user.ListUserRepos)
 				m.Group("/tokens", func() {
 					m.Combo("").Get(user.ListAccessTokens).
 						Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)

routers/home.go

@@ -171,6 +171,7 @@ func RenderRepoSearch(ctx *context.Context, opts *RepoSearchOptions) {
 
 // ExploreRepos render explore repositories page
 func ExploreRepos(ctx *context.Context) {
+	ctx.Data["UsersIsDisabled"] = setting.Service.Explore.DisableUsersPage
 	ctx.Data["Title"] = ctx.Tr("explore")
 	ctx.Data["PageIsExplore"] = true
 	ctx.Data["PageIsExploreRepositories"] = true
@@ -247,6 +248,10 @@ func RenderUserSearch(ctx *context.Context, opts *models.SearchUserOptions, tplN
 
 // ExploreUsers render explore users page
 func ExploreUsers(ctx *context.Context) {
+	if setting.Service.Explore.DisableUsersPage {
+		ctx.Redirect(setting.AppSubURL + "/explore/repos")
+		return
+	}
 	ctx.Data["Title"] = ctx.Tr("explore")
 	ctx.Data["PageIsExplore"] = true
 	ctx.Data["PageIsExploreUsers"] = true
@@ -263,6 +268,7 @@ func ExploreUsers(ctx *context.Context) {
 
 // ExploreOrganizations render explore organizations page
 func ExploreOrganizations(ctx *context.Context) {
+	ctx.Data["UsersIsDisabled"] = setting.Service.Explore.DisableUsersPage
 	ctx.Data["Title"] = ctx.Tr("explore")
 	ctx.Data["PageIsExplore"] = true
 	ctx.Data["PageIsExploreOrganizations"] = true
@@ -288,6 +294,7 @@ func ExploreCode(ctx *context.Context) {
 		return
 	}
 
+	ctx.Data["UsersIsDisabled"] = setting.Service.Explore.DisableUsersPage
 	ctx.Data["IsRepoIndexerEnabled"] = setting.Indexer.RepoIndexerEnabled
 	ctx.Data["Title"] = ctx.Tr("explore")
 	ctx.Data["PageIsExplore"] = true

routers/routes/web.go

@@ -286,6 +286,7 @@ func goGet(ctx *context.Context) {
 func RegisterRoutes(m *web.Route) {
 	reqSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: true})
 	ignSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: setting.Service.RequireSignInView})
+	ignExploreSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: setting.Service.RequireSignInView || setting.Service.Explore.RequireSigninView})
 	ignSignInAndCsrf := context.Toggle(&context.ToggleOptions{DisableCSRF: true})
 	reqSignOut := context.Toggle(&context.ToggleOptions{SignOutRequired: true})
 
@@ -335,7 +336,7 @@ func RegisterRoutes(m *web.Route) {
 		m.Get("/users", routers.ExploreUsers)
 		m.Get("/organizations", routers.ExploreOrganizations)
 		m.Get("/code", routers.ExploreCode)
-	}, ignSignIn)
+	}, ignExploreSignIn)
 	m.Get("/issues", reqSignIn, user.Issues)
 	m.Get("/pulls", reqSignIn, user.Pulls)
 	m.Get("/milestones", reqSignIn, reqMilestonesDashboardPageEnabled, user.Milestones)

templates/explore/navbar.tmpl

@@ -2,9 +2,11 @@
 	<a class="{{if .PageIsExploreRepositories}}active{{end}} item" href="{{AppSubUrl}}/explore/repos">
 		{{svg "octicon-repo"}} {{.i18n.Tr "explore.repos"}}
 	</a>
-	<a class="{{if .PageIsExploreUsers}}active{{end}} item" href="{{AppSubUrl}}/explore/users">
-		{{svg "octicon-person"}} {{.i18n.Tr "explore.users"}}
-	</a>
+	{{if not .UsersIsDisabled}}
+		<a class="{{if .PageIsExploreUsers}}active{{end}} item" href="{{AppSubUrl}}/explore/users">
+			{{svg "octicon-person"}} {{.i18n.Tr "explore.users"}}
+		</a>
+	{{end}}
 	<a class="{{if .PageIsExploreOrganizations}}active{{end}} item" href="{{AppSubUrl}}/explore/organizations">
 		{{svg "octicon-organization"}} {{.i18n.Tr "explore.organizations"}}
 	</a>