add configuration option to restrict users by default

Author: rjnienaber

custom/conf/app.example.ini

@@ -649,6 +649,9 @@ PATH =
 ;; Default value for AllowCreateOrganization
 ;; Every new user will have rights set to create organizations depending on this setting
 ;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+;; Default value for IsRestricted
+;; Every new user will have restricted permissions depending on this setting
+;DEFAULT_USER_IS_RESTRICTED = true
 ;;
 ;; Either "public", "limited" or "private", default is "public"
 ;; Limited is for signed user only

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -499,6 +499,7 @@ relation to port exhaustion.
 - `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
 - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
 - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
+- `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
 - `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default.
 - `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access.
 - `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles.

integrations/mssql.ini.tmpl

@@ -65,6 +65,7 @@ ENABLE_CAPTCHA                    = false
 REQUIRE_SIGNIN_VIEW               = false
 DEFAULT_KEEP_EMAIL_PRIVATE        = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_USER_IS_RESTRICTED 				= false
 NO_REPLY_ADDRESS                  = noreply.example.org
 ENABLE_NOTIFY_MAIL                = true
 

integrations/mysql.ini.tmpl

@@ -85,6 +85,7 @@ ENABLE_CAPTCHA                    = false
 REQUIRE_SIGNIN_VIEW               = false
 DEFAULT_KEEP_EMAIL_PRIVATE        = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_USER_IS_RESTRICTED 				= false
 NO_REPLY_ADDRESS                  = noreply.example.org
 ENABLE_NOTIFY_MAIL                = true
 

integrations/mysql8.ini.tmpl

@@ -63,6 +63,7 @@ ENABLE_CAPTCHA                    = false
 REQUIRE_SIGNIN_VIEW               = false
 DEFAULT_KEEP_EMAIL_PRIVATE        = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_USER_IS_RESTRICTED 				= false
 NO_REPLY_ADDRESS                  = noreply.example.org
 
 [picture]

integrations/pgsql.ini.tmpl

@@ -66,6 +66,7 @@ ENABLE_CAPTCHA                    = false
 REQUIRE_SIGNIN_VIEW               = false
 DEFAULT_KEEP_EMAIL_PRIVATE        = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_USER_IS_RESTRICTED 				= false
 NO_REPLY_ADDRESS                  = noreply.example.org
 ENABLE_NOTIFY_MAIL                = true
 

integrations/sqlite.ini.tmpl

@@ -62,6 +62,7 @@ ENABLE_CAPTCHA                    = false
 REQUIRE_SIGNIN_VIEW               = false
 DEFAULT_KEEP_EMAIL_PRIVATE        = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_USER_IS_RESTRICTED 				= false
 NO_REPLY_ADDRESS                  = noreply.example.org
 
 [picture]

models/user.go

@@ -843,6 +843,7 @@ func CreateUser(u *User) (err error) {
 	}
 	u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization && !setting.Admin.DisableRegularOrgCreation
 	u.EmailNotificationsPreference = setting.Admin.DefaultEmailNotification
+	u.IsRestricted = setting.Service.DefaultUserIsRestricted
 	u.MaxRepoCreation = -1
 	u.Theme = setting.UI.DefaultTheme
 

models/user_test.go

@@ -322,6 +322,28 @@ func TestCreateUser(t *testing.T) {
 	assert.NoError(t, DeleteUser(user))
 }
 
+func TestCreateUserWithRestrictedUserByDefault(t *testing.T) {
+	user := &User{
+		Name:               "GiteaBot",
+		Email:              "GiteaBot@gitea.io",
+		Passwd:             ";p['////..-++']",
+		IsAdmin:            false,
+		Theme:              setting.UI.DefaultTheme,
+		MustChangePassword: false,
+	}
+
+	setting.Service.DefaultUserIsRestricted = true
+
+	assert.NoError(t, CreateUser(user))
+
+	savedUser, err := GetUserByEmail(user.Email)
+	assert.NoError(t, err)
+
+	assert.Equal(t, savedUser.IsRestricted, true)
+
+	assert.NoError(t, DeleteUser(savedUser))
+}
+
 func TestCreateUserInvalidEmail(t *testing.T) {
 	user := &User{
 		Name:               "GiteaBot",

modules/setting/service.go

@@ -44,6 +44,7 @@ var Service struct {
 	HcaptchaSitekey                         string
 	DefaultKeepEmailPrivate                 bool
 	DefaultAllowCreateOrganization          bool
+	DefaultUserIsRestricted                 bool
 	EnableTimetracking                      bool
 	DefaultEnableTimetracking               bool
 	DefaultEnableDependencies               bool
@@ -105,6 +106,7 @@ func newService() {
 	Service.HcaptchaSitekey = sec.Key("HCAPTCHA_SITEKEY").MustString("")
 	Service.DefaultKeepEmailPrivate = sec.Key("DEFAULT_KEEP_EMAIL_PRIVATE").MustBool()
 	Service.DefaultAllowCreateOrganization = sec.Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").MustBool(true)
+	Service.DefaultUserIsRestricted = sec.Key("DEFAULT_USER_IS_RESTRICTED").MustBool(false)
 	Service.EnableTimetracking = sec.Key("ENABLE_TIMETRACKING").MustBool(true)
 	if Service.EnableTimetracking {
 		Service.DefaultEnableTimetracking = sec.Key("DEFAULT_ENABLE_TIMETRACKING").MustBool(true)