From 2ce7affc9afdeeb15cc21f1a4508c8d3f1b44104 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Sun, 27 Apr 2025 19:51:09 +0000
Subject: [PATCH] fix: set default restricted for OAuth2 user (#7683)

- The OAuthCallback code that is responsible for creating a new user, if one does not exist yet, did not use `[service].ALLOW_ONLY_EXTERNAL_REGISTRATION` as default value for the restricted field of a user.
- Resolves forgejo/forgejo#7681
- Add integration test.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7683
Reviewed-by: Earl Warren
Co-authored-by: Gusted
Co-committed-by: Gusted
---
 routers/web/auth/oauth.go | 2 +-
 tests/integration/oauth_test.go | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index f1554638cb..c55397da88 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -1079,7 +1079,7 @@ func SignInOAuthCallback(ctx *context.Context) {
 
 isAdmin, isRestricted := getUserAdminAndRestrictedFromGroupClaims(source, &gothUser)
 u.IsAdmin = isAdmin.ValueOrDefault(false)
-u.IsRestricted = isRestricted.ValueOrDefault(false)
+u.IsRestricted = isRestricted.ValueOrDefault(setting.Service.DefaultUserIsRestricted)
 
 if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
 // error already handled
diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
index 298a1ee716..e9b17634c9 100644
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
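Review bot: The restricted default now follows `setting.Service.DefaultUserIsRestricted` while the admin flag on the line above keeps a literal `false`, and nothing at the call site explains that asymmetry or that a value derived from the provider's group claims takes precedence over the instance default. A comment above the two assignments would stop a later reader from "aligning" them in either direction: `// Group claims decide when present; otherwise fall back to the instance default so OAuth2 auto-registration cannot bypass the administrator's restricted setting (admin never defaults to true).` The commit message attributes the default to `[service].ALLOW_ONLY_EXTERNAL_REGISTRATION`, but the line reads `DefaultUserIsRestricted`, which as far as I know is bound to `[service].DEFAULT_USER_IS_RESTRICTED`; correcting the message would keep audits of the auth path consistent with the source. SignInOAuthCallback starts and ends outside the hunk.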
@@ -1431,3 +1431,28 @@ func TestOAuth_GrantScopesReadPublicGroupsWithTheReadScope(t *testing.T) {
 assert.Contains(t, parsedUserInfo.Groups, privOrg)
 }
 }
+
+func TestSignUpViaOAuthDefaultRestricted(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+ defer test.MockVariableValue(&setting.OAuth2Client.EnableAutoRegistration, true)()
+ defer test.MockVariableValue(&setting.Service.DefaultUserIsRestricted, true)()
+
+ gitlabName := "gitlab"
+ addAuthSource(t, authSourcePayloadGitLabCustom(gitlabName))
+ userGitLabUserID := "BB(5)=47176870"
+
+ defer mockCompleteUserAuth(func(res http.ResponseWriter, req *http.Request) (goth.User, error) {
+ return goth.User{
+ Provider: gitlabName,
+ UserID: userGitLabUserID,
+ Name: "gitlab-user",
+ NickName: "gitlab-user",
+ Email: "gitlab@example.com",
+ }, nil
+ })()
+ req := NewRequest(t, "GET", fmt.Sprintf("/user/oauth2/%s/callback?code=XYZ&state=XYZ", gitlabName))
+ resp := MakeRequest(t, req, http.StatusSeeOther)
+ assert.Equal(t, "/", test.RedirectURL(resp))
+
+ unittest.AssertExistsIf(t, true, &user_model.User{Name: "gitlab-user"}, "is_restricted = true")
+}
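Review bot: The test pins only the `DefaultUserIsRestricted = true` case, so a regression that hard-wires `IsRestricted = true` for OAuth2 sign-ups would still pass, and the `res`/`req` parameters of the mock closure are unused and read better as `_`. Running the body a second time with the setting mocked to false (under a different user name, since the first run creates `gitlab-user`) and asserting `"is_restricted = false"` would show the value is genuinely read from the setting rather than constant. A further case where the provider's group claims set restricted explicitly while the default is false would cover the precedence that `ValueOrDefault` is meant to preserve in the fixed code. If `userGitLabUserID := "BB(5)=47176870"` carries no meaning, a one-line comment such as `// arbitrary provider user id; only needs to be unique within this test` would save the next reader from looking for one.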