Add setting to disable user features when user login type is not plain (#29615)

- Adds setting `EXTERNAL_USER_DISABLE_FEATURES` to disable any supported
user features when login type is not plain
- In general, this is necessary for SSO implementations to avoid
inconsistencies between the external account management and the linked
account
- Adds helper functions to encourage correct use

(cherry picked from commit 59d4aadba5c15d02f3b9f0e61abb7476870c20a5)

Conflicts:
	- docs/content/administration/config-cheat-sheet.en-us.md
          Removed.
	- modules/setting/admin.go
          Trivial resolution: pick the newly added struct member.
Jack Hay 2024-03-29 11:05:41 -04:00 committed by Gergely Nagy
parent ee33869f84
commit e08f05b069
No known key found for this signature in database
8 changed files with 77 additions and 13 deletions


@ -10,6 +10,7 @@ import (
asymkey_model "code.gitea.io/gitea/models/asymkey"
"code.gitea.io/gitea/models/db"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web"
@ -78,7 +79,7 @@ func KeysPost(ctx *context.Context) {
ctx.Flash.Success(ctx.Tr("settings.add_principal_success", form.Content))
ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
case "gpg":
if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageGPGKeys) {
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageGPGKeys) {
ctx.NotFound("Not Found", fmt.Errorf("gpg keys setting is not allowed to be visited"))
return
}
@ -159,7 +160,7 @@ func KeysPost(ctx *context.Context) {
ctx.Flash.Success(ctx.Tr("settings.verify_gpg_key_success", keyID))
ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
case "ssh":
if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) {
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageSSHKeys) {
ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited"))
return
}
@ -203,7 +204,7 @@ func KeysPost(ctx *context.Context) {
ctx.Flash.Success(ctx.Tr("settings.add_key_success", form.Title))
ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
case "verify_ssh":
if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) {
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageSSHKeys) {
ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited"))
return
}
@ -240,7 +241,7 @@ func KeysPost(ctx *context.Context) {
func DeleteKey(ctx *context.Context) {
switch ctx.FormString("type") {
case "gpg":
if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageGPGKeys) {
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageGPGKeys) {
ctx.NotFound("Not Found", fmt.Errorf("gpg keys setting is not allowed to be visited"))
return
}
@ -250,7 +251,7 @@ func DeleteKey(ctx *context.Context) {
ctx.Flash.Success(ctx.Tr("settings.gpg_key_deletion_success"))
}
case "ssh":
if setting.Admin.UserDisabledFeatures.Contains(setting.UserFeatureManageSSHKeys) {
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageSSHKeys) {
ctx.NotFound("Not Found", fmt.Errorf("ssh keys setting is not allowed to be visited"))
return
}
@ -333,5 +334,5 @@ func loadKeysData(ctx *context.Context) {
ctx.Data["VerifyingID"] = ctx.FormString("verify_gpg")
ctx.Data["VerifyingFingerprint"] = ctx.FormString("verify_ssh")
ctx.Data["UserDisabledFeatures"] = &setting.Admin.UserDisabledFeatures
ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer)
}
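Review bot: In KeysPost the login-type-aware gate now covers `case "gpg"`, `case "ssh"` and `case "verify_ssh"`, but the `verify_gpg` branch, whose tail is visible as context just before `case "ssh":`, is touched by no hunk, so it presumably carries no feature check at all. If SSO-managed accounts must not change GPG key state, that branch should open with the same guard as its siblings: `if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageGPGKeys) { ctx.NotFound("Not Found", fmt.Errorf("gpg keys setting is not allowed to be visited")); return }`. The branch before `gpg` (ending in `add_principal_success`) is also outside the hunks and is worth checking in the same way. Both helpers are defined outside this file section, so whether they tolerate a nil `ctx.Doer` cannot be confirmed from here. `loadKeysData` now stores the helper's return value where it used to store `&setting.Admin.UserDisabledFeatures`, so templates that call `.UserDisabledFeatures.Contains` should be checked against the new type.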