Allow to disable local user management #13068

Closed
wants to merge 6 commits into from

pboguslawski
Contributor

This mod introduces the parameter DISABLE_LOCAL_USER_MANAGEMENT (false by default) in the app.ini [service] section; when true, it disables local modifications of user data and the external sources editor.

This is for the scenario where users are synchronized from an external source (i.e. LDAP backend configured using gitea cli) and should not be changed locally (only gitea specific user settings are allowed to be changed in gitea). isActive and isAdmin are treated as LDAP data but isRestricted is not (this should be managed in app). Moreover, the user is not allowed to remove their account; the app admin must do it if required.

Not experienced in gitea devel so please verify and fine tune if required before merging.

Added parameter DISABLE_LOCAL_USER_MANAGEMENT (false by default) in
app.ini [service] section; when true disables local modifications
of username, fullname and e-mail fields in user Settings.

Author-Change-Id: IB#1105051

This patch blocks access to local user management options that
are not required and possibly problematic in scenario when users
are managed in external database (like LDAP) and should not be
managed separately in gitea. Options specific to gitea (like
restricted users) are still managed in this app.

Author-Change-Id: IB#1105051

This fixes external user syncing when local user management is disabled.

Fixes: eca3563
Author-Change-Id: IB#1105051

Hide message about changing username when local user modifications are disabled.

Author-Change-Id: IB#1105051
@lafriks
Member

lafriks commented Oct 10, 2020

Imho this should disable changing automatically for LDAP users without special setting. Also restricted setting should be disabled if LDAP filter for it is set, same for admin setting

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 10, 2020
@lafriks lafriks added the type/enhancement An improvement of existing functionality label Oct 10, 2020
Adopted repos screens didn't hide menu tabs. This
mod fixes it and simplifies configuration for templates.
It also removes unnecessary comment.

Author-Change-Id: IB#1105051
Fixes: eca3563
@stale

stale bot commented Dec 25, 2020

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

@stale stale bot added the issue/stale label Dec 25, 2020
@lunny lunny added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Dec 26, 2020
@stale stale bot removed the issue/stale label Dec 26, 2020
Fixes 500 on organization name change in DISABLE_LOCAL_USER_MANAGEMENT mode.

Fixes: eca3563
Author-Change-Id: IB#1105051
@pboguslawski
Contributor Author

> Imho this should disable changing automatically for LDAP users without special setting.

This switch disables local user management regardless of how many user backends exist/will exist in the system. This switch also disables local maintenance of local accounts that already exist in the system (admin is still able to remove user accounts - they will be recreated from LDAP for example). This mod is intentionally designed not to rely on specific backends and this should fit well in common internal company environment scenarios (i.e. users in one or a few LDAP, reverse proxy auth, no local user db).

> Also restricted setting should be disabled if LDAP filter for it is set, same for admin setting.

This mod assumes that admin privilege will be maintained in external user db (like LDAP); that's the most common scenario IMHO. Other privileges like "is restricted", "may create git hooks", "may create organizations" are gitea specific and maintaining such details in central LDAP db sounds like overkill. If one really needs it in the future, one may contribute a separate mod to specify a list of gitea user fields that should be disabled for local changes.

@pboguslawski
Contributor Author

Replaced with #18466.

@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022