Allow disabling authentication related user features #31535
We have some instances that only allow using an external authentication source for authentication. In this case, users changing their email, password, or linked OpenID connections will not have any effect, and we'd like to prevent showing that to them to prevent confusion.

Included in this are several changes to support this:

* A new setting to disable user managed authentication credentials (email, password & OpenID connections)
* A new setting to disable user managed MFA (2FA codes & WebAuthn)
* Fix an issue where some templates had separate logic for determining if a feature was disabled since it didn't check the globally disabled features
* Hide more user setting pages in the navbar when their settings aren't enabled
@bohde do you think it's worth updating any of the integration tests here? For example, it might be worth validating we see the "Not Found" response when updating user password.
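An added example, not code from this pull request or from Gitea: one way to enforce a disabled feature on the server side so that a password-change request gets "Not Found", which is the behaviour the comment above suggests testing. The `DisabledFeatures` type, `RequireFeature`, `StatusFor` and the `/settings/password` route are hypothetical; only the feature names `manage_credentials` and `deletion` come from this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// DisabledFeatures is a hypothetical instance-wide set built once from configuration.
type DisabledFeatures map[string]struct{}

func NewDisabledFeatures(names ...string) DisabledFeatures {
	s := make(DisabledFeatures, len(names))
	for _, n := range names {
		s[n] = struct{}{}
	}
	return s
}

// Contains is the one check that both templates and handlers should call.
func (d DisabledFeatures) Contains(name string) bool {
	_, ok := d[name]
	return ok
}

// RequireFeature answers 404 before the handler runs when the feature is
// disabled, so a hand-built POST gets the same result as the hidden form.
func RequireFeature(d DisabledFeatures, name string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if d.Contains(name) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends a constructed POST to a placeholder password-change route
// guarded by "manage_credentials" and returns the response status.
func StatusFor(d DisabledFeatures) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/settings/password", nil)
	RequireFeature(d, "manage_credentials", ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(StatusFor(NewDisabledFeatures("manage_credentials")), StatusFor(NewDisabledFeatures("deletion")))
}
```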
{{template "user/settings/security/twofa" .}} | ||
{{template "user/settings/security/webauthn" .}} | ||
{{end}} | ||
{{if not ($.UserDisabledFeatures.Contains "manage_credentials")}} |
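Review bot: The guard on the `{{if not ($.UserDisabledFeatures.Contains "manage_credentials")}}` line fails open, because the feature name is a bare string literal in the template: a misspelled name makes `Contains` return false and the section is rendered. Consider exposing a named helper for this check to the templates, so each feature name is spelled in one place and a mismatch surfaces as an error instead of as a visible settings section.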
Should we disable only when both 'manage_credentials' and 'deleted' are true?
What is the reasoning behind that? Is it to prevent them from unlinking their primary account?
> What is the reasoning behind that? Is it to prevent them from unlinking their primary account?

I think I referred to the wrong file. This comment is for `navbar.tmpl`, and you have already added it in commit 3df7358.
And there is another bug: when I click `Blocked users`, the `Account` option will appear again, even though `manage_credentials` and `deletion` are true.
Thanks for catching that! It should be fixed in c9487b4.
add integration tests for navbar and all disabled user settings
🥇
🎉
Thanks! This will be useful for additional use cases too, as I was starting work on disabling changing user visibility and can leverage your work (this will aid in spam prevention so accounts potentially flagged as spam can be hidden until they can be reviewed by a human)
missed doc has been pushed to https://gitea.com/gitea/docs/pulls/25
* giteaofficial/main:
  Fix: Allow org team names of length 255 in create team form (go-gitea#31564)
  Remove docs sub folder since docs has been moved to https://gitea.com/gitea/docs (go-gitea#31536)
  Add bohde as maintainer (go-gitea#31601)
  Add `YEAR`, `MONTH`, `MONTH_ENGLISH`, `DAY` variables for template repos (go-gitea#31584)
  Allow disabling authentication related user features (go-gitea#31535)
  Add back esbuild-loader for .js files (go-gitea#31585)