Disable login prohibition and extra e-mail list

pboguslawski · pboguslawski · commit e45a831bcd22 · 2022-02-04T11:09:48.000+01:00
When local user management is disabled, active user login should not be prohibited. Only primary user e-mail should be available when local user management is enabled (only this mail is synchronized from LDAP). Related: #18466 Author-Change-Id: IB#1105051
diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/services/mailer"
 	user_service "code.gitea.io/gitea/services/user"
 )
@@ -37,7 +38,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 				return nil, err
 			}
 		}
-		if user != nil && !user.ProhibitLogin {
+		if user != nil && (!user.ProhibitLogin || setting.Service.DisableLocalUserManagement) {
 			cols := make([]string, 0)
 			if len(source.AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {
 				// Change existing admin flag only if AdminFilter option is set
@@ -49,6 +50,11 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 				user.IsRestricted = sr.IsRestricted
 				cols = append(cols, "is_restricted")
 			}
+			if user.ProhibitLogin && setting.Service.DisableLocalUserManagement {
+				// When local user management is disabled, active user is allowed to login.
+				user.ProhibitLogin = false
+				cols = append(cols, "prohibit_login")
+			}
 			if len(cols) > 0 {
 				err = user_model.UpdateForceUserCols(db.DefaultContext, user, cols...)
 				if err != nil {
diff --git a/services/auth/source/ldap/source_sync.go b/services/auth/source/ldap/source_sync.go
@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	user_service "code.gitea.io/gitea/services/user"
 )
 
@@ -138,7 +139,8 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 				(len(source.RestrictedFilter) > 0 && usr.IsRestricted != su.IsRestricted) ||
 				!strings.EqualFold(usr.Email, su.Mail) ||
 				usr.FullName != fullName ||
-				!usr.IsActive {
+				!usr.IsActive ||
+				usr.ProhibitLogin != (usr.ProhibitLogin && !setting.Service.DisableLocalUserManagement) {
 
 				log.Trace("SyncExternalUsers[%s]: Updating user %s", source.authSource.Name, usr.Name)
 
@@ -153,8 +155,10 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 					usr.IsRestricted = su.IsRestricted
 				}
 				usr.IsActive = true
+				// When local user management is disabled, active user is allowed to login.
+				usr.ProhibitLogin = usr.ProhibitLogin && !setting.Service.DisableLocalUserManagement
 
-				err = user_model.UpdateForceUserCols(db.DefaultContext, usr, "full_name", "email", "is_admin", "is_restricted", "is_active")
+				err = user_model.UpdateForceUserCols(db.DefaultContext, usr, "full_name", "email", "is_admin", "is_restricted", "is_active", "prohibit_login")
 				if err != nil {
 					log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.authSource.Name, usr.Name, err)
 				}
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
@@ -92,7 +92,7 @@
 
 				<div class="ui divider"></div>
 
-				<div class="inline field">
+				<div class="inline field" {{if DisableLocalUserManagement}} hidden{{end}}>
 					<div class="ui checkbox">
 						<label><strong>{{.i18n.Tr "admin.users.is_activated"}}</strong></label>
 						<input name="active" type="checkbox" {{if .User.IsActive}}checked{{end}} {{if DisableLocalUserManagement}}readonly{{end}}>
@@ -101,7 +101,7 @@
 				<div class="inline field">
 					<div class="ui checkbox">
 						<label><strong>{{.i18n.Tr "admin.users.prohibit_login"}}</strong></label>
-						<input name="prohibit_login" type="checkbox" {{if .User.ProhibitLogin}}checked{{end}} {{if or (eq .User.ID .SignedUserID) DisableLocalUserManagement}}disabled{{end}}>
+						<input name="prohibit_login" type="checkbox" {{if .User.ProhibitLogin}}checked{{end}} {{if eq .User.ID .SignedUserID}}disabled{{end}}>
 					</div>
 				</div>
 				<div class="inline field">
diff --git a/templates/user/settings/account.tmpl b/templates/user/settings/account.tmpl
@@ -72,8 +72,8 @@
 					</form>
 				</div>
 				{{range .Emails}}
+				{{if not DisableLocalUserManagement}}
 					<div class="item">
-{{if not DisableLocalUserManagement}}
 						{{if not .IsPrimary}}
 							<div class="right floated content">
 								<button class="ui red tiny button delete-button" data-modal-id="delete-email" data-url="{{AppSubUrl}}/user/settings/account/email/delete" data-id="{{.ID}}">
@@ -105,10 +105,8 @@
 								</form>
 							</div>
 						{{end}}
-{{end}}
 						<div class="content">
 							<strong>{{.Email}}</strong>
-{{if not DisableLocalUserManagement}}
 							{{if .IsPrimary}}
 								<div class="ui blue label">{{$.i18n.Tr "settings.primary"}}</div>
 							{{end}}
@@ -117,10 +115,10 @@
 							{{else}}
 								<div class="ui label">{{$.i18n.Tr "settings.requires_activation"}}</div>
 							{{end}}
-{{end}}
 						</div>
 					</div>
 				{{end}}
+				{{end}}
 			</div>
 		</div>
 {{if not DisableLocalUserManagement}}
