diff options
| author | zeripath <art27@cantab.net> | 2020-01-20 03:47:39 +0000 |
|---|---|---|
| committer | Lunny Xiao <xiaolunwen@gmail.com> | 2020-01-20 11:47:39 +0800 |
| commit | c5014a7f2c4a263818269216d16d6f21b008cd17 (patch) | |
| tree | 42423c1aa2ac688b4694e36bdc450d47d4276299 | |
| parent | 54c2854cd2c4084ead621fa42565100338ff3467 (diff) | |
| download | gitea-c5014a7f2c4a263818269216d16d6f21b008cd17.tar.gz gitea-c5014a7f2c4a263818269216d16d6f21b008cd17.zip | |
Add option to prevent LDAP from deactivating everything on empty search (#9879)
* Add option to prevent LDAP from deactivating everything on empty search
* Update options/locale/locale_en-US.ini
Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
| -rw-r--r-- | cmd/admin_auth_ldap.go | 7 | ||||
| -rw-r--r-- | models/user.go | 9 | ||||
| -rw-r--r-- | modules/auth/auth_form.go | 1 | ||||
| -rw-r--r-- | modules/auth/ldap/ldap.go | 1 | ||||
| -rw-r--r-- | options/locale/locale_en-US.ini | 1 | ||||
| -rw-r--r-- | routers/admin/auths.go | 1 | ||||
| -rw-r--r-- | templates/admin/auth/edit.tmpl | 6 |
7 files changed, 26 insertions, 0 deletions
diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go index cce3aa894f..e869686cbd 100644 --- a/cmd/admin_auth_ldap.go +++ b/cmd/admin_auth_ldap.go @@ -61,6 +61,10 @@ var ( Name: "admin-filter", Usage: "An LDAP filter specifying if a user should be given administrator privileges.", }, + cli.BoolFlag{ + Name: "allow-deactivate-all", + Usage: "Allow empty search results to deactivate all users.", + }, cli.StringFlag{ Name: "username-attribute", Usage: "The attribute of the user’s LDAP record containing the user name.", @@ -231,6 +235,9 @@ func parseLdapConfig(c *cli.Context, config *models.LDAPConfig) error { if c.IsSet("admin-filter") { config.Source.AdminFilter = c.String("admin-filter") } + if c.IsSet("allow-deactivate-all") { + config.Source.AllowDeactivateAll = c.Bool("allow-deactivate-all") + } return nil } diff --git a/models/user.go b/models/user.go index 4a4af3547a..c2631d5dd2 100644 --- a/models/user.go +++ b/models/user.go @@ -1780,6 +1780,15 @@ func SyncExternalUsers(ctx context.Context) { continue } + if len(sr) == 0 { + if !s.LDAP().AllowDeactivateAll { + log.Error("LDAP search found no entries but did not report an error. Refusing to deactivate all users") + continue + } else { + log.Warn("LDAP search found no entries but did not report an error. All users will be deactivated as per settings") + } + } + for _, su := range sr { select { case <-ctx.Done(): diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go index c838590c1f..a30ebb75eb 100644 --- a/modules/auth/auth_form.go +++ b/modules/auth/auth_form.go @@ -30,6 +30,7 @@ type AuthenticationForm struct { SearchPageSize int Filter string AdminFilter string + AllowDeactivateAll bool IsActive bool IsSyncEnabled bool SMTPAuth string diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go index ed83a77e12..7f0d2c93f3 100644 --- a/modules/auth/ldap/ldap.go +++ b/modules/auth/ldap/ldap.go @@ -47,6 +47,7 @@ type Source struct { Filter string // Query filter to validate entry AdminFilter string // Query filter to check if user is admin Enabled bool // if this source is disabled + AllowDeactivateAll bool // Allow an empty search response to deactivate all users from this source } // SearchResult : user data diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini index 0f3e9f4a3d..589506f7aa 100644 --- a/options/locale/locale_en-US.ini +++ b/options/locale/locale_en-US.ini @@ -1851,6 +1851,7 @@ auths.attribute_surname = Surname Attribute auths.attribute_mail = Email Attribute auths.attribute_ssh_public_key = Public SSH Key Attribute auths.attributes_in_bind = Fetch Attributes in Bind DN Context +auths.allow_deactivate_all = Allow an empty search result to deactivate all users auths.use_paged_search = Use Paged Search auths.search_page_size = Page Size auths.filter = User Filter diff --git a/routers/admin/auths.go b/routers/admin/auths.go index 8a16e36bf5..4fa76df44e 100644 --- a/routers/admin/auths.go +++ b/routers/admin/auths.go @@ -130,6 +130,7 @@ func parseLDAPConfig(form auth.AuthenticationForm) *models.LDAPConfig { SearchPageSize: pageSize, Filter: form.Filter, AdminFilter: form.AdminFilter, + AllowDeactivateAll: form.AllowDeactivateAll, Enabled: true, }, } diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl index d1a614b1f0..3f515bbf48 100644 --- a/templates/admin/auth/edit.tmpl +++ b/templates/admin/auth/edit.tmpl @@ -112,6 +112,12 @@ </div> </div> {{end}} + <div class="inline field"> + <div class="ui checkbox"> + <label for="allow_deactivate_all"><strong>{{.i18n.Tr "admin.auths.allow_deactivate_all"}}</strong></label> + <input id="allow_deactivate_all" name="allow_deactivate_all" type="checkbox" {{if $cfg.AllowDeactivateAll}}checked{{end}}> + </div> + </div> {{end}} <!-- SMTP --> |