add configuration option to restrict users by default (#16256)

* add configuration option to restrict users by default

* default IsRestricted permission only set on sign up

setting this in the model messes with other workflows (e.g. syncing LDAP users) where the IsRestricted permission needs to be explicitly set and not overridden by a config value

* fix formatting

* Apply suggestions from code review

* ensure newly created user is set to restricted

* ensure imports are in the correct order

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>

1 files changed, 23 insertions, 0 deletions

diff --git a/integrations/signup_test.go b/integrations/signup_test.go
index 5208a42ce5..66ff8ac2d7 100644
--- a/integrations/signup_test.go
+++ b/integrations/signup_test.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/stretchr/testify/assert"
 	"github.com/unknwon/i18n"
@@ -33,6 +34,28 @@ func TestSignup(t *testing.T) {
 	MakeRequest(t, req, http.StatusOK)
 }
 
+func TestSignupAsRestricted(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	setting.Service.EnableCaptcha = false
+	setting.Service.DefaultUserIsRestricted = true
+
+	req := NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
+		"user_name": "restrictedUser",
+		"email":     "restrictedUser@example.com",
+		"password":  "examplePassword!1",
+		"retype":    "examplePassword!1",
+	})
+	MakeRequest(t, req, http.StatusFound)
+
+	// should be able to view new user's page
+	req = NewRequest(t, "GET", "/restrictedUser")
+	MakeRequest(t, req, http.StatusOK)
+
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{Name: "restrictedUser"}).(*models.User)
+	assert.True(t, user2.IsRestricted)
+}
+
 func TestSignupEmail(t *testing.T) {
 	defer prepareTestEnv(t)()