Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/admin/application_settings_controller.rb | 1 | ||||
-rw-r--r-- | app/models/application_setting.rb | 6 | ||||
-rw-r--r-- | app/models/application_setting_implementation.rb | 1 | ||||
-rw-r--r-- | app/models/key.rb | 18 | ||||
-rw-r--r-- | app/policies/base_policy.rb | 6 | ||||
-rw-r--r-- | app/validators/ssh_key_validator.rb | 31 | ||||
-rw-r--r-- | app/views/admin/application_settings/_user_restrictions.html.haml | 2 |
7 files changed, 43 insertions, 22 deletions
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb index b5edecbd6a5..cd099173718 100644 --- a/app/controllers/admin/application_settings_controller.rb +++ b/app/controllers/admin/application_settings_controller.rb @@ -179,6 +179,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController *::ApplicationSettingsHelper.visible_attributes, *::ApplicationSettingsHelper.external_authorization_service_attributes, *ApplicationSetting.kroki_formats_attributes.keys.map { |key| "kroki_formats_#{key}".to_sym }, + :can_create_organization, :lets_encrypt_notification_email, :lets_encrypt_terms_of_service_accepted, :domain_denylist_file, diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 96ea7064c6f..f389b857354 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -468,7 +468,11 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord validates :invisible_captcha_enabled, inclusion: { in: [true, false], message: N_('must be a boolean value') } - validates :invitation_flow_enforcement, :can_create_group, :allow_project_creation_for_guest_and_below, :user_defaults_to_private_profile, + validates :invitation_flow_enforcement, + :can_create_group, + :can_create_organization, + :allow_project_creation_for_guest_and_below, + :user_defaults_to_private_profile, allow_nil: false, inclusion: { in: [true, false], message: N_('must be a boolean value') } diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb index 00b093c8ac3..16991937e2f 100644 --- a/app/models/application_setting_implementation.rb +++ b/app/models/application_setting_implementation.rb 
@@ -263,6 +263,7 @@ module ApplicationSettingImplementation users_get_by_id_limit: 300, users_get_by_id_limit_allowlist: [], can_create_group: true, + can_create_organization: true, bulk_import_enabled: false, bulk_import_max_download_file_size: 5120, allow_runner_registration_token: true, diff --git a/app/models/key.rb b/app/models/key.rb index fdc54c9f56e..4ff5f7a8e6a 100644 --- a/app/models/key.rb +++ b/app/models/key.rb @@ -21,6 +21,7 @@ class Key < ApplicationRecord validates :key, presence: true, + ssh_key: true, length: { maximum: 5000 }, format: { with: /\A(#{Gitlab::SSHPublicKey.supported_algorithms.join('|')})/ } @@ -28,7 +29,6 @@ class Key < ApplicationRecord uniqueness: true, presence: { message: 'cannot be generated' } - validate :key_meets_restrictions validate :expiration, on: :create validate :banned_key, if: :key_changed? @@ -154,16 +154,6 @@ class Key < ApplicationRecord self.fingerprint_sha256 = public_key.fingerprint_sha256.gsub("SHA256:", "") end - def key_meets_restrictions - restriction = Gitlab::CurrentSettings.key_restriction_for(public_key.type) - - if restriction == ApplicationSetting::FORBIDDEN_KEY_VALUE - errors.add(:key, forbidden_key_type_message) - elsif public_key.bits < restriction - errors.add(:key, "must be at least #{restriction} bits") - end - end - def banned_key return unless public_key.banned? @@ -179,12 +169,6 @@ class Key < ApplicationRecord ) end - def forbidden_key_type_message - allowed_types = Gitlab::CurrentSettings.allowed_key_types.map(&:upcase) - - "type is forbidden. Must be #{Gitlab::Sentence.to_exclusive_sentence(allowed_types)}" - end - def expiration errors.add(:key, message: 'has expired') if expired? end diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 462afbaa475..53b0073eccc 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb 
@@ -57,11 +57,9 @@ class BasePolicy < DeclarativePolicy::Base with_options scope: :user, score: 0 condition(:can_create_group) { @user&.can_create_group } - # TODO: update to check application setting - # https://gitlab.com/gitlab-org/gitlab/-/issues/423302 desc 'User can create an organization' - with_options scope: :user, score: 0 - condition(:can_create_organization) { true } + with_options scope: :global, score: 0 + condition(:can_create_organization) { Gitlab::CurrentSettings.can_create_organization } desc "The application is restricted from public visibility" condition(:restricted_public_level, scope: :global) do diff --git a/app/validators/ssh_key_validator.rb b/app/validators/ssh_key_validator.rb new file mode 100644 index 00000000000..74e86fc6644 --- /dev/null +++ b/app/validators/ssh_key_validator.rb @@ -0,0 +1,31 @@ +# frozen_string_literal: true + +# SshKeyValidator +# +# Custom validator for SSH keys. +# +# class Project < ActiveRecord::Base +# validates :key, ssh_key: true +# end +# +class SshKeyValidator < ActiveModel::EachValidator # rubocop:disable Gitlab/NamespacedClass -- Allow setting ssh_key by convention + def validate_each(record, attribute, value) + public_key = Gitlab::SSHPublicKey.new(value) + + restriction = Gitlab::CurrentSettings.key_restriction_for(public_key.type) + + if restriction == ApplicationSetting::FORBIDDEN_KEY_VALUE + record.errors.add(attribute, forbidden_key_type_message) + elsif public_key.bits < restriction + record.errors.add(attribute, "must be at least #{restriction} bits") + end + end + + private + + def forbidden_key_type_message + allowed_types = Gitlab::CurrentSettings.allowed_key_types.map(&:upcase) + + "type is forbidden. Must be #{Gitlab::Sentence.to_exclusive_sentence(allowed_types)}" + end +end diff --git a/app/views/admin/application_settings/_user_restrictions.html.haml b/app/views/admin/application_settings/_user_restrictions.html.haml index c21d1ec47e6..4fb65c20daf 100644 
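Review bot: The rewritten `can_create_organization` condition no longer reads `@user`, so the `desc 'User can create an organization'` line above it now labels an instance-wide setting as if it were a per-user capability, unlike the neighbouring `can_create_group` condition, which reads `@user&.can_create_group`. I would reword it to something like `desc 'Organization creation is allowed by the application setting'`. Because the scope is now `:global`, the condition also holds for a nil user whenever the setting is on; the previous `{ true }` behaved the same way, so this is not a regression. The rule that consumes the condition is outside this hunk and presumably still has to pair it with an authenticated-user check, so a short comment such as `# instance-wide switch only; callers must still require a signed-in user` would make that explicit. `BasePolicy` starts and ends outside the hunk.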
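Review bot: In `validate_each`, the `public_key.bits < restriction` comparison assumes `bits` is never nil once the key type is not forbidden. `Gitlab::SSHPublicKey` is not visible here, but if it can return a nil size for input that still reports a permitted type, the comparison raises instead of adding a validation error; `elsif public_key.bits.nil? || public_key.bits < restriction` would turn that case into a normal rejection. This matters more now that the check is a reusable `ssh_key: true` validator, which can be attached to attributes that lack the `presence` and `format` validators `Key` pairs it with. The header comment should also state what the validator enforces: only the instance key-type and minimum-bits restrictions from `Gitlab::CurrentSettings`, not presence, format, expiry or banned keys.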
--- a/app/views/admin/application_settings/_user_restrictions.html.haml +++ b/app/views/admin/application_settings/_user_restrictions.html.haml @@ -3,6 +3,8 @@ .form-group = label_tag _('User restrictions') = render_if_exists 'admin/application_settings/updating_name_disabled_for_users', form: form + - if Feature.enabled?(:ui_for_organizations, current_user) + = form.gitlab_ui_checkbox_component :can_create_organization, _("Allow users to create organizations") = form.gitlab_ui_checkbox_component :can_create_group, _("Allow new users to create top-level groups") = form.gitlab_ui_checkbox_component :user_defaults_to_private_profile, _("Make new users' profiles private by default") = render_if_exists 'admin/application_settings/allow_account_deletion', form: form |
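Review bot: The new checkbox is rendered only when `Feature.enabled?(:ui_for_organizations, current_user)`, but the same commit permits `:can_create_organization` in the settings controller and has `BasePolicy` read `Gitlab::CurrentSettings.can_create_organization` without consulting that flag. With the flag off, the setting is therefore still accepted and still enforced, while this form shows no control to change it back. If that is intended, a comment above the `- if` such as `-# The flag hides only the control; the setting is enforced by BasePolicy regardless` would record it. Otherwise, gate the permitted parameter on the same flag.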