Add option to disallow users from registering any application to use GitLab as an OAuth provider

96d6fdc2 · Douwe Maan · 70b29c35 · 96d6fdc2 · 96d6fdc2 · 96d6fdc2
Commit 96d6fdc2 authored May 29, 2015 by Douwe Maan
9 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.

 v 7.12.0 (unreleased)
+  - Add option to disallow users from registering any application to use GitLab as an OAuth provider
  - Refactor permission checks with issues and merge requests project settings (Stan Hu)
  - Fix Markdown preview not working in Edit Milestone page (Stan Hu)
  - Fix Zen Mode not closing with ESC key (Stan Hu)

--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -43,6 +43,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
      :default_snippet_visibility,
      :restricted_signup_domains_raw,
      :version_check_enabled,
+      :user_oauth_applications,
      restricted_visibility_levels: [],
    )
  end

--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
 class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
+  include Gitlab::CurrentSettings
  include PageLayoutHelper
  
+  before_action :verify_user_oauth_applications_enabled
  before_action :authenticate_user!

  layout 'profile'
@@ -32,6 +34,12 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController

  private

+  def verify_user_oauth_applications_enabled
+    return if current_application_settings.user_oauth_applications?
+
+    redirect_to applications_profile_url
+  end
+
  def set_application
    @application = current_user.oauth_applications.find(params[:id])
  end

--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -19,6 +19,10 @@ module ApplicationSettingsHelper
    current_application_settings.sign_in_text
  end

+  def user_oauth_applications?
+    current_application_settings.user_oauth_applications
+  end
+
  # Return a group of checkboxes that use Bootstrap's button plugin for a
  # toggle button effect.
  def restricted_level_checkboxes(help_block_id)

--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -18,6 +18,7 @@
 #  default_project_visibility   :integer
 #  default_snippet_visibility   :integer
 #  restricted_signup_domains    :text
+#  user_oauth_applications      :bool             default(TRUE)
 #

 class ApplicationSetting < ActiveRecord::Base

--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -30,7 +30,7 @@
        .checkbox
          = f.label :twitter_sharing_enabled do
            = f.check_box :twitter_sharing_enabled, :'aria-describedby' => 'twitter_help_block'
-            %strong Twitter enabled
+            Twitter enabled
          %span.help-block#twitter_help_block Show users a button to share their newly created public or internal projects on twitter
    .form-group
      .col-sm-offset-2.col-sm-10
@@ -83,6 +83,13 @@
      .col-sm-10
        = f.text_area :restricted_signup_domains_raw, placeholder: 'domain.com', class: 'form-control'
        .help-block Only users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
+    .form_group
+      = f.label :user_oauth_applications, 'User OAuth applications', class: 'control-label col-sm-2'
+      .col-sm-10
+        .checkbox
+          = f.label :user_oauth_applications do
+            = f.check_box :user_oauth_applications
+            Allow users to register any application to use GitLab as an OAuth provider

  .form-actions
    = f.submit 'Save', class: 'btn btn-primary'
--- a/app/views/profiles/applications.html.haml
+++ b/app/views/profiles/applications.html.haml
@@ -2,37 +2,43 @@
 %h3.page-title
  = page_title
 %p.light
-  OAuth2 protocol settings below.
+  - if user_oauth_applications?
+    Manage applications that can use GitLab as an OAuth provider, 
+    and applications that you've authorized to use your account.
+  - else
+    Manage applications that you've authorized to use your account.
 %hr

-.oauth-applications
-  %h3
-    Your applications
-    .pull-right
-      = link_to 'New Application', new_oauth_application_path, class: 'btn btn-success'
-  - if @applications.any?
-    %table.table.table-striped
-      %thead
-        %tr
-          %th Name
-          %th Callback URL
-          %th Clients
-          %th
-          %th
-      %tbody
-        - @applications.each do |application|
-          %tr{:id => "application_#{application.id}"}
-            %td= link_to application.name, oauth_application_path(application)
-            %td
-              - application.redirect_uri.split.each do |uri|
-                %div= uri
-            %td= application.access_tokens.count
-            %td= link_to 'Edit', edit_oauth_application_path(application), class: 'btn btn-link btn-sm'
-            %td= render 'doorkeeper/applications/delete_form', application: application
+- if user_oauth_applications?
+  .oauth-applications
+    %h3
+      Your applications
+      .pull-right
+        = link_to 'New Application', new_oauth_application_path, class: 'btn btn-success'
+    - if @applications.any?
+      %table.table.table-striped
+        %thead
+          %tr
+            %th Name
+            %th Callback URL
+            %th Clients
+            %th
+            %th
+        %tbody
+          - @applications.each do |application|
+            %tr{:id => "application_#{application.id}"}
+              %td= link_to application.name, oauth_application_path(application)
+              %td
+                - application.redirect_uri.split.each do |uri|
+                  %div= uri
+              %td= application.access_tokens.count
+              %td= link_to 'Edit', edit_oauth_application_path(application), class: 'btn btn-link btn-sm'
+              %td= render 'doorkeeper/applications/delete_form', application: application

 .oauth-authorized-applications.prepend-top-20
-  %h3
-    Authorized applications
+  - if user_oauth_applications?
+    %h3
+      Authorized applications

  - if @authorized_tokens.any?
    %table.table.table-striped

--- a/db/migrate/20150529111607_add_user_oauth_applications_to_application_settings.rb
+++ b/db/migrate/20150529111607_add_user_oauth_applications_to_application_settings.rb
+class AddUserOauthApplicationsToApplicationSettings < ActiveRecord::Migration
+  def change
+    add_column :application_settings, :user_oauth_applications, :bool, default: true
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20150516060434) do
+ActiveRecord::Schema.define(version: 20150529111607) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -33,6 +33,7 @@ ActiveRecord::Schema.define(version: 20150516060434) do
    t.integer  "default_project_visibility"
    t.integer  "default_snippet_visibility"
    t.text     "restricted_signup_domains"
+    t.boolean  "user_oauth_applications",      default: true
  end

  create_table "broadcast_messages", force: true do |t|