DISABLE_ACCESS_TOKENS parameter for disabling access tokens added

pboguslawski · pboguslawski · commit 2bde83b51de8 · 2022-01-31T17:49:06.000+01:00
Access tokens are hardcoded and cannot be disabled (i.e. when owner doesn't want this kind of authentication). This mod introduces new DISABLE_ACCESS_TOKENS parameter in app.ini section [security]. When disabled (default when parameter is not present) gitea behaves as without this mod (access tokens feature is available). When enabled, access tokens feature and its UI elements are not avaiable. This mod also hides those areas on Settings/Applications page that are disabled in config and hides menu link to Applications page if all its areas are disabled in config. Related: go-gitea#13129 Author-Change-Id: IB#1115254
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -372,6 +372,9 @@ INTERNAL_TOKEN=
 ;; Set to true to disable webhooks feature.
 ;DISABLE_WEBHOOKS = false
 ;;
+;; Set to false to disable access tokens feature.
+;DISABLE_ACCESS_TOKENS = false
+;;
 ;; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
 ;ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;;
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -498,6 +498,7 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
    Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
    This maybe harmful to you website or your operating system.
 - `DISABLE_WEBHOOKS`: **false**: Set to `true` to disable webhooks feature.
+- `DISABLE_ACCESS_TOKENS`: **false**: Set to `true` to disable access tokens feature.
 - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to Gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -187,6 +187,7 @@ var (
 	ImportLocalPaths                   bool
 	DisableGitHooks                    bool
 	DisableWebhooks                    bool
+	DisableAccessTokens                bool
 	OnlyAllowPushIfGiteaEnvironmentSet bool
 	PasswordComplexity                 []string
 	PasswordHashAlgo                   string
@@ -868,6 +869,7 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
 	DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
+	DisableAccessTokens = sec.Key("DISABLE_ACCESS_TOKENS").MustBool(false)
 	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
 	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
@@ -236,6 +236,12 @@ func NewFuncMap() []template.FuncMap {
 		"DisableWebhooks": func() bool {
 			return setting.DisableWebhooks
 		},
+		"DisableAccessTokens": func() bool {
+			return setting.DisableAccessTokens
+		},
+		"DisableOAuth2": func() bool {
+			return !setting.OAuth2.Enable
+		},
 		"DisableImportLocal": func() bool {
 			return !setting.ImportLocalPaths
 		},
diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go
@@ -6,6 +6,7 @@
 package setting
 
 import (
+	"fmt"
 	"net/http"
 
 	"code.gitea.io/gitea/models"
@@ -44,6 +45,11 @@ func ApplicationsPost(ctx *context.Context) {
 		return
 	}
 
+	if setting.DisableAccessTokens {
+		ctx.ServerError("AccessToken", fmt.Errorf("cannot modify access token; access tokens disabled"))
+		return
+	}
+
 	t := &models.AccessToken{
 		UID:  ctx.User.ID,
 		Name: form.Name,
@@ -73,6 +79,10 @@ func ApplicationsPost(ctx *context.Context) {
 
 // DeleteApplication response for delete user access token
 func DeleteApplication(ctx *context.Context) {
+	if setting.DisableAccessTokens {
+		ctx.ServerError("DeleteAccessToken", fmt.Errorf("cannot delete access token; access tokens disabled"))
+		return
+	}
 	if err := models.DeleteAccessTokenByID(ctx.FormInt64("id"), ctx.User.ID); err != nil {
 		ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
 	} else {
@@ -85,14 +95,17 @@ func DeleteApplication(ctx *context.Context) {
 }
 
 func loadApplicationsData(ctx *context.Context) {
-	tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})
-	if err != nil {
-		ctx.ServerError("ListAccessTokens", err)
-		return
+	if setting.DisableAccessTokens {
+		tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})
+		if err != nil {
+			ctx.ServerError("ListAccessTokens", err)
+			return
+		}
+		ctx.Data["Tokens"] = tokens
 	}
-	ctx.Data["Tokens"] = tokens
 	ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable
 	if setting.OAuth2.Enable {
+		var err error
 		ctx.Data["Applications"], err = auth.GetOAuth2ApplicationsByUserID(ctx.User.ID)
 		if err != nil {
 			ctx.ServerError("GetOAuth2ApplicationsByUserID", err)
diff --git a/templates/user/settings/applications.tmpl b/templates/user/settings/applications.tmpl
@@ -3,6 +3,7 @@
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
+		{{if not DisableAccessTokens}}
 		<h4 class="ui top attached header">
 			{{.i18n.Tr "settings.manage_access_token"}}
 		</h4>
@@ -46,6 +47,7 @@
 				</button>
 			</form>
 		</div>
+		{{end}}
 
 		{{if .EnableOAuth2}}
 			{{template "user/settings/grants_oauth2" .}}
diff --git a/templates/user/settings/navbar.tmpl b/templates/user/settings/navbar.tmpl
@@ -12,9 +12,11 @@
 		<a class="{{if .PageIsSettingsSecurity}}active{{end}} item" href="{{AppSubUrl}}/user/settings/security">
 			{{.i18n.Tr "settings.security"}}
 		</a>
+		{{if or (not DisableAccessTokens) (not DisableOAuth2)}}
 		<a class="{{if .PageIsSettingsApplications}}active{{end}} item" href="{{AppSubUrl}}/user/settings/applications">
 			{{.i18n.Tr "settings.applications"}}
 		</a>
+		{{end}}
 		<a class="{{if .PageIsSettingsKeys}}active{{end}} item" href="{{AppSubUrl}}/user/settings/keys">
 			{{.i18n.Tr "settings.ssh_gpg_keys"}}
 		</a>
