Add setting to disable user features when user login type is not plain (#29615)

- Adds setting `EXTERNAL_USER_DISABLE_FEATURES` to disable any supported user features when login type is not plain - In general, this is necessary for SSO implementations to avoid inconsistencies between the external account management and the linked account - Adds helper functions to encourage correct use (cherry picked from commit 59d4aadba5c15d02f3b9f0e61abb7476870c20a5) Conflicts: - docs/content/administration/config-cheat-sheet.en-us.md Removed. - modules/setting/admin.go Trivial resolution: pick the newly added struct member.
2025-08-03 00:45:22 +02:00 · 2024-03-29 11:05:41 -04:00 · 2024-03-29 11:05:41 -04:00 · e08f05b069
commit e08f05b069
parent ee33869f84
8 changed files with 77 additions and 13 deletions
--- a/models/user/user.go
+++ b/models/user/user.go
@ -1246,3 +1246,21 @@ func GetOrderByName() string {
 	}
 	return "name"
 }
+
+// IsFeatureDisabledWithLoginType checks if a user feature is disabled, taking into account the login type of the
+// user if applicable
+func IsFeatureDisabledWithLoginType(user *User, feature string) bool {
+	// NOTE: in the long run it may be better to check the ExternalLoginUser table rather than user.LoginType
+	return (user != nil && user.LoginType > auth.Plain && setting.Admin.ExternalUserDisableFeatures.Contains(feature)) ||
+		setting.Admin.UserDisabledFeatures.Contains(feature)
+}
+
+// DisabledFeaturesWithLoginType returns the set of user features disabled, taking into account the login type
+// of the user if applicable
+func DisabledFeaturesWithLoginType(user *User) *container.Set[string] {
+	// NOTE: in the long run it may be better to check the ExternalLoginUser table rather than user.LoginType
+	if user != nil && user.LoginType > auth.Plain {
+		return &setting.Admin.ExternalUserDisableFeatures
+	}
+	return &setting.Admin.UserDisabledFeatures
+}