From 7b1b66416b5287e5e5f928a276440d9b1e4badb5 Mon Sep 17 00:00:00 2001
From: Pavel Shutsin
Date: Thu, 6 Jun 2019 23:00:31 +0300
Subject: [PATCH] EE port: add app-wide LDAP membership lock field
---
 ...20190604091310_add_ldap_membership_lock.rb | 20 +++++++++++++++++++
 db/schema.rb | 1 +
 doc/administration/auth/ldap-ee.md | 9 +++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 db/migrate/20190604091310_add_ldap_membership_lock.rb
diff --git a/db/migrate/20190604091310_add_ldap_membership_lock.rb b/db/migrate/20190604091310_add_ldap_membership_lock.rb
new file mode 100644
index 00000000000..1afc6aeefd5
--- /dev/null
+++ b/db/migrate/20190604091310_add_ldap_membership_lock.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLdapMembershipLock < ActiveRecord::Migration[5.1]
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+
+ disable_ddl_transaction!
+
+ def up
+ add_column_with_default(:application_settings, :lock_memberships_to_ldap, :boolean, default: false)
+ end
+
+ def down
+ remove_column(:application_settings, :lock_memberships_to_ldap)
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 392edf89430..7a9274e1e77 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -195,6 +195,7 @@ ActiveRecord::Schema.define(version: 20190611161641) do
 t.text "encrypted_lets_encrypt_private_key_iv"
 t.boolean "dns_rebinding_protection_enabled", default: true, null: false
 t.boolean "default_project_deletion_protection", default: false, null: false
+ t.boolean "lock_memberships_to_ldap", default: false, null: false
 t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
 end
diff --git a/doc/administration/auth/ldap-ee.md b/doc/administration/auth/ldap-ee.md
index 30095d35705..15f093bb62d 100644
--- a/doc/administration/auth/ldap-ee.md
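Review bot: The new migration `db/migrate/20190604091310_add_ldap_membership_lock.rb` adds `lock_memberships_to_ldap`, an authorization-relevant setting, without saying where it is enforced. None of the visible hunks read the column, and the subject line ("EE port") suggests the checks live in EE only, though that is inferred rather than shown. I would add a comment above `def up`, for example `# Added for schema parity with EE; this patch only stores the flag, membership restrictions are enforced elsewhere.` This keeps a later reader from assuming that group and project invitations are locked wherever the column exists. The comment could also record that `default: false` leaves existing instances unlocked until an administrator opts in, which is presumably the intended upgrade behaviour.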
+++ b/doc/administration/auth/ldap-ee.md
@@ -183,6 +183,15 @@ group, as opposed to the full DN.
 1. [Restart GitLab][restart] for the changes to take effect.
+## Global group memberships lock
+
+"Lock memberships to LDAP synchronization" setting allows instance administrators
+to lock down user abilities to invite new members to a group. When enabled following happens:
+
+1. Only administrator can manage memberships of any group including access levels.
+2. Users are not allowed to share project with other groups or invite members to a project created in a group.
+
+
 ## Adjusting LDAP user sync schedule
 > Introduced in GitLab Enterprise Edition Starter.