From 96d6fdc27cc3721ec76b6542a32ae236d5e78956 Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 29 May 2015 13:29:16 +0200
Subject: [PATCH] Add option to disallow users from registering any application to use GitLab as an OAuth provider

---
 CHANGELOG | 1 +
 .../admin/application_settings_controller.rb | 1 +
 .../oauth/applications_controller.rb | 8 +++
 app/helpers/application_settings_helper.rb | 4 ++
 app/models/application_setting.rb | 1 +
 .../application_settings/_form.html.haml | 9 ++-
 app/views/profiles/applications.html.haml | 60 ++++++++++---------
 ...th_applications_to_application_settings.rb | 5 ++
 db/schema.rb | 3 +-
 9 files changed, 63 insertions(+), 29 deletions(-)
 create mode 100644 db/migrate/20150529111607_add_user_oauth_applications_to_application_settings.rb
diff --git a/CHANGELOG b/CHANGELOG
index 452fe553b00..f0d03fa00f0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.12.0 (unreleased)
+ - Add option to disallow users from registering any application to use GitLab as an OAuth provider
 - Refactor permission checks with issues and merge requests project settings (Stan Hu)
 - Fix Markdown preview not working in Edit Milestone page (Stan Hu)
 - Fix Zen Mode not closing with ESC key (Stan Hu)
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index 4c35622fff1..5aaae94e6bf 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -43,6 +43,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
 :default_snippet_visibility,
 :restricted_signup_domains_raw,
 :version_check_enabled,
+ :user_oauth_applications,
 restricted_visibility_levels: [],
 )
 end
diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb
index 507b8290a2b..fc31118124b 100644
--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
@@ -1,6 +1,8 @@
 class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
+ include Gitlab::CurrentSettings
 include PageLayoutHelper
 
+ before_action :verify_user_oauth_applications_enabled
 before_action :authenticate_user!
 
 layout 'profile'
@@ -32,6 +34,12 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
 
 private
 
+ def verify_user_oauth_applications_enabled
+ return if current_application_settings.user_oauth_applications?
+
+ redirect_to applications_profile_url
+ end
+
 def set_application
 @application = current_user.oauth_applications.find(params[:id])
 end
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 241d6075c9f..63c3ff5674d 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -19,6 +19,10 @@ module ApplicationSettingsHelper
 current_application_settings.sign_in_text
 end
 
+ def user_oauth_applications?
+ current_application_settings.user_oauth_applications
+ end
+
 # Return a group of checkboxes that use Bootstrap's button plugin for a
 # toggle button effect.
 def restricted_level_checkboxes(help_block_id)
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index d5123249c53..c465158f764 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -18,6 +18,7 @@
 # default_project_visibility :integer
 # default_snippet_visibility :integer
 # restricted_signup_domains :text
+# user_oauth_applications :bool default(TRUE)
 #
 
 class ApplicationSetting < ActiveRecord::Base
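Review bot: `before_action :verify_user_oauth_applications_enabled` is registered ahead of `before_action :authenticate_user!`, so on an instance with the setting switched off an anonymous request to any application action is redirected to `applications_profile_url` before authentication runs, instead of going wherever `authenticate_user!` (presumably the sign-in page) would send it; the redirect also lets an unauthenticated caller observe the setting's state. Swapping the two lines so the new filter comes after `before_action :authenticate_user!` keeps the existing unauthenticated behaviour and only applies the new policy to signed-in users. The filter method itself is added in the second hunk of this file.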
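Review bot: `verify_user_oauth_applications_enabled` carries no comment explaining that it is the server-side enforcement behind the admin setting, so a later reader could take the view-level `- if user_oauth_applications?` guards elsewhere in this patch for the actual control and loosen this filter. A comment above the method along the lines of `# Server-side guard for the admin "User OAuth applications" setting: every action of the inherited Doorkeeper applications controller is bounced to the profile page when it is off, independent of what the view hides.` makes that intent explicit. The redirect also gives the user no reason for landing on the profile page; passing an `alert:` message to `redirect_to` would say why.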
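Review bot: The new helper `user_oauth_applications?` returns the raw column value, while the controller in the same patch checks `current_application_settings.user_oauth_applications?`; using the attribute-query method in both places keeps the two checks from diverging and yields a strict boolean rather than whatever the column holds. Suggested body: `current_application_settings.user_oauth_applications?`. A one-line comment such as `# Whether the admin allows users to register their own OAuth applications.` above it would match the commented helper that follows in this hunk.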
diff --git a/app/views/admin/application_settings/_form.html.haml b/app/views/admin/application_settings/_form.html.haml
index 4ceae814805..dd8978647c4 100644
--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -30,7 +30,7 @@
 .checkbox
 = f.label :twitter_sharing_enabled do
 = f.check_box :twitter_sharing_enabled, :'aria-describedby' => 'twitter_help_block'
- %strong Twitter enabled
+ Twitter enabled
 %span.help-block#twitter_help_block Show users a button to share their newly created public or internal projects on twitter
 .form-group
 .col-sm-offset-2.col-sm-10
@@ -83,6 +83,13 @@
 .col-sm-10
 = f.text_area :restricted_signup_domains_raw, placeholder: 'domain.com', class: 'form-control'
 .help-block Only users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
+ .form_group
+ = f.label :user_oauth_applications, 'User OAuth applications', class: 'control-label col-sm-2'
+ .col-sm-10
+ .checkbox
+ = f.label :user_oauth_applications do
+ = f.check_box :user_oauth_applications
+ Allow users to register any application to use GitLab as an OAuth provider
 
 .form-actions
 = f.submit 'Save', class: 'btn btn-primary'
diff --git a/app/views/profiles/applications.html.haml b/app/views/profiles/applications.html.haml
index c145a9b7f6d..2c4f0804f0b 100644
--- a/app/views/profiles/applications.html.haml
+++ b/app/views/profiles/applications.html.haml
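Review bot: The new settings row in the second hunk opens with `.form_group` (underscore), whereas the rest of this partial, including the `.form-group` visible as context in the first hunk, uses Bootstrap's hyphenated class, so the new checkbox row will not receive the form-group layout. Change that line to `.form-group`. The removal of `%strong` around "Twitter enabled" in the first hunk is unrelated to the OAuth setting and would be easier to track in its own commit.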
@@ -2,37 +2,43 @@
 %h3.page-title
 = page_title
 %p.light
- OAuth2 protocol settings below.
+ - if user_oauth_applications?
+ Manage applications that can use GitLab as an OAuth provider,
+ and applications that you've authorized to use your account.
+ - else
+ Manage applications that you've authorized to use your account.
 
 %hr
 
-.oauth-applications
- %h3
- Your applications
- .pull-right
- = link_to 'New Application', new_oauth_application_path, class: 'btn btn-success'
- - if @applications.any?
- %table.table.table-striped
- %thead
- %tr
- %th Name
- %th Callback URL
- %th Clients
- %th
- %th
- %tbody
- - @applications.each do |application|
- %tr{:id => "application_#{application.id}"}
- %td= link_to application.name, oauth_application_path(application)
- %td
- - application.redirect_uri.split.each do |uri|
- %div= uri
- %td= application.access_tokens.count
- %td= link_to 'Edit', edit_oauth_application_path(application), class: 'btn btn-link btn-sm'
- %td= render 'doorkeeper/applications/delete_form', application: application
+- if user_oauth_applications?
+ .oauth-applications
+ %h3
+ Your applications
+ .pull-right
+ = link_to 'New Application', new_oauth_application_path, class: 'btn btn-success'
+ - if @applications.any?
+ %table.table.table-striped
+ %thead
+ %tr
+ %th Name
+ %th Callback URL
+ %th Clients
+ %th
+ %th
+ %tbody
+ - @applications.each do |application|
+ %tr{:id => "application_#{application.id}"}
+ %td= link_to application.name, oauth_application_path(application)
+ %td
+ - application.redirect_uri.split.each do |uri|
+ %div= uri
+ %td= application.access_tokens.count
+ %td= link_to 'Edit', edit_oauth_application_path(application), class: 'btn btn-link btn-sm'
+ %td= render 'doorkeeper/applications/delete_form', application: application
 
 .oauth-authorized-applications.prepend-top-20
- %h3
- Authorized applications
+ - if user_oauth_applications?
+ %h3
+ Authorized applications
 - if @authorized_tokens.any?
 %table.table.table-striped
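Review bot: When the setting is off, the `Authorized applications` heading is now suppressed together with the "Your applications" section, so the authorized-tokens table renders under the page title with no heading of its own even though the new intro text still speaks of applications the user has authorized; if that is deliberate it deserves a comment, otherwise only the `.oauth-applications` block needs the `- if user_oauth_applications?` guard and the `%h3` can stay unconditional. Hiding the section here is presentation only; the `before_action` added to `Oauth::ApplicationsController` in this patch is what actually blocks registration, and a HAML comment such as `-# Hidden when the admin setting is off; Oauth::ApplicationsController enforces it server-side` next to the guard would make that dependency visible to the next reader.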
diff --git a/db/migrate/20150529111607_add_user_oauth_applications_to_application_settings.rb b/db/migrate/20150529111607_add_user_oauth_applications_to_application_settings.rb
new file mode 100644
index 00000000000..6a78294f0b2
--- /dev/null
+++ b/db/migrate/20150529111607_add_user_oauth_applications_to_application_settings.rb
@@ -0,0 +1,5 @@
+class AddUserOauthApplicationsToApplicationSettings < ActiveRecord::Migration
+ def change
+ add_column :application_settings, :user_oauth_applications, :bool, default: true
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 1ab91256406..dfd93d056e9 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150516060434) do
+ActiveRecord::Schema.define(version: 20150529111607) do
 
 # These are extensions that must be enabled in order to support this database
 enable_extension "plpgsql"
@@ -33,6 +33,7 @@ ActiveRecord::Schema.define(version: 20150516060434) do
 t.integer "default_project_visibility"
 t.integer "default_snippet_visibility"
 t.text "restricted_signup_domains"
+ t.boolean "user_oauth_applications", default: true
 end
 
 create_table "broadcast_messages", force: true do |t|
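Review bot: `add_column` passes `:bool` as the column type, while the regenerated `db/schema.rb` hunk in this same patch records the column as `t.boolean`; `:boolean` is the ActiveRecord type name, so the migration line should read `add_column :application_settings, :user_oauth_applications, :boolean, default: true` to avoid relying on the adapter accepting a raw SQL type name. The column is also left nullable; that fails closed, since the controller's attribute-query check treats nil as false, but if a NULL is never meant to occur adding `null: false` pins that down at the schema level.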