Commit e55702d5 authored by Joern Schneeweisz's avatar Joern Schneeweisz Committed by Ezekiel Kigbo

Add Setting to disable feed_tokens

parent b8016f27
...@@ -198,6 +198,7 @@ module ApplicationSettingsHelper ...@@ -198,6 +198,7 @@ module ApplicationSettingsHelper
:default_project_visibility, :default_project_visibility,
:default_projects_limit, :default_projects_limit,
:default_snippet_visibility, :default_snippet_visibility,
:disable_feed_token,
:disabled_oauth_sign_in_sources, :disabled_oauth_sign_in_sources,
:domain_denylist, :domain_denylist,
:domain_denylist_enabled, :domain_denylist_enabled,
......
...@@ -426,6 +426,9 @@ class ApplicationSetting < ApplicationRecord ...@@ -426,6 +426,9 @@ class ApplicationSetting < ApplicationRecord
attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_truncated_aes_256_gcm attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_truncated_aes_256_gcm
attr_encrypted :cloud_license_auth_token, encryption_options_base_truncated_aes_256_gcm attr_encrypted :cloud_license_auth_token, encryption_options_base_truncated_aes_256_gcm
validates :disable_feed_token,
inclusion: { in: [true, false], message: 'must be a boolean value' }
before_validation :ensure_uuid! before_validation :ensure_uuid!
before_save :ensure_runners_registration_token before_save :ensure_runners_registration_token
......
...@@ -58,6 +58,7 @@ module ApplicationSettingImplementation ...@@ -58,6 +58,7 @@ module ApplicationSettingImplementation
default_projects_limit: Settings.gitlab['default_projects_limit'], default_projects_limit: Settings.gitlab['default_projects_limit'],
default_snippet_visibility: Settings.gitlab.default_projects_features['visibility_level'], default_snippet_visibility: Settings.gitlab.default_projects_features['visibility_level'],
diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES, diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
disable_feed_token: false,
disabled_oauth_sign_in_sources: [], disabled_oauth_sign_in_sources: [],
dns_rebinding_protection_enabled: true, dns_rebinding_protection_enabled: true,
domain_allowlist: Settings.gitlab['domain_allowlist'], domain_allowlist: Settings.gitlab['domain_allowlist'],
......
...@@ -1659,7 +1659,7 @@ class User < ApplicationRecord ...@@ -1659,7 +1659,7 @@ class User < ApplicationRecord
# we do this on read since migrating all existing users is not a feasible # we do this on read since migrating all existing users is not a feasible
# solution. # solution.
def feed_token def feed_token
ensure_feed_token! Gitlab::CurrentSettings.disable_feed_token ? nil : ensure_feed_token!
end end
# Each existing user needs to have a `static_object_token`. # Each existing user needs to have a `static_object_token`.
......
...@@ -66,4 +66,12 @@ ...@@ -66,4 +66,12 @@
.form-group .form-group
= f.label field_name, "#{type.upcase} SSH keys", class: 'label-bold' = f.label field_name, "#{type.upcase} SSH keys", class: 'label-bold'
= f.select field_name, key_restriction_options_for_select(type), {}, class: 'form-control' = f.select field_name, key_restriction_options_for_select(type), {}, class: 'form-control'
.form-group
%label.label-bold= s_('AdminSettings|Feed token')
.form-check
= f.check_box :disable_feed_token, class: 'form-check-input'
= f.label :disable_feed_token, class: 'form-check-label' do
= s_('AdminSettings|Disable feed token')
= f.submit _('Save changes'), class: "gl-button btn btn-success" = f.submit _('Save changes'), class: "gl-button btn btn-success"
...@@ -32,22 +32,23 @@ ...@@ -32,22 +32,23 @@
active_tokens: @active_personal_access_tokens, active_tokens: @active_personal_access_tokens,
revoke_route_helper: ->(token) { revoke_profile_personal_access_token_path(token) } revoke_route_helper: ->(token) { revoke_profile_personal_access_token_path(token) }
%hr - unless Gitlab::CurrentSettings.disable_feed_token
.row.gl-mt-3 %hr
.col-lg-4.profile-settings-sidebar .row.gl-mt-3
%h4.gl-mt-0 .col-lg-4.profile-settings-sidebar
= s_('AccessTokens|Feed token') %h4.gl-mt-0
%p = s_('AccessTokens|Feed token')
= s_('AccessTokens|Your feed token is used to authenticate you when your RSS reader loads a personalized RSS feed or when your calendar application loads a personalized calendar, and is included in those feed URLs.') %p
%p = s_('AccessTokens|Your feed token is used to authenticate you when your RSS reader loads a personalized RSS feed or when your calendar application loads a personalized calendar, and is included in those feed URLs.')
= s_('AccessTokens|It cannot be used to access any other data.') %p
.col-lg-8.feed-token-reset = s_('AccessTokens|It cannot be used to access any other data.')
= label_tag :feed_token, s_('AccessTokens|Feed token'), class: 'label-bold' .col-lg-8.feed-token-reset
= text_field_tag :feed_token, current_user.feed_token, class: 'form-control js-select-on-focus', readonly: true = label_tag :feed_token, s_('AccessTokens|Feed token'), class: 'label-bold'
%p.form-text.text-muted = text_field_tag :feed_token, current_user.feed_token, class: 'form-control js-select-on-focus', readonly: true
- reset_link = link_to s_('AccessTokens|reset it'), [:reset, :feed_token, :profile], method: :put, data: { confirm: s_('AccessTokens|Are you sure? Any RSS or calendar URLs currently in use will stop working.') } %p.form-text.text-muted
- reset_message = s_('AccessTokens|Keep this token secret. Anyone who gets ahold of it can read activity and issue RSS feeds or your calendar feed as if they were you. You should %{link_reset_it} if that ever happens.') % { link_reset_it: reset_link } - reset_link = link_to s_('AccessTokens|reset it'), [:reset, :feed_token, :profile], method: :put, data: { confirm: s_('AccessTokens|Are you sure? Any RSS or calendar URLs currently in use will stop working.') }
= reset_message.html_safe - reset_message = s_('AccessTokens|Keep this token secret. Anyone who gets ahold of it can read activity and issue RSS feeds or your calendar feed as if they were you. You should %{link_reset_it} if that ever happens.') % { link_reset_it: reset_link }
= reset_message.html_safe
- if incoming_email_token_enabled? - if incoming_email_token_enabled?
%hr %hr
......
---
title: Add Setting to disable feed_tokens
merge_request: 48600
author:
type: added
# frozen_string_literal: true
class AddFeedTokenOffToSettings < ActiveRecord::Migration[6.0]
DOWNTIME = false
def change
add_column :application_settings, :disable_feed_token, :boolean, null: false, default: false
end
end
65dcc2a53d48acc83dbfc5276e8cfc1eee5f20ffea8355d86df1f2d5b329061b
\ No newline at end of file
...@@ -9370,6 +9370,7 @@ CREATE TABLE application_settings ( ...@@ -9370,6 +9370,7 @@ CREATE TABLE application_settings (
encrypted_cloud_license_auth_token_iv text, encrypted_cloud_license_auth_token_iv text,
secret_detection_revocation_token_types_url text, secret_detection_revocation_token_types_url text,
cloud_license_enabled boolean DEFAULT false NOT NULL, cloud_license_enabled boolean DEFAULT false NOT NULL,
disable_feed_token boolean DEFAULT false NOT NULL,
CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)), CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),
CONSTRAINT check_17d9558205 CHECK ((char_length((kroki_url)::text) <= 1024)), CONSTRAINT check_17d9558205 CHECK ((char_length((kroki_url)::text) <= 1024)),
CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)), CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)),
......
...@@ -233,6 +233,7 @@ listed in the descriptions of the relevant settings. ...@@ -233,6 +233,7 @@ listed in the descriptions of the relevant settings.
| `default_snippet_visibility` | string | no | What visibility level new snippets receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. | | `default_snippet_visibility` | string | no | What visibility level new snippets receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. |
| `deletion_adjourned_period` | integer | no | **(PREMIUM ONLY)** The number of days to wait before deleting a project or group that is marked for deletion. Value must be between 0 and 90. | `deletion_adjourned_period` | integer | no | **(PREMIUM ONLY)** The number of days to wait before deleting a project or group that is marked for deletion. Value must be between 0 and 90.
| `diff_max_patch_bytes` | integer | no | Maximum diff patch size (Bytes). | | `diff_max_patch_bytes` | integer | no | Maximum diff patch size (Bytes). |
| `disable_feed_token` | boolean | no | Disable display of RSS/Atom and calendar feed tokens ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/231493) in GitLab 13.7) |
| `disabled_oauth_sign_in_sources` | array of strings | no | Disabled OAuth sign-in sources. | | `disabled_oauth_sign_in_sources` | array of strings | no | Disabled OAuth sign-in sources. |
| `dns_rebinding_protection_enabled` | boolean | no | Enforce DNS rebinding attack protection. | | `dns_rebinding_protection_enabled` | boolean | no | Enforce DNS rebinding attack protection. |
| `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. | | `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. |
......
...@@ -52,6 +52,7 @@ module API ...@@ -52,6 +52,7 @@ module API
optional :default_project_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default project visibility' optional :default_project_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default project visibility'
optional :default_projects_limit, type: Integer, desc: 'The maximum number of personal projects' optional :default_projects_limit, type: Integer, desc: 'The maximum number of personal projects'
optional :default_snippet_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default snippet visibility' optional :default_snippet_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default snippet visibility'
optional :disable_feed_token, type: Boolean, desc: 'Disable display of RSS/Atom and Calendar `feed_tokens`'
optional :disabled_oauth_sign_in_sources, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Disable certain OAuth sign-in sources' optional :disabled_oauth_sign_in_sources, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Disable certain OAuth sign-in sources'
optional :domain_denylist_enabled, type: Boolean, desc: 'Enable domain denylist for sign ups' optional :domain_denylist_enabled, type: Boolean, desc: 'Enable domain denylist for sign ups'
optional :domain_denylist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com' optional :domain_denylist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
......
...@@ -46,6 +46,7 @@ module Gitlab ...@@ -46,6 +46,7 @@ module Gitlab
def find_user_from_feed_token(request_format) def find_user_from_feed_token(request_format)
return unless valid_rss_format?(request_format) return unless valid_rss_format?(request_format)
return if Gitlab::CurrentSettings.disable_feed_token
# NOTE: feed_token was renamed from rss_token but both needs to be supported because # NOTE: feed_token was renamed from rss_token but both needs to be supported because
# users might have already added the feed to their RSS reader before the rename # users might have already added the feed to their RSS reader before the rename
......
...@@ -1963,6 +1963,9 @@ msgstr "" ...@@ -1963,6 +1963,9 @@ msgstr ""
msgid "AdminSettings|Auto DevOps domain" msgid "AdminSettings|Auto DevOps domain"
msgstr "" msgstr ""
msgid "AdminSettings|Disable feed token"
msgstr ""
msgid "AdminSettings|Elasticsearch, PlantUML, Slack application, Third party offers, Snowplow, Amazon EKS have moved to Settings &gt; General." msgid "AdminSettings|Elasticsearch, PlantUML, Slack application, Third party offers, Snowplow, Amazon EKS have moved to Settings &gt; General."
msgstr "" msgstr ""
...@@ -1972,6 +1975,9 @@ msgstr "" ...@@ -1972,6 +1975,9 @@ msgstr ""
msgid "AdminSettings|Environment variables are protected by default" msgid "AdminSettings|Environment variables are protected by default"
msgstr "" msgstr ""
msgid "AdminSettings|Feed token"
msgstr ""
msgid "AdminSettings|Go to General Settings" msgid "AdminSettings|Go to General Settings"
msgstr "" msgstr ""
......
...@@ -18,5 +18,14 @@ RSpec.describe CalendarHelper do ...@@ -18,5 +18,14 @@ RSpec.describe CalendarHelper do
expect(helper.calendar_url_options[:feed_token]).to be_nil expect(helper.calendar_url_options[:feed_token]).to be_nil
end end
end end
context 'when feed token disabled' do
it "does not have a feed_token" do
current_user = create(:user)
allow(helper).to receive(:current_user).and_return(current_user)
allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
expect(helper.calendar_url_options[:feed_token]).to be_nil
end
end
end end
end end
...@@ -18,5 +18,14 @@ RSpec.describe RssHelper do ...@@ -18,5 +18,14 @@ RSpec.describe RssHelper do
expect(helper.rss_url_options[:feed_token]).to be_nil expect(helper.rss_url_options[:feed_token]).to be_nil
end end
end end
context 'when feed_token disabled' do
it "does not have a feed_token" do
current_user = create(:user)
allow(helper).to receive(:current_user).and_return(current_user)
allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
expect(helper.rss_url_options[:feed_token]).to be_nil
end
end
end end
end end
...@@ -147,6 +147,13 @@ RSpec.describe Gitlab::Auth::AuthFinders do ...@@ -147,6 +147,13 @@ RSpec.describe Gitlab::Auth::AuthFinders do
expect(find_user_from_feed_token(:rss)).to eq user expect(find_user_from_feed_token(:rss)).to eq user
end end
it 'returns nil if valid feed_token and disabled' do
allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
set_param(:feed_token, user.feed_token)
expect(find_user_from_feed_token(:rss)).to be_nil
end
it 'returns nil if feed_token is blank' do it 'returns nil if feed_token is blank' do
expect(find_user_from_feed_token(:rss)).to be_nil expect(find_user_from_feed_token(:rss)).to be_nil
end end
......
...@@ -1523,6 +1523,16 @@ RSpec.describe User do ...@@ -1523,6 +1523,16 @@ RSpec.describe User do
expect(feed_token).not_to be_blank expect(feed_token).not_to be_blank
expect(user.reload.feed_token).to eq feed_token expect(user.reload.feed_token).to eq feed_token
end end
it 'ensures no feed token when disabled' do
allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
user = create(:user, feed_token: nil)
feed_token = user.feed_token
expect(feed_token).to be_blank
expect(user.reload.feed_token).to be_blank
end
end end
describe 'static object token' do describe 'static object token' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment