Adds documentation & helper text for sign up restrictions

This change adds more prominent documentation for sign up restrictions.

Adds documentation & helper text for sign up restrictions
This change adds more prominent documentation for sign up restrictions.
f94170f6 · Manoj M J · Evan Read · 9ba82eae · f94170f6 · f94170f6
Commit f94170f6 authored Jan 06, 2020 by Manoj M J Committed by Evan Read Jan 06, 2020
9 changed files
--- a/app/views/admin/application_settings/_signup.html.haml
+++ b/app/views/admin/application_settings/_signup.html.haml
@@ -7,6 +7,8 @@
        = f.check_box :signup_enabled, class: 'form-check-input'
        = f.label :signup_enabled, class: 'form-check-label' do
          Sign-up enabled
+          .form-text.text-muted
+            = _("When enabled, any user visiting %{host} will be able to create an account.") % { host: "#{new_user_session_url(host: Gitlab.config.gitlab.host)}" }
    .form-group
      .form-check
        = f.check_box :send_user_confirmation_email, class: 'form-check-input'

--- a/changelogs/unreleased/30968-make-open-user-registration-setting-more-prominent-to-admins.yml
+++ b/changelogs/unreleased/30968-make-open-user-registration-setting-more-prominent-to-admins.yml
+---
+title: Add documentation & helper text information regarding securing a GitLab instance
+merge_request: 18987
+author:
+type: changed
--- a/doc/install/README.md
+++ b/doc/install/README.md
@@ -87,3 +87,7 @@ the above methods, provided the cloud provider supports it.
 - [Install GitLab on DigitalOcean](https://about.gitlab.com/blog/2016/04/27/getting-started-with-gitlab-and-digitalocean/): Install Omnibus GitLab on DigitalOcean.
 - _Testing only!_ [DigitalOcean and Docker Machine](digitaloceandocker.md):
  Quickly test any version of GitLab on DigitalOcean using Docker Machine.
+
+## Securing your GitLab installation
+
+After completing your installation, check out our [recommended practices to secure your GitLab instance](../security/README.md#securing-your-gitlab-installation).
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -19,3 +19,9 @@ type: index
 - [Send email confirmation on sign-up](user_email_confirmation.md)
 - [Security of running jobs](https://docs.gitlab.com/runner/security/)
 - [Proxying images](asset_proxy.md)
+
+## Securing your GitLab installation
+
+To make sure your GitLab instance is safe and secure, please consider implementing
+[Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) to avoid
+malicious users creating accounts.
--- a/doc/user/admin_area/settings/img/disable_signup_v12_7.png
+++ b/doc/user/admin_area/settings/img/disable_signup_v12_7.png
--- a/doc/user/admin_area/settings/img/email_confirmation.png
+++ b/doc/user/admin_area/settings/img/email_confirmation.png
--- a/doc/user/admin_area/settings/img/email_confirmation_v12_7.png
+++ b/doc/user/admin_area/settings/img/email_confirmation_v12_7.png
--- a/doc/user/admin_area/settings/sign_up_restrictions.md
+++ b/doc/user/admin_area/settings/sign_up_restrictions.md
@@ -4,20 +4,42 @@ type: reference

 # Sign-up restrictions **(CORE ONLY)**

-You can use sign-up restrictions to require user email confirmation, as well as
-to blacklist or whitelist email addresses belonging to specific domains.
+You can use sign-up restrictions to:

->**Note**: These restrictions are only applied during sign-up. An admin is
+- Disable new signups.
+- Require user email confirmation.
+- Blacklist or whitelist email addresses belonging to specific domains.
+
+NOTE: **Note:**
+These restrictions are only applied during sign-up from an external user. An admin is
 able to add a user through the admin panel with a disallowed domain. Also
 note that the users can change their email addresses after signup to
 disallowed domains.

+## Disable new signups
+
+When this setting is enabled, any user visiting your GitLab domain will be able to sign up for an account.
+
+![Disable signups](img/disable_signup_v12_7.png)
+
+You can restrict new users from signing up by themselves for an account in your instance by disabling this setting.
+
+### Recommendations
+
+For customers running public facing GitLab instances, we highly recommend that you
+consider disabling new signups if you do not expect public users to sign up for an
+account.
+
+Alternatively, you could also consider setting up a
+[whitelist](#whitelist-email-domains) or [blacklist](#blacklist-email-domains) on
+email domains to prevent malicious users from creating accounts.
+
 ## Require email confirmation

 You can send confirmation emails during sign-up and require that users confirm
 their email address before they are allowed to sign in.

-![Email confirmation](img/email_confirmation.png)
+![Email confirmation](img/email_confirmation_v12_7.png)

 ## Minimum password length limit


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -20423,6 +20423,9 @@ msgstr ""
 msgid "When a runner is locked, it cannot be assigned to other projects"
 msgstr ""

+msgid "When enabled, any user visiting %{host} will be able to create an account."
+msgstr ""
+
 msgid "When enabled, users cannot use GitLab until the terms have been accepted."
 msgstr ""