Add ALLOWED_ORG_VISIBILITY_MODES setting

markwylde · Claude · markwylde · commit 93dd2042ab00 · 2025-04-26T12:43:01.000+01:00
Similar to ALLOWED_USER_VISIBILITY_MODES, this setting restricts which visibility modes (public, limited, private) can be selected for organizations. - Added new settings in service.go - Updated settings loading to parse the config - Modified org templates to filter visibility options - Added validation in controllers and service layer - Added translation for error message - Added tests for configuration loading and validation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/modules/setting/service.go b/modules/setting/service.go
@@ -248,7 +248,7 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 		Service.DefaultUserVisibility = Service.AllowedUserVisibilityModes[0]
 	}
 	Service.DefaultUserVisibilityMode = structs.VisibilityModes[Service.DefaultUserVisibility]
-	
+
 	// Process allowed organization visibility modes
 	modes = sec.Key("ALLOWED_ORG_VISIBILITY_MODES").Strings(",")
 	if len(modes) != 0 {
@@ -268,7 +268,7 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 		Service.AllowedOrgVisibilityModes = []string{"public", "limited", "private"}
 		Service.AllowedOrgVisibilityModesSlice = []bool{true, true, true}
 	}
-	
+
 	Service.DefaultOrgVisibility = sec.Key("DEFAULT_ORG_VISIBILITY").String()
 	if Service.DefaultOrgVisibility == "" {
 		Service.DefaultOrgVisibility = Service.AllowedOrgVisibilityModes[0]
diff --git a/modules/setting/service_test.go b/modules/setting/service_test.go
@@ -126,6 +126,87 @@ ALLOWED_USER_VISIBILITY_MODES = public, limit, privated
 	}
 }
 
+func TestLoadServiceOrgVisibilityModes(t *testing.T) {
+	defer test.MockVariableValue(&Service)()
+
+	kases := map[string]func(){
+		`
+[service]
+DEFAULT_ORG_VISIBILITY = public
+ALLOWED_ORG_VISIBILITY_MODES = public,limited,private
+`: func() {
+			assert.Equal(t, "public", Service.DefaultOrgVisibility)
+			assert.Equal(t, structs.VisibleTypePublic, Service.DefaultOrgVisibilityMode)
+			assert.Equal(t, []string{"public", "limited", "private"}, Service.AllowedOrgVisibilityModes)
+		},
+		`
+		[service]
+		DEFAULT_ORG_VISIBILITY = public
+		`: func() {
+			assert.Equal(t, "public", Service.DefaultOrgVisibility)
+			assert.Equal(t, structs.VisibleTypePublic, Service.DefaultOrgVisibilityMode)
+			assert.Equal(t, []string{"public", "limited", "private"}, Service.AllowedOrgVisibilityModes)
+		},
+		`
+		[service]
+		DEFAULT_ORG_VISIBILITY = limited
+		`: func() {
+			assert.Equal(t, "limited", Service.DefaultOrgVisibility)
+			assert.Equal(t, structs.VisibleTypeLimited, Service.DefaultOrgVisibilityMode)
+			assert.Equal(t, []string{"public", "limited", "private"}, Service.AllowedOrgVisibilityModes)
+		},
+		`
+[service]
+ALLOWED_ORG_VISIBILITY_MODES = public,limited,private
+`: func() {
+			assert.Equal(t, "public", Service.DefaultOrgVisibility)
+			assert.Equal(t, structs.VisibleTypePublic, Service.DefaultOrgVisibilityMode)
+			assert.Equal(t, []string{"public", "limited", "private"}, Service.AllowedOrgVisibilityModes)
+		},
+		`
+[service]
+DEFAULT_ORG_VISIBILITY = public
+ALLOWED_ORG_VISIBILITY_MODES = limited,private
+`: func() {
+			assert.Equal(t, "limited", Service.DefaultOrgVisibility)
+			assert.Equal(t, structs.VisibleTypeLimited, Service.DefaultOrgVisibilityMode)
+			assert.Equal(t, []string{"limited", "private"}, Service.AllowedOrgVisibilityModes)
+		},
+		`
+[service]
+DEFAULT_ORG_VISIBILITY = my_type
+ALLOWED_ORG_VISIBILITY_MODES = limited,private
+`: func() {
+			assert.Equal(t, "limited", Service.DefaultOrgVisibility)
+			assert.Equal(t, structs.VisibleTypeLimited, Service.DefaultOrgVisibilityMode)
+			assert.Equal(t, []string{"limited", "private"}, Service.AllowedOrgVisibilityModes)
+		},
+		`
+[service]
+DEFAULT_ORG_VISIBILITY = public
+ALLOWED_ORG_VISIBILITY_MODES = public, limit, privated
+`: func() {
+			assert.Equal(t, "public", Service.DefaultOrgVisibility)
+			assert.Equal(t, structs.VisibleTypePublic, Service.DefaultOrgVisibilityMode)
+			assert.Equal(t, []string{"public"}, Service.AllowedOrgVisibilityModes)
+		},
+	}
+
+	for kase, fun := range kases {
+		t.Run(kase, func(t *testing.T) {
+			cfg, err := NewConfigProviderFromData(kase)
+			assert.NoError(t, err)
+			loadServiceFrom(cfg)
+			fun()
+			// reset
+			Service.AllowedOrgVisibilityModesSlice = []bool{true, true, true}
+			Service.AllowedOrgVisibilityModes = []string{}
+			Service.DefaultOrgVisibility = ""
+			Service.DefaultOrgVisibilityMode = structs.VisibleTypePublic
+		})
+	}
+}
+
 func TestLoadServiceRequireSignInView(t *testing.T) {
 	defer test.MockVariableValue(&Service)()
 
diff --git a/services/user/update_test.go b/services/user/update_test.go
@@ -11,7 +11,9 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	password_module "code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/test"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -118,3 +120,68 @@ func TestUpdateAuth(t *testing.T) {
 		Password: optional.Some("aaaa"),
 	}), password_module.ErrMinLength)
 }
+
+func TestVisibilityModeValidation(t *testing.T) {
+	// Mock testing setup
+	defer test.MockVariableValue(&setting.Service)()
+
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	// Organization user
+	org := &user_model.User{
+		ID:        500,
+		Type:      user_model.UserTypeOrganization,
+		Name:      "test-org",
+		LowerName: "test-org",
+	}
+
+	// Regular user
+	user := &user_model.User{
+		ID:        501,
+		Type:      user_model.UserTypeIndividual,
+		Name:      "test-user",
+		LowerName: "test-user",
+	}
+
+	// Test case 1: Allow only limited and private visibility for organizations
+	setting.Service.AllowedOrgVisibilityModesSlice = []bool{false, true, true}
+	setting.Service.AllowedOrgVisibilityModes = []string{"limited", "private"}
+
+	// Should fail when trying to set public visibility for organization
+	err := UpdateUser(db.DefaultContext, org, &UpdateOptions{
+		Visibility: optional.Some(structs.VisibleTypePublic),
+	})
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "visibility mode not allowed for organization")
+
+	// Should succeed when setting limited visibility for organization
+	err = UpdateUser(db.DefaultContext, org, &UpdateOptions{
+		Visibility: optional.Some(structs.VisibleTypeLimited),
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, structs.VisibleTypeLimited, org.Visibility)
+
+	// Test case 2: Allow only public and limited visibility for users
+	setting.Service.AllowedUserVisibilityModesSlice = []bool{true, true, false}
+	setting.Service.AllowedUserVisibilityModes = []string{"public", "limited"}
+
+	// Should fail when trying to set private visibility for user
+	err = UpdateUser(db.DefaultContext, user, &UpdateOptions{
+		Visibility: optional.Some(structs.VisibleTypePrivate),
+	})
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "visibility mode not allowed")
+
+	// Should succeed when setting public visibility for user
+	err = UpdateUser(db.DefaultContext, user, &UpdateOptions{
+		Visibility: optional.Some(structs.VisibleTypePublic),
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, structs.VisibleTypePublic, user.Visibility)
+
+	// Reset to default settings
+	setting.Service.AllowedOrgVisibilityModesSlice = []bool{true, true, true}
+	setting.Service.AllowedOrgVisibilityModes = []string{"public", "limited", "private"}
+	setting.Service.AllowedUserVisibilityModesSlice = []bool{true, true, true}
+	setting.Service.AllowedUserVisibilityModes = []string{"public", "limited", "private"}
+}
