Add ALLOWED_ORG_VISIBILITY_MODES setting

Similar to ALLOWED_USER_VISIBILITY_MODES, this setting restricts which visibility
modes (public, limited, private) can be selected for organizations.

- Added new settings in service.go
- Updated settings loading to parse the config
- Modified org templates to filter visibility options
- Added validation in controllers and service layer
- Added translation for error message

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: markwylde

modules/setting/service.go

@@ -32,6 +32,8 @@ var Service = struct {
 	AllowedUserVisibilityModesSlice         AllowedVisibility `ini:"-"`
 	DefaultOrgVisibility                    string
 	DefaultOrgVisibilityMode                structs.VisibleType
+	AllowedOrgVisibilityModes               []string
+	AllowedOrgVisibilityModesSlice          AllowedVisibility `ini:"-"`
 	ActiveCodeLives                         int
 	ResetPwdCodeLives                       int
 	RegisterEmailConfirm                    bool
@@ -108,6 +110,7 @@ var Service = struct {
 	}
 }{
 	AllowedUserVisibilityModesSlice: []bool{true, true, true},
+	AllowedOrgVisibilityModesSlice:  []bool{true, true, true},
 }
 
 // AllowedVisibility store in a 3 item bool array what is allowed
@@ -245,7 +248,34 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 		Service.DefaultUserVisibility = Service.AllowedUserVisibilityModes[0]
 	}
 	Service.DefaultUserVisibilityMode = structs.VisibilityModes[Service.DefaultUserVisibility]
-	Service.DefaultOrgVisibility = sec.Key("DEFAULT_ORG_VISIBILITY").In("public", structs.ExtractKeysFromMapString(structs.VisibilityModes))
+	
+	// Process allowed organization visibility modes
+	modes = sec.Key("ALLOWED_ORG_VISIBILITY_MODES").Strings(",")
+	if len(modes) != 0 {
+		Service.AllowedOrgVisibilityModes = []string{}
+		Service.AllowedOrgVisibilityModesSlice = []bool{false, false, false}
+		for _, sMode := range modes {
+			if tp, ok := structs.VisibilityModes[sMode]; ok { // remove unsupported modes
+				Service.AllowedOrgVisibilityModes = append(Service.AllowedOrgVisibilityModes, sMode)
+				Service.AllowedOrgVisibilityModesSlice[tp] = true
+			} else {
+				log.Warn("ALLOWED_ORG_VISIBILITY_MODES %s is unsupported", sMode)
+			}
+		}
+	}
+
+	if len(Service.AllowedOrgVisibilityModes) == 0 {
+		Service.AllowedOrgVisibilityModes = []string{"public", "limited", "private"}
+		Service.AllowedOrgVisibilityModesSlice = []bool{true, true, true}
+	}
+	
+	Service.DefaultOrgVisibility = sec.Key("DEFAULT_ORG_VISIBILITY").String()
+	if Service.DefaultOrgVisibility == "" {
+		Service.DefaultOrgVisibility = Service.AllowedOrgVisibilityModes[0]
+	} else if !Service.AllowedOrgVisibilityModesSlice[structs.VisibilityModes[Service.DefaultOrgVisibility]] {
+		log.Warn("DEFAULT_ORG_VISIBILITY %s is wrong or not in ALLOWED_ORG_VISIBILITY_MODES, using first allowed", Service.DefaultOrgVisibility)
+		Service.DefaultOrgVisibility = Service.AllowedOrgVisibilityModes[0]
+	}
 	Service.DefaultOrgVisibilityMode = structs.VisibilityModes[Service.DefaultOrgVisibility]
 	Service.DefaultOrgMemberVisible = sec.Key("DEFAULT_ORG_MEMBER_VISIBLE").MustBool()
 	Service.UserDeleteWithCommentsMaxTime = sec.Key("USER_DELETE_WITH_COMMENTS_MAX_TIME").MustDuration(0)

options/locale/locale_en-US.ini

@@ -2808,6 +2808,7 @@ team_unit_disabled = (Disabled)
 form.name_reserved = The organization name "%s" is reserved.
 form.name_pattern_not_allowed = The pattern "%s" is not allowed in an organization name.
 form.create_org_not_allowed = You are not allowed to create an organization.
+form.visibility_not_allowed = The selected visibility mode is not allowed.
 
 settings = Settings
 settings.options = Organization

routers/web/org/org.go

@@ -33,6 +33,7 @@ func Create(ctx *context.Context) {
 	}
 
 	ctx.Data["visibility"] = setting.Service.DefaultOrgVisibilityMode
+	ctx.Data["AllowedOrgVisibilityModes"] = setting.Service.AllowedOrgVisibilityModesSlice.ToVisibleTypeSlice()
 	ctx.Data["repo_admin_change_team_access"] = true
 
 	ctx.HTML(http.StatusOK, tplCreateOrg)
@@ -48,6 +49,13 @@ func CreatePost(ctx *context.Context) {
 		return
 	}
 
+	// Check if the visibility is allowed
+	if !setting.Service.AllowedOrgVisibilityModesSlice.IsAllowedVisibility(form.Visibility) {
+		ctx.Data["Err_OrgVisibility"] = true
+		ctx.RenderWithErr(ctx.Tr("org.form.visibility_not_allowed"), tplCreateOrg, &form)
+		return
+	}
+
 	if ctx.HasError() {
 		ctx.HTML(http.StatusOK, tplCreateOrg)
 		return

routers/web/org/setting.go

@@ -47,6 +47,7 @@ func Settings(ctx *context.Context) {
 	ctx.Data["CurrentVisibility"] = ctx.Org.Organization.Visibility
 	ctx.Data["RepoAdminChangeTeamAccess"] = ctx.Org.Organization.RepoAdminChangeTeamAccess
 	ctx.Data["ContextUser"] = ctx.ContextUser
+	ctx.Data["AllowedOrgVisibilityModes"] = setting.Service.AllowedOrgVisibilityModesSlice.ToVisibleTypeSlice()
 
 	if _, err := shared_user.RenderUserOrgHeader(ctx); err != nil {
 		ctx.ServerError("RenderUserOrgHeader", err)
@@ -63,6 +64,14 @@ func SettingsPost(ctx *context.Context) {
 	ctx.Data["PageIsOrgSettings"] = true
 	ctx.Data["PageIsSettingsOptions"] = true
 	ctx.Data["CurrentVisibility"] = ctx.Org.Organization.Visibility
+	ctx.Data["AllowedOrgVisibilityModes"] = setting.Service.AllowedOrgVisibilityModesSlice.ToVisibleTypeSlice()
+
+	// Check if the visibility is allowed
+	if !setting.Service.AllowedOrgVisibilityModesSlice.IsAllowedVisibility(form.Visibility) {
+		ctx.Data["Err_Visibility"] = true
+		ctx.RenderWithErr(ctx.Tr("org.form.visibility_not_allowed"), tplSettingsOptions, form)
+		return
+	}
 
 	if ctx.HasError() {
 		ctx.HTML(http.StatusOK, tplSettingsOptions)

services/user/update.go

@@ -124,6 +124,9 @@ func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) er
 		if !u.IsOrganization() && !setting.Service.AllowedUserVisibilityModesSlice.IsAllowedVisibility(opts.Visibility.Value()) {
 			return fmt.Errorf("visibility mode not allowed: %s", opts.Visibility.Value().String())
 		}
+		if u.IsOrganization() && !setting.Service.AllowedOrgVisibilityModesSlice.IsAllowedVisibility(opts.Visibility.Value()) {
+			return fmt.Errorf("visibility mode not allowed for organization: %s", opts.Visibility.Value().String())
+		}
 		u.Visibility = opts.Visibility.Value()
 
 		cols = append(cols, "visibility")

templates/org/create.tmpl

@@ -17,18 +17,24 @@
 				<div class="inline field required {{if .Err_OrgVisibility}}error{{end}}">
 					<label for="visibility">{{ctx.Locale.Tr "org.settings.visibility"}}</label>
 					<div class="inline-right">
-						<div class="ui radio checkbox">
-							<input class="enable-system-radio" name="visibility" type="radio" value="0" {{if .visibility.IsPublic}}checked{{end}}>
-							<label>{{ctx.Locale.Tr "org.settings.visibility.public"}}</label>
-						</div>
-						<div class="ui radio checkbox">
-							<input class="enable-system-radio" name="visibility" type="radio" value="1" {{if .visibility.IsLimited}}checked{{end}}>
-							<label>{{ctx.Locale.Tr "org.settings.visibility.limited"}}</label>
-						</div>
-						<div class="ui radio checkbox">
-							<input class="enable-system-radio" name="visibility" type="radio" value="2" {{if .visibility.IsPrivate}}checked{{end}}>
-							<label>{{ctx.Locale.Tr "org.settings.visibility.private"}}</label>
-						</div>
+						{{range $mode := .AllowedOrgVisibilityModes}}
+							{{if $mode.IsPublic}}
+								<div class="ui radio checkbox">
+									<input class="enable-system-radio" name="visibility" type="radio" value="0" {{if $.visibility.IsPublic}}checked{{end}}>
+									<label>{{ctx.Locale.Tr "org.settings.visibility.public"}}</label>
+								</div>
+							{{else if $mode.IsLimited}}
+								<div class="ui radio checkbox">
+									<input class="enable-system-radio" name="visibility" type="radio" value="1" {{if $.visibility.IsLimited}}checked{{end}}>
+									<label>{{ctx.Locale.Tr "org.settings.visibility.limited"}}</label>
+								</div>
+							{{else if $mode.IsPrivate}}
+								<div class="ui radio checkbox">
+									<input class="enable-system-radio" name="visibility" type="radio" value="2" {{if $.visibility.IsPrivate}}checked{{end}}>
+									<label>{{ctx.Locale.Tr "org.settings.visibility.private"}}</label>
+								</div>
+							{{end}}
+						{{end}}
 					</div>
 				</div>
 

templates/org/settings/options.tmpl

@@ -39,24 +39,30 @@
 						<div class="divider"></div>
 						<div class="field" id="visibility_box">
 							<label for="visibility">{{ctx.Locale.Tr "org.settings.visibility"}}</label>
-							<div class="field">
-								<div class="ui radio checkbox">
-									<input class="enable-system-radio" name="visibility" type="radio" value="0" {{if eq .CurrentVisibility 0}}checked{{end}}>
-									<label>{{ctx.Locale.Tr "org.settings.visibility.public"}}</label>
-								</div>
-							</div>
-							<div class="field">
-								<div class="ui radio checkbox">
-									<input class="enable-system-radio" name="visibility" type="radio" value="1" {{if eq .CurrentVisibility 1}}checked{{end}}>
-									<label>{{ctx.Locale.Tr "org.settings.visibility.limited"}}</label>
-								</div>
-							</div>
-							<div class="field">
-								<div class="ui radio checkbox">
-									<input class="enable-system-radio" name="visibility" type="radio" value="2" {{if eq .CurrentVisibility 2}}checked{{end}}>
-									<label>{{ctx.Locale.Tr "org.settings.visibility.private"}}</label>
-								</div>
-							</div>
+							{{range $mode := .AllowedOrgVisibilityModes}}
+								{{if $mode.IsPublic}}
+									<div class="field">
+										<div class="ui radio checkbox">
+											<input class="enable-system-radio" name="visibility" type="radio" value="0" {{if eq $.CurrentVisibility 0}}checked{{end}}>
+											<label>{{ctx.Locale.Tr "org.settings.visibility.public"}}</label>
+										</div>
+									</div>
+								{{else if $mode.IsLimited}}
+									<div class="field">
+										<div class="ui radio checkbox">
+											<input class="enable-system-radio" name="visibility" type="radio" value="1" {{if eq $.CurrentVisibility 1}}checked{{end}}>
+											<label>{{ctx.Locale.Tr "org.settings.visibility.limited"}}</label>
+										</div>
+									</div>
+								{{else if $mode.IsPrivate}}
+									<div class="field">
+										<div class="ui radio checkbox">
+											<input class="enable-system-radio" name="visibility" type="radio" value="2" {{if eq $.CurrentVisibility 2}}checked{{end}}>
+											<label>{{ctx.Locale.Tr "org.settings.visibility.private"}}</label>
+										</div>
+									</div>
+								{{end}}
+							{{end}}
 						</div>
 
 						<div class="field" id="permission_box">