Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (#36688)

2026-02-21 13:38:39 +01:00 · 2026-02-20 16:56:43 -08:00 · 2026-02-20 16:56:43 -08:00 · 7012c969b6
commit 7012c969b6
parent 8051056075
1 changed files with 22 additions and 0 deletions
--- a/modules/setting/admin.go
+++ b/modules/setting/admin.go
@ -5,6 +5,7 @@ package setting

 import (
 	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/log"
 )

 // Admin settings
@ -15,12 +16,33 @@ var Admin struct {
 	ExternalUserDisableFeatures container.Set[string]
 }

+var validUserFeatures = container.SetOf(
+	UserFeatureDeletion,
+	UserFeatureManageSSHKeys,
+	UserFeatureManageGPGKeys,
+	UserFeatureManageMFA,
+	UserFeatureManageCredentials,
+	UserFeatureChangeUsername,
+	UserFeatureChangeFullName,
+)
+
 func loadAdminFrom(rootCfg ConfigProvider) {
 	sec := rootCfg.Section("admin")
 	Admin.DisableRegularOrgCreation = sec.Key("DISABLE_REGULAR_ORG_CREATION").MustBool(false)
 	Admin.DefaultEmailNotification = sec.Key("DEFAULT_EMAIL_NOTIFICATIONS").MustString("enabled")
 	Admin.UserDisabledFeatures = container.SetOf(sec.Key("USER_DISABLED_FEATURES").Strings(",")...)
 	Admin.ExternalUserDisableFeatures = container.SetOf(sec.Key("EXTERNAL_USER_DISABLE_FEATURES").Strings(",")...).Union(Admin.UserDisabledFeatures)
+
+	for feature := range Admin.UserDisabledFeatures {
+		if !validUserFeatures.Contains(feature) {
+			log.Warn("USER_DISABLED_FEATURES contains unknown feature %q", feature)
+		}
+	}
+	for feature := range Admin.ExternalUserDisableFeatures {
+		if !validUserFeatures.Contains(feature) && !Admin.UserDisabledFeatures.Contains(feature) {
+			log.Warn("EXTERNAL_USER_DISABLE_FEATURES contains unknown feature %q", feature)
+		}
+	}
 }

 const (