feat: option to disallow public org registration (#6917)

* feat: return 404 or 409 if org reg disallowed

* fix: system limit permissions

* feat: add iam limits api

* feat: disallow public org registrations on default instance

* add integration test

* test: integration

* fix test

* docs: describe public org registrations

* avoid updating docs deps

* fix system limits integration test

* silence integration tests

* fix linting

* ignore strange linter complaints

* review

* improve reset properties naming

* redefine the api

* use restrictions aggregate

* test query

* simplify and test projection

* test commands

* fix unit tests

* move integration test

* support restrictions on default instance

* also test GetRestrictions

* self review

* lint

* abstract away resource owner

* fix tests

* lint
Elio Bischof
2023-11-22 10:29:38 +01:00
committed by GitHub
parent 5fa596a871
commit 76fe032b5f
45 changed files with 1280 additions and 123 deletions


@@ -823,6 +823,10 @@ DefaultInstance:
# A value of "0s" means that all events are available.
# If this value is set, it overwrites the system default unless it is not reset via the admin API.
AuditLogRetention: # ZITADEL_DEFAULTINSTANCE_LIMITS_AUDITLOGRETENTION
Restrictions:
# DisallowPublicOrgRegistration defines if ZITADEL should expose the endpoint /ui/login/register/org
# If it is true, the endpoint returns the HTTP status 404 on GET requests, and 409 on POST requests.
DisallowPublicOrgRegistration: # ZITADEL_DEFAULTINSTANCE_RESTRICTIONS_DISALLOWPUBLICORGREGISTRATION
Quotas:
# Items take a slice of quota configurations, whereas, for each unit type and instance, one or zero quotas may exist.
# The following unit types are supported
@@ -907,6 +911,8 @@ InternalAuthZ:
- "iam.flow.write"
- "iam.flow.delete"
- "iam.feature.write"
- "iam.restrictions.read"
- "iam.restrictions.write"
- "org.read"
- "org.global.read"
- "org.create"
@@ -967,6 +973,7 @@ InternalAuthZ:
- "iam.idp.read"
- "iam.action.read"
- "iam.flow.read"
- "iam.restrictions.read"
- "org.read"
- "org.member.read"
- "org.idp.read"
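Review bot: In the first hunk, the comment on `DisallowPublicOrgRegistration` reads as if the setting enables the endpoint, while the following line says a true value makes it answer 404/409, and neither line says what happens when the value is left empty as it is here. For a security-relevant restriction I would state the polarity and the unset behaviour in one place, e.g. `# If true, /ui/login/register/org is disabled (GET returns 404, POST returns 409). If empty, <effective default — to be filled in by the author>.`. The comment also names only the login UI endpoint, so it is worth saying whether other ways of creating an organization are covered by this restriction; that cannot be told from the lines shown. In the two `InternalAuthZ` hunks the role entries that receive `iam.restrictions.read` and `iam.restrictions.write` are named outside the hunks, so please confirm that the write permission lands only on the instance-level administrator role and that the read-only addition is on a role meant to see instance restrictions.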