feat: restrict languages (#6931)

* feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * configure supported languages * fix allowed languages * fix tests * default lang must not be restricted * preferred language must be allowed * change preferred languages * check languages everywhere * lint * test command side * lint * add integration test * add integration test * restrict supported ui locales * lint * lint * cleanup * lint * allow undefined preferred language * fix integration tests * update main * fix env var * ignore linter * ignore linter * improve integration test config * reduce cognitive complexity * compile * check for duplicates * remove useless restriction checks * review * revert restriction renaming * fix language restrictions * lint * generate * allow custom texts for supported langs for now * fix tests * cleanup * cleanup * cleanup * lint * unsupported preferred lang is allowed * fix integration test * finish reverting to old property name * finish reverting to old property name * load languages * refactor(i18n): centralize translators and fs * lint * amplify no validations on preferred languages * fix integration test * lint * fix resetting allowed languages * test unchanged restrictions
2025-08-12 03:47:33 +00:00 · 2023-12-05 12:12:01 +01:00
parent 236930f109
commit dd33538c0a
123 changed files with 4133 additions and 2058 deletions
--- a/internal/command/restrictions.go
+++ b/internal/command/restrictions.go
@@ -3,16 +3,38 @@ package command
 import (
 	"context"

+	"golang.org/x/text/language"
+
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/domain"
-	"github.com/zitadel/zitadel/internal/errors"
+	zitadel_errors "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/i18n"
 	"github.com/zitadel/zitadel/internal/repository/restrictions"
 )

 type SetRestrictions struct {
 	DisallowPublicOrgRegistration *bool
+	AllowedLanguages              []language.Tag
+}
+
+func (s *SetRestrictions) Validate(defaultLanguage language.Tag) error {
+	if s == nil || (s.DisallowPublicOrgRegistration == nil && s.AllowedLanguages == nil) {
+		return zitadel_errors.ThrowInvalidArgument(nil, "COMMAND-oASwj", "Errors.Restrictions.NoneSpecified")
+	}
+	if s.AllowedLanguages != nil {
+		if err := domain.LanguagesHaveDuplicates(s.AllowedLanguages); err != nil {
+			return err
+		}
+		if err := domain.LanguagesAreSupported(i18n.SupportedLanguages(), s.AllowedLanguages...); err != nil {
+			return err
+		}
+		if err := domain.LanguageIsAllowed(false, s.AllowedLanguages, defaultLanguage); err != nil {
+			return zitadel_errors.ThrowPreconditionFailedf(err, "COMMAND-L0m2u", "Errors.Restrictions.DefaultLanguageMustBeAllowed")
+		}
+	}
+	return nil
 }

 // SetRestrictions creates new restrictions or updates existing restrictions.
@@ -60,10 +82,10 @@ func (c *Commands) getRestrictionsWriteModel(ctx context.Context, instanceId, re

 func (c *Commands) SetRestrictionsCommand(a *restrictions.Aggregate, wm *restrictionsWriteModel, setRestrictions *SetRestrictions) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
-		if setRestrictions == nil || setRestrictions.DisallowPublicOrgRegistration == nil {
-			return nil, errors.ThrowInvalidArgument(nil, "COMMAND-oASwj", "Errors.Restrictions.NoneSpecified")
-		}
 		return func(ctx context.Context, _ preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
+			if err := setRestrictions.Validate(authz.GetInstance(ctx).DefaultLanguage()); err != nil {
+				return nil, err
+			}
 			changes := wm.NewChanges(setRestrictions)
 			if len(changes) == 0 {
 				return nil, nil