Add config option to disable password reset via mail

[david-oswald]

• Gitea version (or commit ref): v1.9.3
• Operating system: n/a
• Database (use [x]): n/a
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist: n/a

Description

For centrally administrated installations, it might be desirable to disable password resets via email (which bypasses any 2FA) and instead require the admin to do that through the admin interface or via the terminal.

Currently, the only solution to achieve that seems to be to disable the mailer completely, which in turn disables other useful features like notifications.

Hence, it would be great to add a config.ini option similar to DISABLE_REGISTRATION, e.g. DISABLE_EMAIL_PASSWORD_RESET (default value false).

I think the required changes are relatively limited, mainly adding the option here:

https://github.com/go-gitea/gitea/blob/6dbd26185203d464c4a4e32e7af04a34f37ae4f2/modules/setting/service.go

and checking for the new option in addition to setting.MailService here:

• gitea/routers/user/auth.go

  Line 1199 in 171b359

  if setting.MailService == nil {

• gitea/routers/user/auth.go

  Line 1216 in 171b359

  if setting.MailService == nil {

I currently don't have a dev setup for gitea to implement that and send a PR, so if somebody else wants to pick this up that'd be great - however I can also give it a try if the backlog is already too full.

Great project overall btw, keep on the good work.

[plinss]

Somewhat related, when using an external authentication system, like LDAP, often there's a different site used to handle password resets. A configurable URL to direct users to the proper password reset mechanism would be useful and somewhat more user friendly than disabling password resets entirely (which may still be necessary if there isn't an external reset service).

[lunny]

related with #20549