Restrict creating organisations by user

cmd/web.go

@@ -280,7 +280,7 @@ func runWeb(ctx *cli.Context) error {
 
 		m.Group("/users", func() {
 			m.Get("", admin.Users)
-			m.Combo("/new").Get(admin.NewUser).Post(bindIgnErr(auth.AdminCrateUserForm{}), admin.NewUserPost)
+			m.Combo("/new").Get(admin.NewUser).Post(bindIgnErr(auth.AdminCreateUserForm{}), admin.NewUserPost)
 			m.Combo("/:userid").Get(admin.EditUser).Post(bindIgnErr(auth.AdminEditUserForm{}), admin.EditUserPost)
 			m.Post("/:userid/delete", admin.DeleteUser)
 		})

conf/locale/locale_de-DE.ini

@@ -815,6 +815,7 @@ team_permission_desc=Welche Berechtigungsstufe soll das Team haben?
 
 form.name_reserved=Organisationsname '%s' ist bereits vergeben.
 form.name_pattern_not_allowed=Organisationsnamen der Form '%s' sind nicht erlaubt.
+form.create_org_not_allowed=Dieser Benutzer darf keine Organisation erstellen.
 
 settings=Einstellungen
 settings.options=Optionen
@@ -963,6 +964,7 @@ users.prohibit_login=Diesem Konto ist es nicht gestattet sich anzumelden
 users.is_admin=Dieses Konto hat Administratorrechte
 users.allow_git_hook=Dieses Konto ist berechtigt Git-Hooks zu erstellen
 users.allow_import_local=Dieses Konto ist berechtigt, lokale Repositories zu importieren
+users.allow_create_organization=Dieses Konto ist berechtigt, Organisationen zu erstellen
 users.update_profile=Konto aktualisieren
 users.delete_account=Dieses Konto löschen
 users.still_own_repo=Dieses Konto besitzt noch Repositories. Sie müssen diese zuerst löschen oder übertragen.

conf/locale/locale_en-US.ini

@@ -818,6 +818,7 @@ team_permission_desc = What permission level should this team have?
 
 form.name_reserved = Organization name '%s' is reserved.
 form.name_pattern_not_allowed = Organization name pattern '%s' is not allowed.
+form.create_org_not_allowed = This user is not allowed to create an organization.
 
 settings = Settings
 settings.options = Options
@@ -968,6 +969,7 @@ users.prohibit_login = This account is prohibited to login
 users.is_admin = This account has administrator permissions
 users.allow_git_hook = This account has permissions to create Git hooks
 users.allow_import_local = This account has permissions to import local repositories
+users.allow_create_organization = This account has permissions to create Organizations
 users.update_profile = Update Account Profile
 users.delete_account = Delete This Account
 users.still_own_repo = This account still has ownership over at least one repository, you have to delete or transfer them first.

models/error.go

@@ -108,6 +108,18 @@ func (err ErrUserHasOrgs) Error() string {
 	return fmt.Sprintf("user still has membership of organizations [uid: %d]", err.UID)
 }
 
+type ErrUserNotAllowedCreateOrg struct {
+}
+
+func IsErrUserNotAllowedCreateOrg(err error) bool {
+	_, ok := err.(ErrUserNotAllowedCreateOrg)
+	return ok
+}
+
+func (err ErrUserNotAllowedCreateOrg) Error() string {
+	return fmt.Sprintf("user is not allowed to create organizations")
+}
+
 type ErrReachLimitOfRepo struct {
 	Limit int
 }

models/migrations/migrations.go

@@ -18,7 +18,7 @@ import (
 	"github.com/Unknwon/com"
 	"github.com/go-xorm/xorm"
 	gouuid "github.com/satori/go.uuid"
-	"gopkg.in/ini.v1"
+	ini "gopkg.in/ini.v1"
 
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/log"
@@ -72,8 +72,10 @@ var migrations = []Migration{
 
 	// v13 -> v14:v0.9.87
 	NewMigration("set comment updated with created", setCommentUpdatedWithCreated),
-
+	// v14
 	NewMigration("create user column diff view style", createUserColumnDiffViewStyle),
+	// v15
+	NewMigration("create user colum allow create organization", createAllowCreateOrganizationColumn),
 }
 
 // Migrate database to current version

models/migrations/v15.go

@@ -0,0 +1,19 @@
+// Copyright 2016 Gitea. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import "github.com/go-xorm/xorm"
+
+type UserV15 struct {
+	AllowCreateOrganization bool
+}
+
+func (*UserV15) TableName() string {
+	return "user"
+}
+
+func createAllowCreateOrganizationColumn(x *xorm.Engine) error {
+	return x.Sync2(new(UserV15))
+}

models/org.go

@@ -95,6 +95,10 @@ func (org *User) RemoveOrgRepo(repoID int64) error {
 
 // CreateOrganization creates record of a new organization.
 func CreateOrganization(org, owner *User) (err error) {
+	if !owner.CanCreateOrganization() {
+		return ErrUserNotAllowedCreateOrg{}
+	}
+
 	if err = IsUsableUsername(org.Name); err != nil {
 		return err
 	}

models/user.go

@@ -84,11 +84,12 @@ type User struct {
 	MaxRepoCreation int `xorm:"NOT NULL DEFAULT -1"`
 
 	// Permissions
-	IsActive         bool // Activate primary email
-	IsAdmin          bool
-	AllowGitHook     bool
-	AllowImportLocal bool // Allow migrate repository by local path
-	ProhibitLogin    bool
+	IsActive                bool // Activate primary email
+	IsAdmin                 bool
+	AllowGitHook            bool
+	AllowImportLocal        bool // Allow migrate repository by local path
+	AllowCreateOrganization bool
+	ProhibitLogin           bool
 
 	// Avatar
 	Avatar          string `xorm:"VARCHAR(2048) NOT NULL"`
@@ -185,6 +186,11 @@ func (u *User) CanCreateRepo() bool {
 	return u.NumRepos < u.MaxRepoCreation
 }
 
+// CanCreateOrg returns true if user can create organisation.
+func (u *User) CanCreateOrganization() bool {
+	return u.IsAdmin || u.AllowCreateOrganization
+}
+
 // CanEditGitHook returns true if user can edit Git hooks.
 func (u *User) CanEditGitHook() bool {
 	return u.IsAdmin || u.AllowGitHook

modules/auth/admin.go

@@ -5,12 +5,12 @@
 package auth
 
 import (
-	"gopkg.in/macaron.v1"
+	macaron "gopkg.in/macaron.v1"
 
 	"github.com/go-macaron/binding"
 )
 
-type AdminCrateUserForm struct {
+type AdminCreateUserForm struct {
 	LoginType  string `binding:"Required"`
 	LoginName  string
 	UserName   string `binding:"Required;AlphaDashDot;MaxSize(35)"`
@@ -19,24 +19,25 @@ type AdminCrateUserForm struct {
 	SendNotify bool
 }
 
-func (f *AdminCrateUserForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+func (f *AdminCreateUserForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
 	return validate(errs, ctx.Data, f, ctx.Locale)
 }
 
 type AdminEditUserForm struct {
-	LoginType        string `binding:"Required"`
-	LoginName        string
-	FullName         string `binding:"MaxSize(100)"`
-	Email            string `binding:"Required;Email;MaxSize(254)"`
-	Password         string `binding:"MaxSize(255)"`
-	Website          string `binding:"MaxSize(50)"`
-	Location         string `binding:"MaxSize(50)"`
-	MaxRepoCreation  int
-	Active           bool
-	Admin            bool
-	AllowGitHook     bool
-	AllowImportLocal bool
-	ProhibitLogin    bool
+	LoginType               string `binding:"Required"`
+	LoginName               string
+	FullName                string `binding:"MaxSize(100)"`
+	Email                   string `binding:"Required;Email;MaxSize(254)"`
+	Password                string `binding:"MaxSize(255)"`
+	Website                 string `binding:"MaxSize(50)"`
+	Location                string `binding:"MaxSize(50)"`
+	MaxRepoCreation         int
+	Active                  bool
+	Admin                   bool
+	AllowGitHook            bool
+	AllowImportLocal        bool
+	AllowCreateOrganization bool
+	ProhibitLogin           bool
 }
 
 func (f *AdminEditUserForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {