From 9bdbfbf6f3289f4df0df5aae9998a08483f22218 Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@users.noreply.github.com>
Date: Tue, 12 Sep 2017 05:25:42 -0400
Subject: [PATCH] Disable custom Git Hooks globally via configuration file
 (#2450)

* Create option to disable githooks globally via configuration file

* Update comment in app.ini to align with @ethantkoenig's suggestion

Signed-off-by: Matti Ranta <matti@mdranta.net>
---
 conf/app.ini                   | 2 ++
 models/user.go                 | 2 +-
 modules/setting/setting.go     | 2 ++
 modules/templates/helper.go    | 3 +++
 templates/admin/user/edit.tmpl | 2 +-
 5 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/conf/app.ini b/conf/app.ini
index 676321d7d5..9674b815c9 100644
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -206,6 +206,8 @@ REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
 MIN_PASSWORD_LENGTH = 6
 ; True when users are allowed to import local server paths
 IMPORT_LOCAL_PATHS = false
+; Prevent all users (including admin) from creating custom git hooks
+DISABLE_GIT_HOOKS = false
 
 [openid]
 ;
diff --git a/models/user.go b/models/user.go
index 01f14edb7f..1e2502ebc0 100644
--- a/models/user.go
+++ b/models/user.go
@@ -237,7 +237,7 @@ func (u *User) CanCreateOrganization() bool {
 
 // CanEditGitHook returns true if user can edit Git hooks.
 func (u *User) CanEditGitHook() bool {
-	return u.IsAdmin || u.AllowGitHook
+	return !setting.DisableGitHooks && (u.IsAdmin || u.AllowGitHook)
 }
 
 // CanImportLocal returns true if user can migrate repository by local path.
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 00aaad6913..721dd0f0f7 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -124,6 +124,7 @@ var (
 	ReverseProxyAuthUser string
 	MinPasswordLength    int
 	ImportLocalPaths     bool
+	DisableGitHooks      bool
 
 	// Database settings
 	UseSQLite3    bool
@@ -817,6 +818,7 @@ func NewContext() {
 	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
 	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
+	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
 	InternalToken = sec.Key("INTERNAL_TOKEN").String()
 	if len(InternalToken) == 0 {
 		secretBytes := make([]byte, 32)
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 821ff6c9c7..5ac0f6ee54 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -155,6 +155,9 @@ func NewFuncMap() []template.FuncMap {
 			}
 			return out.String()
 		},
+		"DisableGitHooks": func() bool {
+			return setting.DisableGitHooks
+		},
 	}}
 }
 
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index 4feeef302a..ae7cb56616 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -86,7 +86,7 @@
 				<div class="inline field">
 					<div class="ui checkbox">
 						<label><strong>{{.i18n.Tr "admin.users.allow_git_hook"}}</strong></label>
-						<input name="allow_git_hook" type="checkbox" {{if .User.CanEditGitHook}}checked{{end}}>
+						<input name="allow_git_hook" type="checkbox" {{if .User.CanEditGitHook}}checked{{end}} {{if DisableGitHooks}}disabled{{end}}>
 					</div>
 				</div>
 				<div class="inline field">