From d6470427f65b7e6c8725b15ad1c2962ba55a512b Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 30 Jul 2022 13:27:29 +0800
Subject: [PATCH 1/8] Allow disalbe part user settings

---
 custom/conf/app.example.ini          |  4 ++
 modules/setting/setting.go           |  2 +
 modules/setting/user.go              | 34 +++++++++++
 routers/web/user/setting/keys.go     | 10 ++++
 routers/web/web.go                   | 27 ++++++---
 templates/user/settings/account.tmpl | 84 +++++++++++++++-------------
 templates/user/settings/keys.tmpl    |  4 +-
 templates/user/settings/navbar.tmpl  | 24 +++++---
 8 files changed, 130 insertions(+), 59 deletions(-)
 create mode 100644 modules/setting/user.go

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 03f004ee90196..1367f40b50ac0 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2481,3 +2481,7 @@ ROUTER = console
 ;PROXY_URL =
 ;; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
 ;PROXY_HOSTS =
+
+;[user]
+; Disabled modules from user settings, could be passwods, suicide, security, applications, gpg keys, organiztions
+;USER_SETTING_DISABLED_MODULES =
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 9f2f0933d4eae..962c343933131 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -1128,6 +1128,8 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 	for _, emoji := range UI.CustomEmojis {
 		UI.CustomEmojisMap[emoji] = ":" + emoji + ":"
 	}
+
+	newUserSetting()
 }
 
 func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {
diff --git a/modules/setting/user.go b/modules/setting/user.go
new file mode 100644
index 0000000000000..1ea9ff1c79c3d
--- /dev/null
+++ b/modules/setting/user.go
@@ -0,0 +1,34 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package setting
+
+import (
+	"strings"
+
+	"code.gitea.io/gitea/modules/log"
+)
+
+// userSetting represents user settings
+type userSetting struct {
+	SettingDisabledModules []string
+}
+
+func (s *userSetting) Enabled(module string) bool {
+	for _, m := range s.SettingDisabledModules {
+		if strings.EqualFold(m, module) {
+			return false
+		}
+	}
+	return true
+}
+
+var User userSetting
+
+func newUserSetting() {
+	sec := Cfg.Section("user")
+	if err := sec.MapTo(&User); err != nil {
+		log.Fatal("user setting mapping failed: %v", err)
+	}
+}
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 89be795599bda..98ad3c5dfebe9 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -5,6 +5,7 @@
 package setting
 
 import (
+	"fmt"
 	"net/http"
 
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
@@ -77,6 +78,11 @@ func KeysPost(ctx *context.Context) {
 		ctx.Flash.Success(ctx.Tr("settings.add_principal_success", form.Content))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "gpg":
+		if !setting.User.Enabled("gpg keys") {
+			ctx.NotFound("Not Found", fmt.Errorf("gpg keys setting are not allowed"))
+			return
+		}
+
 		token := asymkey_model.VerificationToken(ctx.Doer, 1)
 		lastToken := asymkey_model.VerificationToken(ctx.Doer, 0)
 
@@ -216,6 +222,10 @@ func KeysPost(ctx *context.Context) {
 func DeleteKey(ctx *context.Context) {
 	switch ctx.FormString("type") {
 	case "gpg":
+		if !setting.User.Enabled("gpg keys") {
+			ctx.NotFound("Not Found", fmt.Errorf("gpg keys setting are not allowed"))
+			return
+		}
 		if err := asymkey_model.DeleteGPGKey(ctx.Doer, ctx.FormInt64("id")); err != nil {
 			ctx.Flash.Error("DeleteGPGKey: " + err.Error())
 		} else {
diff --git a/routers/web/web.go b/routers/web/web.go
index 889a89f0d4ae4..ccdcb5c10b718 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -316,6 +316,14 @@ func RegisterRoutes(m *web.Route) {
 		}
 	}
 
+	userSettingModuleEnabled := func(module string) func(ctx *context.Context) {
+		return func(ctx *context.Context) {
+			if !setting.User.Enabled(module) {
+				ctx.Error(http.StatusNotFound)
+			}
+		}
+	}
+
 	// FIXME: not all routes need go through same middleware.
 	// Especially some AJAX requests, we can reduce middleware number to improve performance.
 	// Routers.
@@ -406,15 +414,15 @@ func RegisterRoutes(m *web.Route) {
 	m.Group("/user/settings", func() {
 		m.Get("", user_setting.Profile)
 		m.Post("", bindIgnErr(forms.UpdateProfileForm{}), user_setting.ProfilePost)
-		m.Get("/change_password", auth.MustChangePassword)
-		m.Post("/change_password", bindIgnErr(forms.MustChangePasswordForm{}), auth.MustChangePasswordPost)
+		m.Get("/change_password", userSettingModuleEnabled("password"), auth.MustChangePassword)
+		m.Post("/change_password", userSettingModuleEnabled("password"), bindIgnErr(forms.MustChangePasswordForm{}), auth.MustChangePasswordPost)
 		m.Post("/avatar", bindIgnErr(forms.AvatarForm{}), user_setting.AvatarPost)
 		m.Post("/avatar/delete", user_setting.DeleteAvatar)
 		m.Group("/account", func() {
 			m.Combo("").Get(user_setting.Account).Post(bindIgnErr(forms.ChangePasswordForm{}), user_setting.AccountPost)
 			m.Post("/email", bindIgnErr(forms.AddEmailForm{}), user_setting.EmailPost)
 			m.Post("/email/delete", user_setting.DeleteEmail)
-			m.Post("/delete", user_setting.DeleteAccount)
+			m.Post("/delete", userSettingModuleEnabled("suicide"), user_setting.DeleteAccount)
 		})
 		m.Group("/appearance", func() {
 			m.Get("", user_setting.Appearance)
@@ -441,7 +449,7 @@ func RegisterRoutes(m *web.Route) {
 				m.Post("/toggle_visibility", security.ToggleOpenIDVisibility)
 			}, openIDSignInEnabled)
 			m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
-		})
+		}, userSettingModuleEnabled("security"))
 		m.Group("/applications/oauth2", func() {
 			m.Get("/{id}", user_setting.OAuth2ApplicationShow)
 			m.Post("/{id}", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
@@ -449,10 +457,10 @@ func RegisterRoutes(m *web.Route) {
 			m.Post("", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
 			m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
 			m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
-		})
-		m.Combo("/applications").Get(user_setting.Applications).
-			Post(bindIgnErr(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
-		m.Post("/applications/delete", user_setting.DeleteApplication)
+		}, userSettingModuleEnabled("applications"))
+		m.Combo("/applications").Get(userSettingModuleEnabled("applications"), user_setting.Applications).
+			Post(userSettingModuleEnabled("applications"), bindIgnErr(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
+		m.Post("/applications/delete", userSettingModuleEnabled("applications"), user_setting.DeleteApplication)
 		m.Combo("/keys").Get(user_setting.Keys).
 			Post(bindIgnErr(forms.AddKeyForm{}), user_setting.KeysPost)
 		m.Post("/keys/delete", user_setting.DeleteKey)
@@ -470,13 +478,14 @@ func RegisterRoutes(m *web.Route) {
 				})
 			})
 		}, packagesEnabled)
-		m.Get("/organization", user_setting.Organization)
+		m.Get("/organization", userSettingModuleEnabled("organizations"), user_setting.Organization)
 		m.Get("/repos", user_setting.Repos)
 		m.Post("/repos/unadopted", user_setting.AdoptOrDeleteRepository)
 	}, reqSignIn, func(ctx *context.Context) {
 		ctx.Data["PageIsUserSettings"] = true
 		ctx.Data["AllThemes"] = setting.UI.Themes
 		ctx.Data["EnablePackages"] = setting.Packages.Enabled
+		ctx.Data["UserModules"] = &setting.User
 	})
 
 	m.Group("/user", func() {
diff --git a/templates/user/settings/account.tmpl b/templates/user/settings/account.tmpl
index 3070e8889c089..5eca448d04b63 100644
--- a/templates/user/settings/account.tmpl
+++ b/templates/user/settings/account.tmpl
@@ -3,40 +3,42 @@
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
-		<h4 class="ui top attached header">
-			{{.locale.Tr "settings.password"}}
-		</h4>
-		<div class="ui attached segment">
-			{{if or (.SignedUser.IsLocal) (.SignedUser.IsOAuth2)}}
-			<form class="ui form ignore-dirty" action="{{AppSubUrl}}/user/settings/account" method="post">
-				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
-				{{if .SignedUser.IsPasswordSet}}
-				<div class="required field {{if .Err_OldPassword}}error{{end}}">
-					<label for="old_password">{{.locale.Tr "settings.old_password"}}</label>
-					<input id="old_password" name="old_password" type="password" autocomplete="current-password" autofocus required>
-				</div>
-				{{end}}
-				<div class="required field {{if .Err_Password}}error{{end}}">
-					<label for="password">{{.locale.Tr "settings.new_password"}}</label>
-					<input id="password" name="password" type="password" autocomplete="new-password" required>
-				</div>
-				<div class="required field {{if .Err_Password}}error{{end}}">
-					<label for="retype">{{.locale.Tr "settings.retype_new_password"}}</label>
-					<input id="retype" name="retype" type="password" autocomplete="new-password" required>
-				</div>
+		{{if $.UserModules.Enabled "password"}}
+			<h4 class="ui top attached header">
+				{{.locale.Tr "settings.password"}}
+			</h4>
+			<div class="ui attached segment">
+				{{if or (.SignedUser.IsLocal) (.SignedUser.IsOAuth2)}}
+				<form class="ui form ignore-dirty" action="{{AppSubUrl}}/user/settings/account" method="post">
+					{{template "base/disable_form_autofill"}}
+					{{.CsrfTokenHtml}}
+					{{if .SignedUser.IsPasswordSet}}
+					<div class="required field {{if .Err_OldPassword}}error{{end}}">
+						<label for="old_password">{{.locale.Tr "settings.old_password"}}</label>
+						<input id="old_password" name="old_password" type="password" autocomplete="current-password" autofocus required>
+					</div>
+					{{end}}
+					<div class="required field {{if .Err_Password}}error{{end}}">
+						<label for="password">{{.locale.Tr "settings.new_password"}}</label>
+						<input id="password" name="password" type="password" autocomplete="new-password" required>
+					</div>
+					<div class="required field {{if .Err_Password}}error{{end}}">
+						<label for="retype">{{.locale.Tr "settings.retype_new_password"}}</label>
+						<input id="retype" name="retype" type="password" autocomplete="new-password" required>
+					</div>
 
-				<div class="field">
-					<button class="ui green button">{{$.locale.Tr "settings.change_password"}}</button>
-					<a href="{{AppSubUrl}}/user/forgot_password?email={{.Email}}">{{.locale.Tr "auth.forgot_password"}}</a>
+					<div class="field">
+						<button class="ui green button">{{$.locale.Tr "settings.change_password"}}</button>
+						<a href="{{AppSubUrl}}/user/forgot_password?email={{.Email}}">{{.locale.Tr "auth.forgot_password"}}</a>
+					</div>
+				</form>
+				{{else}}
+				<div class="ui info message">
+					<p class="text left">{{$.locale.Tr "settings.password_change_disabled"}}</p>
 				</div>
-			</form>
-			{{else}}
-			<div class="ui info message">
-				<p class="text left">{{$.locale.Tr "settings.password_change_disabled"}}</p>
+				{{end}}
 			</div>
-			{{end}}
-		</div>
+		{{end}}
 
 		<h4 class="ui top attached header">
 			{{.locale.Tr "settings.manage_emails"}}
@@ -172,15 +174,17 @@
 	{{template "base/delete_modal_actions" .}}
 </div>
 
-<div class="ui small basic delete modal" id="delete-account">
-	<div class="ui icon header">
-		{{svg "octicon-trash"}}
-		{{.locale.Tr "settings.delete_account_title"}}
-	</div>
-	<div class="content">
-		<p>{{.locale.Tr "settings.delete_account_desc"}}</p>
+{{if $.UserModules.Enabled "suicide"}}
+	<div class="ui small basic delete modal" id="delete-account">
+		<div class="ui icon header">
+			{{svg "octicon-trash"}}
+			{{.locale.Tr "settings.delete_account_title"}}
+		</div>
+		<div class="content">
+			<p>{{.locale.Tr "settings.delete_account_desc"}}</p>
+		</div>
+		{{template "base/delete_modal_actions" .}}
 	</div>
-	{{template "base/delete_modal_actions" .}}
-</div>
+{{end}}
 
 {{template "base/footer" .}}
diff --git a/templates/user/settings/keys.tmpl b/templates/user/settings/keys.tmpl
index c88868d000f43..7ef963ac38fd5 100644
--- a/templates/user/settings/keys.tmpl
+++ b/templates/user/settings/keys.tmpl
@@ -5,7 +5,9 @@
 		{{template "base/alert" .}}
 		{{template "user/settings/keys_ssh" .}}
 		{{template "user/settings/keys_principal" .}}
-		{{template "user/settings/keys_gpg" .}}
+		{{if $.UserModules.Enabled "gpg keys"}}
+			{{template "user/settings/keys_gpg" .}}
+		{{end}}
 	</div>
 </div>
 
diff --git a/templates/user/settings/navbar.tmpl b/templates/user/settings/navbar.tmpl
index 8fd869dc40c32..a9798f4a19cda 100644
--- a/templates/user/settings/navbar.tmpl
+++ b/templates/user/settings/navbar.tmpl
@@ -9,12 +9,16 @@
 		<a class="{{if .PageIsSettingsAppearance}}active {{end}}item" href="{{AppSubUrl}}/user/settings/appearance">
 			{{.locale.Tr "settings.appearance"}}
 		</a>
-		<a class="{{if .PageIsSettingsSecurity}}active {{end}}item" href="{{AppSubUrl}}/user/settings/security">
-			{{.locale.Tr "settings.security"}}
-		</a>
-		<a class="{{if .PageIsSettingsApplications}}active {{end}}item" href="{{AppSubUrl}}/user/settings/applications">
-			{{.locale.Tr "settings.applications"}}
-		</a>
+		{{if $.UserModules.Enabled "security"}}
+			<a class="{{if .PageIsSettingsSecurity}}active {{end}}item" href="{{AppSubUrl}}/user/settings/security">
+				{{.locale.Tr "settings.security"}}
+			</a>
+		{{end}}
+		{{if $.UserModules.Enabled "applications"}}
+			<a class="{{if .PageIsSettingsApplications}}active {{end}}item" href="{{AppSubUrl}}/user/settings/applications">
+				{{.locale.Tr "settings.applications"}}
+			</a>
+		{{end}}
 		<a class="{{if .PageIsSettingsKeys}}active {{end}}item" href="{{AppSubUrl}}/user/settings/keys">
 			{{.locale.Tr "settings.ssh_gpg_keys"}}
 		</a>
@@ -23,9 +27,11 @@
 			{{.locale.Tr "packages.title"}}
 		</a>
 		{{end}}
-		<a class="{{if .PageIsSettingsOrganization}}active {{end}}item" href="{{AppSubUrl}}/user/settings/organization">
-			{{.locale.Tr "settings.organization"}}
-		</a>
+		{{if $.UserModules.Enabled "organizations"}}
+			<a class="{{if .PageIsSettingsOrganization}}active {{end}}item" href="{{AppSubUrl}}/user/settings/organization">
+				{{.locale.Tr "settings.organization"}}
+			</a>
+		{{end}}
 		<a class="{{if .PageIsSettingsRepos}}active {{end}}item" href="{{AppSubUrl}}/user/settings/repos">
 			{{.locale.Tr "settings.repos"}}
 		</a>

From 72959dc3960f00f02eadc14f9645e016facf9e95 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 31 Jul 2022 11:54:04 +0800
Subject: [PATCH 2/8] Use a suitable word for deletion of user data

---
 custom/conf/app.example.ini                           | 2 +-
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 4 ++++
 routers/web/web.go                                    | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 1367f40b50ac0..5a00f4b39cf09 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2483,5 +2483,5 @@ ROUTER = console
 ;PROXY_HOSTS =
 
 ;[user]
-; Disabled modules from user settings, could be passwods, suicide, security, applications, gpg keys, organiztions
+; Disabled modules from user settings, could be passwods, deletion, security, applications, gpg keys, organiztions
 ;USER_SETTING_DISABLED_MODULES =
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 37f03b42ea724..700475f238b19 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -1284,6 +1284,10 @@ PROXY_URL = socks://127.0.0.1:1080
 PROXY_HOSTS = *.github.com
 ```
 
+## User (`user`)
+
+- `USER_SETTING_DISABLED_MODULES`:**** Disabled modules from user settings, could be passwods, deletion, security, applications, gpg keys, organiztions
+
 ## Other (`other`)
 
 - `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.
diff --git a/routers/web/web.go b/routers/web/web.go
index ccdcb5c10b718..8b8b8c5ce2651 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -422,7 +422,7 @@ func RegisterRoutes(m *web.Route) {
 			m.Combo("").Get(user_setting.Account).Post(bindIgnErr(forms.ChangePasswordForm{}), user_setting.AccountPost)
 			m.Post("/email", bindIgnErr(forms.AddEmailForm{}), user_setting.EmailPost)
 			m.Post("/email/delete", user_setting.DeleteEmail)
-			m.Post("/delete", userSettingModuleEnabled("suicide"), user_setting.DeleteAccount)
+			m.Post("/delete", userSettingModuleEnabled("deletion"), user_setting.DeleteAccount)
 		})
 		m.Group("/appearance", func() {
 			m.Get("", user_setting.Appearance)

From e160a0647b76cbd646779d076e65c12ab2f9a9b4 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 31 Jul 2022 11:55:46 +0800
Subject: [PATCH 3/8] Fix missed word

---
 templates/user/settings/account.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/user/settings/account.tmpl b/templates/user/settings/account.tmpl
index 5eca448d04b63..b59310bd39b19 100644
--- a/templates/user/settings/account.tmpl
+++ b/templates/user/settings/account.tmpl
@@ -174,7 +174,7 @@
 	{{template "base/delete_modal_actions" .}}
 </div>
 
-{{if $.UserModules.Enabled "suicide"}}
+{{if $.UserModules.Enabled "deletion"}}
 	<div class="ui small basic delete modal" id="delete-account">
 		<div class="ui icon header">
 			{{svg "octicon-trash"}}

From a84950a24f4ee7a35c54e5c447b9ab5fb519a0a9 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 1 Aug 2022 14:12:27 +0800
Subject: [PATCH 4/8] Fix typo

---
 custom/conf/app.example.ini                           | 2 +-
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 5a00f4b39cf09..de807594d678f 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2483,5 +2483,5 @@ ROUTER = console
 ;PROXY_HOSTS =
 
 ;[user]
-; Disabled modules from user settings, could be passwods, deletion, security, applications, gpg keys, organiztions
+; Disabled modules from user settings, could be passwords, deletion, security, applications, gpg keys, organizations
 ;USER_SETTING_DISABLED_MODULES =
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 700475f238b19..349677dae5493 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -1286,7 +1286,7 @@ PROXY_HOSTS = *.github.com
 
 ## User (`user`)
 
-- `USER_SETTING_DISABLED_MODULES`:**** Disabled modules from user settings, could be passwods, deletion, security, applications, gpg keys, organiztions
+- `USER_SETTING_DISABLED_MODULES`:**** Disabled modules from user settings, could be a copmosite of `password`, `deletion`, `security`, `applications`, `gpg keys`, `organizations` with a comma.
 
 ## Other (`other`)
 

From a10c911eff9a70e5a443d138717474bce79c5af1 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 9 Aug 2022 01:08:16 +0800
Subject: [PATCH 5/8] Use constants

---
 routers/web/user/setting/keys.go | 11 +++++++++--
 routers/web/web.go               | 18 +++++++++---------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 98ad3c5dfebe9..c047b483b6b01 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -20,6 +20,13 @@ import (
 
 const (
 	tplSettingsKeys base.TplName = "user/settings/keys"
+
+	UserPasswordKey    = "password"
+	UserGPGKeysKey     = "gpg keys"
+	UserDeletionKey    = "deletion"
+	UserSecurityKey    = "security"
+	UserApplicationKey = "applications"
+	UserOrganizations  = "organizations"
 )
 
 // Keys render user's SSH/GPG public keys page
@@ -78,7 +85,7 @@ func KeysPost(ctx *context.Context) {
 		ctx.Flash.Success(ctx.Tr("settings.add_principal_success", form.Content))
 		ctx.Redirect(setting.AppSubURL + "/user/settings/keys")
 	case "gpg":
-		if !setting.User.Enabled("gpg keys") {
+		if !setting.User.Enabled(UserGPGKeysKey) {
 			ctx.NotFound("Not Found", fmt.Errorf("gpg keys setting are not allowed"))
 			return
 		}
@@ -222,7 +229,7 @@ func KeysPost(ctx *context.Context) {
 func DeleteKey(ctx *context.Context) {
 	switch ctx.FormString("type") {
 	case "gpg":
-		if !setting.User.Enabled("gpg keys") {
+		if !setting.User.Enabled(UserGPGKeysKey) {
 			ctx.NotFound("Not Found", fmt.Errorf("gpg keys setting are not allowed"))
 			return
 		}
diff --git a/routers/web/web.go b/routers/web/web.go
index 8b8b8c5ce2651..3051205a03269 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -414,15 +414,15 @@ func RegisterRoutes(m *web.Route) {
 	m.Group("/user/settings", func() {
 		m.Get("", user_setting.Profile)
 		m.Post("", bindIgnErr(forms.UpdateProfileForm{}), user_setting.ProfilePost)
-		m.Get("/change_password", userSettingModuleEnabled("password"), auth.MustChangePassword)
-		m.Post("/change_password", userSettingModuleEnabled("password"), bindIgnErr(forms.MustChangePasswordForm{}), auth.MustChangePasswordPost)
+		m.Get("/change_password", userSettingModuleEnabled(user_setting.UserPasswordKey), auth.MustChangePassword)
+		m.Post("/change_password", userSettingModuleEnabled(user_setting.UserPasswordKey), bindIgnErr(forms.MustChangePasswordForm{}), auth.MustChangePasswordPost)
 		m.Post("/avatar", bindIgnErr(forms.AvatarForm{}), user_setting.AvatarPost)
 		m.Post("/avatar/delete", user_setting.DeleteAvatar)
 		m.Group("/account", func() {
 			m.Combo("").Get(user_setting.Account).Post(bindIgnErr(forms.ChangePasswordForm{}), user_setting.AccountPost)
 			m.Post("/email", bindIgnErr(forms.AddEmailForm{}), user_setting.EmailPost)
 			m.Post("/email/delete", user_setting.DeleteEmail)
-			m.Post("/delete", userSettingModuleEnabled("deletion"), user_setting.DeleteAccount)
+			m.Post("/delete", userSettingModuleEnabled(user_setting.UserDeletionKey), user_setting.DeleteAccount)
 		})
 		m.Group("/appearance", func() {
 			m.Get("", user_setting.Appearance)
@@ -449,7 +449,7 @@ func RegisterRoutes(m *web.Route) {
 				m.Post("/toggle_visibility", security.ToggleOpenIDVisibility)
 			}, openIDSignInEnabled)
 			m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
-		}, userSettingModuleEnabled("security"))
+		}, userSettingModuleEnabled(user_setting.UserSecurityKey))
 		m.Group("/applications/oauth2", func() {
 			m.Get("/{id}", user_setting.OAuth2ApplicationShow)
 			m.Post("/{id}", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
@@ -457,10 +457,10 @@ func RegisterRoutes(m *web.Route) {
 			m.Post("", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
 			m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
 			m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
-		}, userSettingModuleEnabled("applications"))
-		m.Combo("/applications").Get(userSettingModuleEnabled("applications"), user_setting.Applications).
-			Post(userSettingModuleEnabled("applications"), bindIgnErr(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
-		m.Post("/applications/delete", userSettingModuleEnabled("applications"), user_setting.DeleteApplication)
+		}, userSettingModuleEnabled(user_setting.UserApplicationKey))
+		m.Combo("/applications").Get(userSettingModuleEnabled(user_setting.UserApplicationKey), user_setting.Applications).
+			Post(userSettingModuleEnabled(user_setting.UserApplicationKey), bindIgnErr(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
+		m.Post("/applications/delete", userSettingModuleEnabled(user_setting.UserApplicationKey), user_setting.DeleteApplication)
 		m.Combo("/keys").Get(user_setting.Keys).
 			Post(bindIgnErr(forms.AddKeyForm{}), user_setting.KeysPost)
 		m.Post("/keys/delete", user_setting.DeleteKey)
@@ -478,7 +478,7 @@ func RegisterRoutes(m *web.Route) {
 				})
 			})
 		}, packagesEnabled)
-		m.Get("/organization", userSettingModuleEnabled("organizations"), user_setting.Organization)
+		m.Get("/organization", userSettingModuleEnabled(user_setting.UserOrganizations), user_setting.Organization)
 		m.Get("/repos", user_setting.Repos)
 		m.Post("/repos/unadopted", user_setting.AdoptOrDeleteRepository)
 	}, reqSignIn, func(ctx *context.Context) {

From 68103253f97b9e85ddb9ec7e7b9d839b2472326a Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 10 Aug 2022 10:30:09 +0800
Subject: [PATCH 6/8] Fix bug

---
 custom/conf/app.example.ini          |  4 +-
 templates/user/settings/account.tmpl | 75 +++++++++++++++-------------
 2 files changed, 43 insertions(+), 36 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index de807594d678f..3c3f83835b9d5 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2483,5 +2483,5 @@ ROUTER = console
 ;PROXY_HOSTS =
 
 ;[user]
-; Disabled modules from user settings, could be passwords, deletion, security, applications, gpg keys, organizations
-;USER_SETTING_DISABLED_MODULES =
+; Disabled modules from user settings, could be password, deletion, security, applications, gpg keys, organizations
+;SETTING_DISABLED_MODULES =
diff --git a/templates/user/settings/account.tmpl b/templates/user/settings/account.tmpl
index b59310bd39b19..7319c5e681895 100644
--- a/templates/user/settings/account.tmpl
+++ b/templates/user/settings/account.tmpl
@@ -135,31 +135,40 @@
 			</form>
 		</div>
 
-		<h4 class="ui top attached error header">
-			{{.locale.Tr "settings.delete_account"}}
-		</h4>
-		<div class="ui attached error segment">
-			<div class="ui red message">
-				<p class="text left">{{svg "octicon-alert"}} {{.locale.Tr "settings.delete_prompt" | Str2html}}</p>
-				{{if .UserDeleteWithComments}}
-				<p class="text left" style="font-weight: bold;">{{.locale.Tr "settings.delete_with_all_comments" .UserDeleteWithCommentsMaxTime | Str2html}}</p>
-				{{end}}
-			</div>
-			<form class="ui form ignore-dirty" id="delete-form" action="{{AppSubUrl}}/user/settings/account/delete" method="post">
-				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
-				<div class="required field {{if .Err_Password}}error{{end}}">
-					<label for="password-confirmation">{{.locale.Tr "password"}}</label>
-					<input id="password-confirmation" name="password" type="password" autocomplete="off" required>
+		{{if $.UserModules.Enabled "deletion"}}
+			<h4 class="ui top attached error header">
+				{{.locale.Tr "settings.delete_account"}}
+			</h4>
+			<div class="ui attached error segment">
+				<div class="ui red message">
+					<p class="text left">{{svg "octicon-alert"}} {{.locale.Tr "settings.delete_prompt" | Str2html}}</p>
+					{{if .UserDeleteWithComments}}
+					<p class="text left" style="font-weight: bold;">{{.locale.Tr "settings.delete_with_all_comments" .UserDeleteWithCommentsMaxTime | Str2html}}</p>
+					{{end}}
 				</div>
-				<div class="field">
-					<div class="ui red button delete-button" data-modal-id="delete-account" data-type="form" data-form="#delete-form">
-						{{.locale.Tr "settings.confirm_delete_account"}}
-					</div>
-					<a href="{{AppSubUrl}}/user/forgot_password?email={{.Email}}">{{.locale.Tr "auth.forgot_password"}}</a>
+				<form class="ui form ignore-dirty" id="delete-form" action="{{AppSubUrl}}/user/settings/account/delete" method="post">
+					{{template "base/disable_form_autofill"}}
+					{{.CsrfTokenHtml}}
+					<div class="required field {{if .Err_Password}}error{{end}}">
+						<label for="password-confirmation">{{.locale.Tr "password"}}</label>
+						<input id="password-confirmation" name="password" type="password" autocomplete="off" required>
 				</div>
-			</form>
-		</div>
+				<form class="ui form ignore-dirty" id="delete-form" action="{{AppSubUrl}}/user/settings/account/delete" method="post">
+					{{template "base/disable_form_autofill"}}
+					{{.CsrfTokenHtml}}
+					<div class="required field {{if .Err_Password}}error{{end}}">
+						<label for="password-confirmation">{{.locale.Tr "password"}}</label>
+						<input id="password-confirmation" name="password" type="password" autocomplete="off" required>
+					</div>
+					<div class="field">
+						<div class="ui red button delete-button" data-modal-id="delete-account" data-type="form" data-form="#delete-form">
+							{{.locale.Tr "settings.confirm_delete_account"}}
+						</div>
+						<a href="{{AppSubUrl}}/user/forgot_password?email={{.Email}}">{{.locale.Tr "auth.forgot_password"}}</a>
+					</div>
+				</form>
+			</div>
+		{{end}}
 	</div>
 </div>
 
@@ -174,17 +183,15 @@
 	{{template "base/delete_modal_actions" .}}
 </div>
 
-{{if $.UserModules.Enabled "deletion"}}
-	<div class="ui small basic delete modal" id="delete-account">
-		<div class="ui icon header">
-			{{svg "octicon-trash"}}
-			{{.locale.Tr "settings.delete_account_title"}}
-		</div>
-		<div class="content">
-			<p>{{.locale.Tr "settings.delete_account_desc"}}</p>
-		</div>
-		{{template "base/delete_modal_actions" .}}
+<div class="ui small basic delete modal" id="delete-account">
+	<div class="ui icon header">
+		{{svg "octicon-trash"}}
+		{{.locale.Tr "settings.delete_account_title"}}
 	</div>
-{{end}}
+	<div class="content">
+		<p>{{.locale.Tr "settings.delete_account_desc"}}</p>
+	</div>
+	{{template "base/delete_modal_actions" .}}
+</div>
 
 {{template "base/footer" .}}

From e464f8acd2dc40168a2a032e4f58eb1539cda0e3 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 11 Dec 2022 20:58:22 +0800
Subject: [PATCH 7/8] fix lint

---
 modules/setting/user.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/setting/user.go b/modules/setting/user.go
index 1ea9ff1c79c3d..360a42610ec43 100644
--- a/modules/setting/user.go
+++ b/modules/setting/user.go
@@ -1,6 +1,5 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
+// SPDX-License-Identifier: MIT
 
 package setting
 

From be45ca3efc24b982f98fd7223580928e58e18286 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 8 Mar 2023 12:02:22 +0800
Subject: [PATCH 8/8] Add more limitation for user organization setting

---
 custom/conf/app.example.ini                   |  2 +-
 .../doc/advanced/config-cheat-sheet.en-us.md  |  6 ++++
 routers/web/user/setting/keys.go              |  2 +-
 templates/base/head_navbar.tmpl               |  2 +-
 templates/org/member/members.tmpl             | 30 ++++++++++---------
 templates/org/team/sidebar.tmpl               | 26 ++++++++--------
 templates/org/team/teams.tmpl                 | 24 ++++++++-------
 7 files changed, 52 insertions(+), 40 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index a80c6e45d98de..a6a653d91074d 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2584,5 +2584,5 @@ ROUTER = console
 ;STORAGE_TYPE = local
 
 ;[user]
-; Disabled modules from user settings, could be password, deletion, security, applications, gpg keys, organizations
+; Disabled modules from user settings, could be password, deletion, security, applications, gpg_keys, organizations
 ;SETTING_DISABLED_MODULES =
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index dcefd2207f4ab..57dd9036fc583 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -1377,6 +1377,12 @@ although Github don't support this form.
 ## User (`user`)
 
 - `USER_SETTING_DISABLED_MODULES`:**** Disabled modules from user settings, could be a copmosite of `password`, `deletion`, `security`, `applications`, `gpg keys`, `organizations` with a comma.
+  - `password`: User cannot change his password from the website.
+  - `deletion`: User cannot remove himself from the website.
+  - `security`: User cannot update his security settings from the website.
+  - `applications`: User cannot create application himself.
+  - `gpg_keys`: User cannot manage gpg keys himself.
+  - `organizations`: User cannot manage his organizations himself.
 
 ## Other (`other`)
 
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 6f14596e0cda2..6f092e32110a7 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -22,7 +22,7 @@ const (
 	tplSettingsKeys base.TplName = "user/settings/keys"
 
 	UserPasswordKey    = "password"
-	UserGPGKeysKey     = "gpg keys"
+	UserGPGKeysKey     = "gpg_keys"
 	UserDeletionKey    = "deletion"
 	UserSecurityKey    = "security"
 	UserApplicationKey = "applications"
diff --git a/templates/base/head_navbar.tmpl b/templates/base/head_navbar.tmpl
index 10bbf655b5b9a..64e60d7401b95 100644
--- a/templates/base/head_navbar.tmpl
+++ b/templates/base/head_navbar.tmpl
@@ -142,7 +142,7 @@
 							<span class="fitted">{{svg "octicon-repo-push"}}</span> {{.locale.Tr "new_migrate"}}
 						</a>
 					{{end}}
-					{{if .SignedUser.CanCreateOrganization}}
+					{{if and (.SignedUser.CanCreateOrganization) ($.UserModules.Enabled "organizations")}}
 					<a class="item" href="{{AppSubUrl}}/org/create">
 						<span class="fitted">{{svg "octicon-organization"}}</span> {{.locale.Tr "new_org"}}
 					</a>
diff --git a/templates/org/member/members.tmpl b/templates/org/member/members.tmpl
index 0eae60fbfc490..d95b4aa8cb6fe 100644
--- a/templates/org/member/members.tmpl
+++ b/templates/org/member/members.tmpl
@@ -57,20 +57,22 @@
 					{{end}}
 					<div class="ui three wide column">
 						<div class="text right">
-							{{if eq $.SignedUser.ID .ID}}
-								<form>
-									<button class="ui red small button delete-button" data-modal-id="leave-organization"
-										data-url="{{$.OrgLink}}/members/action/leave" data-datauid="{{.ID}}"
-										data-name="{{.DisplayName}}"
-										data-data-organization-name="{{$.Org.DisplayName}}">{{$.locale.Tr "org.members.leave"}}</button>
-								</form>
-							{{else if $.IsOrganizationOwner}}
-								<form>
-									<button class="ui red small button delete-button" data-modal-id="remove-organization-member"
-										data-url="{{$.OrgLink}}/members/action/remove" data-datauid="{{.ID}}"
-										data-name="{{.DisplayName}}"
-										data-data-organization-name="{{$.Org.DisplayName}}">{{$.locale.Tr "org.members.remove"}}</button>
-								</form>
+							{{if ($.UserModules.Enabled "organizations")}}
+								{{if eq $.SignedUser.ID .ID}}
+									<form>
+										<button class="ui red small button delete-button" data-modal-id="leave-organization"
+											data-url="{{$.OrgLink}}/members/action/leave" data-datauid="{{.ID}}"
+											data-name="{{.DisplayName}}"
+											data-data-organization-name="{{$.Org.DisplayName}}">{{$.locale.Tr "org.members.leave"}}</button>
+									</form>
+								{{else if $.IsOrganizationOwner}}
+									<form>
+										<button class="ui red small button delete-button" data-modal-id="remove-organization-member"
+											data-url="{{$.OrgLink}}/members/action/remove" data-datauid="{{.ID}}"
+											data-name="{{.DisplayName}}"
+											data-data-organization-name="{{$.Org.DisplayName}}">{{$.locale.Tr "org.members.remove"}}</button>
+									</form>
+								{{end}}
 							{{end}}
 						</div>
 					</div>
diff --git a/templates/org/team/sidebar.tmpl b/templates/org/team/sidebar.tmpl
index 507173e51fcff..385d437fc47f4 100644
--- a/templates/org/team/sidebar.tmpl
+++ b/templates/org/team/sidebar.tmpl
@@ -2,18 +2,20 @@
 	<h4 class="ui top attached header">
 		<strong>{{.Team.Name}}</strong>
 		<div class="ui right">
-			{{if .Team.IsMember $.SignedUser.ID}}
-				<form>
-					<button class="ui red tiny button delete-button" data-modal-id="leave-team-sidebar"
-						data-url="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/leave" data-datauid="{{$.SignedUser.ID}}"
-						data-name="{{.Team.Name}}">{{$.locale.Tr "org.teams.leave"}}</button>
-				</form>
-			{{else if .IsOrganizationOwner}}
-				<form method="post" action="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/join">
-					{{$.CsrfTokenHtml}}
-					<input type="hidden" name="page" value="team"/>
-					<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{$.locale.Tr "org.teams.join"}}</button>
-				</form>
+			{{if ($.UserModules.Enabled "organizations")}}
+				{{if .Team.IsMember $.SignedUser.ID}}
+					<form>
+						<button class="ui red tiny button delete-button" data-modal-id="leave-team-sidebar"
+							data-url="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/leave" data-datauid="{{$.SignedUser.ID}}"
+							data-name="{{.Team.Name}}">{{$.locale.Tr "org.teams.leave"}}</button>
+					</form>
+				{{else if .IsOrganizationOwner}}
+					<form method="post" action="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/join">
+						{{$.CsrfTokenHtml}}
+						<input type="hidden" name="page" value="team"/>
+						<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{$.locale.Tr "org.teams.join"}}</button>
+					</form>
+				{{end}}
 			{{end}}
 		</div>
 	</h4>
diff --git a/templates/org/team/teams.tmpl b/templates/org/team/teams.tmpl
index df0620af49032..ded51dec226b8 100644
--- a/templates/org/team/teams.tmpl
+++ b/templates/org/team/teams.tmpl
@@ -16,17 +16,19 @@
 					<div class="ui top attached header">
 						<a class="text black" href="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}"><strong>{{.Name}}</strong></a>
 						<div class="ui right">
-							{{if .IsMember $.SignedUser.ID}}
-								<form>
-									<button class="ui red tiny button delete-button" data-modal-id="leave-team"
-										data-url="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/leave" data-datauid="{{$.SignedUser.ID}}"
-										data-name="{{.Name}}">{{$.locale.Tr "org.teams.leave"}}</button>
-								</form>
-							{{else if $.IsOrganizationOwner}}
-								<form method="post" action="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/join">
-									{{$.CsrfTokenHtml}}
-									<button type="submit" class="ui primary small button" name="uid" value="{{$.SignedUser.ID}}">{{$.locale.Tr "org.teams.join"}}</button>
-								</form>
+							{{if ($.UserModules.Enabled "organizations")}}
+								{{if .IsMember $.SignedUser.ID}}
+									<form>
+										<button class="ui red tiny button delete-button" data-modal-id="leave-team"
+											data-url="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/leave" data-datauid="{{$.SignedUser.ID}}"
+											data-name="{{.Name}}">{{$.locale.Tr "org.teams.leave"}}</button>
+									</form>
+								{{else if $.IsOrganizationOwner}}
+									<form method="post" action="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/join">
+										{{$.CsrfTokenHtml}}
+										<button type="submit" class="ui primary small button" name="uid" value="{{$.SignedUser.ID}}">{{$.locale.Tr "org.teams.join"}}</button>
+									</form>
+								{{end}}
 							{{end}}
 						</div>
 					</div>