Add server config to disable user registered agents

[6543]

As user-/org-agents allow normal (non instance admins) to extract secrets if they know how from the repos they are admin at, this is an hardening option.

normally you already trust users who are admin but in edge cases you want to forbid them to register own agents ...

[woodpecker-bot]

Deployment of preview was torn down

[qwerty287]

Why do we need separate fields in web-config.js? And the option is missing in https://woodpecker-ci.org/docs/administration/server-config#all-server-configuration-options

[6543]

It looked nicer but the only real answer is that i did not come up witj a combined name for the var

[qwerty287]

What about userRegisteredAgents?

[6543]

fixed the fail and added test for it!

[qwerty287]

OK. If you think old ones still should be usable I need to dive more into the code of org/user agents first.

[codecov]

Codecov Report

Attention: Patch coverage is 30.76923% with 9 lines in your changes missing coverage. Please review.

Project coverage is 26.73%. Comparing base (2543105) to head (8e48926).

Files with missing lines	Patch %	Lines
server/web/config.go	0.00%	7 Missing ⚠️
cmd/server/setup.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4206      +/-   ##
==========================================
+ Coverage   26.46%   26.73%   +0.27%     
==========================================
  Files         376      376              
  Lines       27455    27463       +8     
==========================================
+ Hits         7265     7342      +77     
+ Misses      19525    19440      -85     
- Partials      665      681      +16     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[qwerty287]

OK, I checked it out.

If I understand it correctly, if this feature is disabled now and all agents are still manageable from the admin interface, the admin interface will use the api routes for global agents. So we should just disable the org-specific routes I think.

Otherwise the PR seems fine to me.

[6543]

well this would allow instance admins to still create org agents ... but not normal users

there is no much downside in doing so ... this is the same argument i wana have repo agents.

It is easier in therms of UX for the user and do not add much code on our side to maintain

[qwerty287]

It is easier in therms of UX for the user

I don't get that. The ui for this is completely hidden, so the only way how you can create a new org agent is directly using the api.

[anbraten]

well this would allow instance admins to still create org agents ... but not normal users

Would probably help to ask: What would be the argument for an instance admin to disable user agents in general.

[6543]

I wrote that argument also into the docs

[6543]

https://github.com/woodpecker-ci/woodpecker/pull/4206/files#diff-797f56c545a9d6d7c5a0a660ecf679cef504d2538941b85876458b60a6e7933fR63

[qwerty287]

I still think the org agent routes should be disabled completely if the feature is disabled. Or you extend the admin UI to allow to create user agents from there.

[6543]

now the flack disable the function & ui alltogether

[qwerty287]

Code lgtm, untested