Disable seeding of admin user

opf · Nov 26, 2024 · 74e514c · 74e514c
1 parent 239fd54
commit 74e514c
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 7 deletions.
diff --git a/app/seeders/admin_user_seeder.rb b/app/seeders/admin_user_seeder.rb
@@ -27,14 +27,10 @@
 #++
 class AdminUserSeeder < Seeder
   def seed_data!
-    user = new_admin
-    if user.save!(validate: false)
-      seed_data.store_reference(:openproject_admin, user)
+    if Setting.seed_admin_user_enabled?
+      seed_admin!
     else
-      print_error "Seeding admin failed:"
-      user.errors.full_messages.each do |msg|
-        print_error "  #{msg}"
-      end
+      Seeder.logger.debug { "   *** skipped as explicity disabled" }
     end
   end
 
@@ -50,6 +46,18 @@ def not_applicable_message
     "No need to seed an admin as there already is one."
   end
 
+  def seed_admin!
+    user = new_admin
+    if user.save!(validate: false)
+      seed_data.store_reference(:openproject_admin, user)
+    else
+      print_error "Seeding admin failed:"
+      user.errors.full_messages.each do |msg|
+        print_error "  #{msg}"
+      end
+    end
+  end
+
   def new_admin # rubocop:disable Metrics/AbcSize
     User.new.tap do |user|
       user.admin = true

diff --git a/config/constants/settings/definition.rb b/config/constants/settings/definition.rb
@@ -923,6 +923,12 @@ class Definition
         default: "https://releases.openproject.com/v1/check.svg",
         writable: false
       },
+      seed_admin_user_enabled: {
+        description: "Enable setting the admin user on startup. " \
+                     "If you set this to false, You will have to create an admin user manually.",
+        default: true,
+        writable: false
+      },
       seed_admin_user_password: {
         description: 'Password to set for the initially created admin user (Login remains "admin").',
         default: "admin",

diff --git a/docs/installation-and-operations/configuration/README.md b/docs/installation-and-operations/configuration/README.md
@@ -173,6 +173,16 @@ OPENPROJECT_SEED_ADMIN_USER_NAME="OpenProject Admin" # Name to assign to that us
 OPENPROJECT_SEED_ADMIN_USER_MAIL="[email protected]" # Email attribute to assign to that user. Note that in packaged installations, a wizard step will assign this variable as well.
 ```
 
+Optionally, you can also completely disable the creation of such a user.
+
+> [!WARNING]
+> With the admin user seeding disabled, you need to have an LDAP or SSO integration set up through environment variables.
+> Otherwise, you will not be able to retain access to the system.
+
+```shell
+OPENPROJECT_SEED_ADMIN_USER_DISABLED="true"
+```
+
 ### Seeding LDAP connections
 
 OpenProject allows you to create and maintain an LDAP connection with optional synchronized group filters. This is relevant for e.g., automated deployments, where you want to trigger the synchronization right at the start.

diff --git a/spec/seeders/admin_user_seeder_spec.rb b/spec/seeders/admin_user_seeder_spec.rb
@@ -39,6 +39,18 @@
     expect { seeder.seed! }.to change { User.admin.count }.by(1)
   end
 
+  context "when skipped",
+          :settings_reset,
+          with_env: {
+            OPENPROJECT_SEED_ADMIN_USER_ENABLED: "false"
+          } do
+    it "skips the creation" do
+      reset(:seed_admin_user_enabled)
+
+      expect { seeder.seed! }.not_to change { User.admin.count }
+    end
+  end
+
   context "when providing admin user seed variables",
           :settings_reset,
           with_env: {