diff --git a/app/seeders/admin_user_seeder.rb b/app/seeders/admin_user_seeder.rb index 861e5e3fa7e9..dd69aea83bec 100644 --- a/app/seeders/admin_user_seeder.rb +++ b/app/seeders/admin_user_seeder.rb @@ -27,14 +27,10 @@ #++ class AdminUserSeeder < Seeder def seed_data! - user = new_admin - if user.save!(validate: false) - seed_data.store_reference(:openproject_admin, user) + if Setting.seed_admin_user_enabled? + seed_admin! else - print_error "Seeding admin failed:" - user.errors.full_messages.each do |msg| - print_error " #{msg}" - end + Seeder.logger.debug { " *** skipped as explicity disabled" } end end @@ -50,6 +46,18 @@ def not_applicable_message "No need to seed an admin as there already is one." end + def seed_admin! + user = new_admin + if user.save!(validate: false) + seed_data.store_reference(:openproject_admin, user) + else + print_error "Seeding admin failed:" + user.errors.full_messages.each do |msg| + print_error " #{msg}" + end + end + end + def new_admin # rubocop:disable Metrics/AbcSize User.new.tap do |user| user.admin = true diff --git a/config/constants/settings/definition.rb b/config/constants/settings/definition.rb index 16fe9e0705f2..c50422228ff7 100644 --- a/config/constants/settings/definition.rb +++ b/config/constants/settings/definition.rb @@ -923,6 +923,12 @@ class Definition default: "https://releases.openproject.com/v1/check.svg", writable: false }, + seed_admin_user_enabled: { + description: "Enable setting the admin user on startup. " \ + "If you set this to false, You will have to create an admin user manually.", + default: true, + writable: false + }, seed_admin_user_password: { description: 'Password to set for the initially created admin user (Login remains "admin").', default: "admin", diff --git a/docs/installation-and-operations/configuration/README.md b/docs/installation-and-operations/configuration/README.md index 839ec412458f..920cc26e29ae 100644 --- a/docs/installation-and-operations/configuration/README.md 
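Review bot: In `AdminUserSeeder#seed_data!` the skip branch logs only through `Seeder.logger.debug`, so with an info-level log configuration nothing records that no admin account was created, and the message misspells "explicitly". Skipping this seed can leave an instance without a local administrator, so I would log it where operators will see it and name the setting: `Seeder.logger.info { " *** skipped: seed_admin_user_enabled is false, no admin user created" }`. The class body continues outside this hunk.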
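Review bot: The `else` branch of the new `seed_admin!` looks unreachable, because `save!` raises when the record cannot be saved rather than returning false. With `validate: false` no validations run, so `user.errors.full_messages` would have nothing to print anyway. The body was moved unchanged from `seed_data!`, so this is inherited, but the extraction is a good moment to drop the branch (`user.save!(validate: false)` followed by `seed_data.store_reference(:openproject_admin, user)`). If the printed error is wanted, switch to `user.save(validate: false)` instead. A one-line comment stating why validation is bypassed for this account would also help the next reader.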
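Review bot: The setting added in `config/constants/settings/definition.rb` is `seed_admin_user_enabled`, but the README hunk of this commit tells operators to set `OPENPROJECT_SEED_ADMIN_USER_DISABLED="true"`, while the spec hunk uses `OPENPROJECT_SEED_ADMIN_USER_ENABLED: "false"`. If the environment variable is derived from the setting name, as the spec suggests, an operator following the README would set a variable that is not read. They would still get the seeded admin, whose password defaults to `"admin"` per the neighbouring `seed_admin_user_password` entry. The README example should read `OPENPROJECT_SEED_ADMIN_USER_ENABLED="false"`. In the description string, `You will have to` should be lower-case `you`.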
+++ b/docs/installation-and-operations/configuration/README.md @@ -173,6 +173,16 @@ OPENPROJECT_SEED_ADMIN_USER_NAME="OpenProject Admin" # Name to assign to that us OPENPROJECT_SEED_ADMIN_USER_MAIL="admin@example.net" # Email attribute to assign to that user. Note that in packaged installations, a wizard step will assign this variable as well. ``` +Optionally, you can also completely disable the creation of such a user. + +> [!WARNING] +> With the admin user seeding disabled, you need to have an LDAP or SSO integration set up through environment variables. +> Otherwise, you will not be able to retain access to the system. + +```shell +OPENPROJECT_SEED_ADMIN_USER_DISABLED="true" +``` + ### Seeding LDAP connections OpenProject allows you to create and maintain an LDAP connection with optional synchronized group filters. This is relevant for e.g., automated deployments, where you want to trigger the synchronization right at the start. diff --git a/spec/seeders/admin_user_seeder_spec.rb b/spec/seeders/admin_user_seeder_spec.rb index 0dcb79608102..5f11961ab11b 100644 --- a/spec/seeders/admin_user_seeder_spec.rb +++ b/spec/seeders/admin_user_seeder_spec.rb @@ -39,6 +39,18 @@ expect { seeder.seed! }.to change { User.admin.count }.by(1) end + context "when skipped", + :settings_reset, + with_env: { + OPENPROJECT_SEED_ADMIN_USER_ENABLED: "false" + } do + it "skips the creation" do + reset(:seed_admin_user_enabled) + + expect { seeder.seed! }.not_to change { User.admin.count } + end + end + context "when providing admin user seed variables", :settings_reset, with_env: {
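Review bot: The new "when skipped" context in `spec/seeders/admin_user_seeder_spec.rb` asserts only that `User.admin.count` is unchanged; it does not cover the `:openproject_admin` reference that `seed_admin!` would otherwise store. If later seeders look that reference up (not visible in this diff, so worth confirming), a full seed run with the setting disabled could fail after this seeder is skipped. I would add an example that exercises the consumers of that reference under `OPENPROJECT_SEED_ADMIN_USER_ENABLED: "false"`, or at least one asserting that the skip stores no reference. The enclosing `describe` block starts and ends outside the hunk.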