User Approval System for Protected Content Access #5776
Description
Pre-submission Checklist
- I have searched existing issues and confirmed this feature has not been requested
- This is a feature request, not a bug report or question
Feature Area
User Experience (UX)
Problem or Use Case
Currently, new users can immediately access protected content after registration without requiring admin approval. This poses security risks for organizations that want to control who can access internal content.
The current authentication flow allows any authenticated user to access protected content immediately after registration (memo_service.go:303-314). The CreateUser endpoint is public and allows immediate registration (acl_config.go:21).
Proposed Solution
Implement a user approval system that requires admin approval before new users can access protected content. This would involve:
- Add User Status Field: Extend the User entity with an approval status field (e.g., PENDING, APPROVED, REJECTED)
- Modify Authentication Logic: Update the authenticator to check user approval status in server/auth/authenticator.go
- Create Admin Interface: Add endpoints for admins to approve/reject pending users
- Update Access Control: Modify memo access checks to consider user approval status
The approval check should be integrated into the existing authentication flow where users are validated via JWT access tokens or Personal Access Tokens (token.go:7-11).
Alternatives Considered
- Role-based restrictions: Could use existing role system but would require creating custom roles for each approval state
- Instance-level settings: Could disable user registration entirely, but this prevents any new user creation
- External authentication: Could rely on SSO providers for approval, but this doesn't help with local user registration
Alternatives Considered
No response
Additional Context
No response
Contribution
- I'm willing to submit a pull request for this feature
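
An added sketch of the approval gate this request describes, written in Go for illustration and not taken from the project's code; the `User`, `ApprovalStatus`, `CheckAccess` and `SetStatus` names are hypothetical. It denies every status other than APPROVED, so accounts that predate the field would have to be set to APPROVED when the field is introduced.

```go
package main

import "errors"

// ApprovalStatus is hypothetical; its values are the ones named in the issue.
type ApprovalStatus string

const (
	Pending  ApprovalStatus = "PENDING"
	Approved ApprovalStatus = "APPROVED"
	Rejected ApprovalStatus = "REJECTED"
)

type User struct { // stand-in for the real entity, reduced to what the gate needs
	Admin  bool
	Status ApprovalStatus
}

var (
	ErrNotApproved = errors.New("account not approved")
	ErrForbidden   = errors.New("approved admin required")
	ErrTransition  = errors.New("invalid status transition")
)

// CheckAccess runs after token validation and fails closed on any non-APPROVED status.
func CheckAccess(u *User) error {
	if u == nil || u.Status != Approved {
		return ErrNotApproved
	}
	return nil
}

// SetStatus is the admin decision; the actor must itself be an approved admin.
func SetStatus(actor, target *User, next ApprovalStatus) error {
	if actor == nil || !actor.Admin || CheckAccess(actor) != nil {
		return ErrForbidden
	}
	if target == nil || (next != Approved && next != Rejected) {
		return ErrTransition
	}
	target.Status = next
	return nil
}

func main() {
	admin, u := &User{Admin: true, Status: Approved}, &User{Status: Pending}
	if err := SetStatus(admin, u, Approved); err != nil || CheckAccess(u) != nil {
		panic("approval gate misbehaved")
	}
}
```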