How to disable Create Project permission for users by default in GitLab?

Question

I am using the Omnibus GitLab CE system with LDAP authentication.

Because of LDAP authentication, anyone in my company can sign in to GitLab and a new GitLab user account associated with this user is created (according to my understanding).

I want to modify it so that by default this new user (who can automatically sign in based on his LDAP credentials) cannot create new projects.

Then, I as the admin, will probably handle most new project creation.

I might give the Create Project permission to a few special users.

Answer 1

Not an answer to how, but a reminder that the project limit settings in GitLab, globally for new users as well as retroactively for existing users, so far (version <= 17.3), apply only to the personal namespace, i.e.

https://mygitlab.com/$USERNAME/

Inside groups, users can still create projects, if for example their role allows it according to a group's Permissions and group features settings.

Source:

• https://docs.gitlab.com/17.3/ee/administration/settings/account_and_limit_settings.html#default-projects-limit

Answer 2

In newer versions of GitLab >= v7.8 …

This is not a setting in config/gitlab.yml but rather in the GUI for admins.

Simply navigate to https://___[your GitLab URL]___/admin/application_settings/general#js-account-settings, and set Default projects limit to 0.

You can then access individual users's project limit at https://___[your GitLab URL]___/admin/users.

See GitLab's update docs for more settings changed between v7.7 and v7.8.

git diff origin/7-7-stable:config/gitlab.yml.example origin/7-8-stable:config/gitlab.yml.example

Answer 3

For all new users:

Refer to Nick Merrill answer.

For all existing users:

This is the best and quick method to make changes to projects limits:

$ gitlab-rails runner "User.where(projects_limit: 10).each { |u| u.projects_limit = 0; u.save }"

Answer 4

Here's my quick-and-dirty Python script which you can use in case you already have some users created and want to change all your existing users to make them unable to create projects on their own:

#!/usr/bin/env python

import requests
import json

gitlab_url = "https://<your_gitlab_host_and_domain>/api/v3"
headers = {'PRIVATE-TOKEN': '<private_token_of_a_user_with_admin_rights>'}

def set_user_projects_limit_to_zero (user):
    user_id = str(user['id'])
    put = requests.put(gitlab_url + "/users/" + user_id + "?projects_limit=0", headers=headers)
    if put.status_code != 200:
        print "!!! change failed with user id=%s, status code=%s" % (user_id, put.status_code)
        exit(1)
    else:
        print "user with id=%s changed!" % user_id

users_processed = 0
page_no = 1
total_pages = 1
print "processing 1st page of users..."
while page_no <= total_pages:
    users = requests.get(gitlab_url + "/users?page=" + str(page_no), headers=headers)
    total_pages = int(users.headers['X-Total-Pages'])
    for user in users.json():
        set_user_projects_limit_to_zero(user)
        users_processed = users_processed + 1
    print "processed page %s/%s..." % (page_no, total_pages)
    page_no = page_no + 1
print "no of processed users=%s" % users_processed

Tested & working with GitLab CE 8.4.1 052b38d, YMMV.

Answer 5

( Update: This applies to versions <= 7.7:)

The default permissions are set in gitlab.yml

In omnibus, that is /opt/gitlab/embedded/service/gitlab-rails/config/gitlab.yml

Look for

## User settings
default_projects_limit: 10
# default_can_create_group: false  # default: true

Setting default_projects_limit to zero, and default_can_create_group to false may be what you want. Then an admin can change the limits for individual users.

Update:

This setting was included in the admin GUI in version 7.8 (see answer by @Nick M). At least with Omnibus on Centos7 an upgrade retains the setting.

Note that the setting default_can_create_group is still in gitlab.yml.