Add anonymous access option to core (#385)

* migrate anonymous access logic out of ee

* add anonymous access toggle

* handle anon toggle properly based on perms

* add forceEnableAnonymousAccess setting

* add docs for access settings

* change forceEnableAnonymousAccess to be an env var

* add FORCE_ENABLE_ANONYMOUS_ACCESS to list in docs

* add back the enablePublicAccess setting as deprecated

* add changelog entry

* fix build errors

* add news entry for anonymous access

* feedback

Author: msukkari

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - Fixed typos in UI, docs, code [#369](https://github.com/sourcebot-dev/sourcebot/pull/369)
+- Add anonymous access option to core and deprecate the `enablePublicAccess` config setting. [#385](https://github.com/sourcebot-dev/sourcebot/pull/385)
 
 ## [4.5.1] - 2025-07-14
 

demo-site-config.json

@@ -238,7 +238,6 @@
         }
     },
     "settings": {
-        "reindexIntervalMs": 86400000, // 24 hours
-        "enablePublicAccess": true
+        "reindexIntervalMs": 86400000 // 24 hours
     }
 }

docs/docs.json

@@ -73,7 +73,7 @@
                                 "pages": [
                                     "docs/configuration/auth/overview",
                                     "docs/configuration/auth/providers",
-                                    "docs/configuration/auth/inviting-members",
+                                    "docs/configuration/auth/access-settings",
                                     "docs/configuration/auth/roles-and-permissions",
                                     "docs/configuration/auth/faq"
                                 ]

docs/docs/configuration/auth/access-settings.mdx

@@ -0,0 +1,40 @@
+---
+title: Access Settings
+sidebarTitle: Access settings
+---
+
+There are various settings to control how users access your Sourcebot deployment.
+
+# Anonymous access
+
+<Note>Anonymous access cannot be enabled if you have an enterprise license. If you have any questions about this restriction [reach out to us](https://www.sourcebot.dev/contact).</Note>
+
+By default, your Sourcebot deployment is gated with a login page. If you'd like users to access the deployment anonymously, you can enable anonymous access. 
+
+This can be enabled by navigating to **Settings -> Access** or by setting the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable.
+
+When accessing Sourcebot anonymously, a user's permissions are limited to that of the  [Guest](/docs/configuration/auth/roles-and-permissions) role.
+
+# Member Approval 
+
+By default, Sourcebot requires new members to be approved by the owner of the deployment. This section explains how approvals work and how
+to configure this behavior.
+
+### Configuration
+Member approval can be configured by the owner of the deployment by navigating to **Settings -> Members**:
+
+![Member Approval Toggle](/images/member_approval_toggle.png)
+
+### Managing Requests
+
+If member approval is enabled, new members will be asked to submit a join request after signing up. They will not have access to the Sourcebot deployment
+until this request is approved by the owner.
+
+The owner can see and manage all pending join requests by navigating to **Settings -> Members**.
+
+## Invite link
+
+If member approval is required, an owner of the deployment can enable an invite link. When enabled, users
+can use this invite link to register and be automatically added to the organization without approval:
+
+![Invite Link Toggle](/images/invite_link_toggle.png)

docs/docs/configuration/auth/inviting-members.mdx

@@ -10,4 +10,5 @@ Each member has a role which defines their permissions within an organization:
 | Role | Permission |
 | :--- | :--------- |
 | `Owner` | Each organization has a single `Owner`. This user has full access rights, including: connection management, organization management, and inviting new members. |
-| `Member` | Read-only access to the organization. A `Member` can search across the repos indexed by an organization's connections, but may not manage the organization or its connections. |
+| `Member` | Read-only access to the organization. A `Member` can search across the repos indexed by an organization's connections, as well as view the organizations configuration and member list. However, they cannot modify this configuration or invite new members. |
+| `Guest` | When accessing Sourcebot [anonymously](/docs/configuration/auth/access-settings#anonymous-access), a user has the `Guest` role. `Guest`'s can search across repos indexed by an organization's connections, but cannot view any information regarding the organizations configuration or members. |

docs/docs/configuration/auth/roles-and-permissions.mdx

@@ -21,6 +21,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `DATABASE_DATA_DIR` | `$DATA_CACHE_DIR/db` | <p>The data directory for the default Postgres database.</p> |
 | `DATABASE_URL` | `postgresql://postgres@ localhost:5432/sourcebot` | <p>Connection string of your Postgres database. By default, a Postgres database is automatically provisioned at startup within the container.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url </p> |
 | `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> | 
+| `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
 | `REDIS_DATA_DIR` | `$DATA_CACHE_DIR/redis` | <p>The data directory for the default Redis instance.</p> |
 | `REDIS_URL` | `redis://localhost:6379` | <p>Connection string of your Redis instance. By default, a Redis database is automatically provisioned at startup within the container.</p> |
 | `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |

docs/docs/configuration/environment-variables.mdx

@@ -7,23 +7,6 @@ import SupportedPlatforms from '/snippets/platform-support.mdx'
 The following guide will walk you through the steps to deploy Sourcebot on your own infrastructure. Sourcebot is distributed as a [single docker container](/docs/overview#architecture) that can be deployed to a k8s cluster, a VM, or any platform that supports docker.
 
 
-## Walkthrough video
----
-
-Watch this quick walkthrough video to learn how to deploy Sourcebot using Docker.
-
-<iframe
-    src="https://youtube.com/embed/TPQh0z7Qcjg"
-    title="YouTube video player"
-    frameborder="0"
-    allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
-    allowfullscreen
-    className="aspect-video w-full"
-></iframe>
-
-## Step-by-step guide
----
-
 <Note>Hit an issue? Please let us know on [GitHub discussions](https://github.com/sourcebot-dev/sourcebot/discussions/categories/support) or by [emailing us](mailto:[email protected]).</Note>
 
 <Steps>

docs/docs/deployment-guide.mdx

@@ -66,7 +66,8 @@
         },
         "enablePublicAccess": {
           "type": "boolean",
-          "description": "[Sourcebot EE] When enabled, allows unauthenticated users to access Sourcebot. Requires an enterprise license with an unlimited number of seats.",
+          "deprecated": true,
+          "description": "This setting is deprecated. Please use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.",
           "default": false
         }
       },
@@ -180,7 +181,8 @@
         },
         "enablePublicAccess": {
           "type": "boolean",
-          "description": "[Sourcebot EE] When enabled, allows unauthenticated users to access Sourcebot. Requires an enterprise license with an unlimited number of seats.",
+          "deprecated": true,
+          "description": "This setting is deprecated. Please use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.",
           "default": false
         }
       },

docs/snippets/schemas/v3/index.schema.mdx

@@ -15,5 +15,5 @@ export const DEFAULT_SETTINGS: Settings = {
     maxRepoGarbageCollectionJobConcurrency: 8,
     repoGarbageCollectionGracePeriodMs: 10 * 1000, // 10 seconds
     repoIndexTimeoutMs: 1000 * 60 * 60 * 2, // 2 hours
-    enablePublicAccess: false,
+    enablePublicAccess: false // deprected, use FORCE_ENABLE_ANONYMOUS_ACCESS instead
 }