-rw-r--r--api4/user_test.go51
-rw-r--r--app/diagnostics.go1
-rw-r--r--app/ldap.go8
-rw-r--r--app/oauth.go8
-rw-r--r--config/default.json1
-rw-r--r--model/config.go5
-rw-r--r--utils/config.go2
7 files changed, 75 insertions, 1 deletions
diff --git a/api4/user_test.go b/api4/user_test.go
index 0c2b86eda..9c554da54 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -2117,6 +2117,57 @@ func TestSwitchAccount(t *testing.T) {
t.Fatal("bad link")
}
+ isLicensed := utils.IsLicensed()
+ license := utils.License()
+ enableAuthenticationTransfer := *th.App.Config().ServiceSettings.ExperimentalEnableAuthenticationTransfer
+ defer func() {
+ utils.SetIsLicensed(isLicensed)
+ utils.SetLicense(license)
+ th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ExperimentalEnableAuthenticationTransfer = enableAuthenticationTransfer })
+ }()
+ utils.SetIsLicensed(true)
+ utils.SetLicense(&model.License{Features: &model.Features{}})
+ utils.License().Features.SetDefaults()
+ th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ExperimentalEnableAuthenticationTransfer = false })
+
+ sr = &model.SwitchRequest{
+ CurrentService: model.USER_AUTH_SERVICE_EMAIL,
+ NewService: model.USER_AUTH_SERVICE_GITLAB,
+ }
+
+ _, resp = Client.SwitchAccountType(sr)
+ CheckForbiddenStatus(t, resp)
+
+ th.LoginBasic()
+
+ sr = &model.SwitchRequest{
+ CurrentService: model.USER_AUTH_SERVICE_SAML,
+ NewService: model.USER_AUTH_SERVICE_EMAIL,
+ Email: th.BasicUser.Email,
+ NewPassword: th.BasicUser.Password,
+ }
+
+ _, resp = Client.SwitchAccountType(sr)
+ CheckForbiddenStatus(t, resp)
+
+ sr = &model.SwitchRequest{
+ CurrentService: model.USER_AUTH_SERVICE_EMAIL,
+ NewService: model.USER_AUTH_SERVICE_LDAP,
+ }
+
+ _, resp = Client.SwitchAccountType(sr)
+ CheckForbiddenStatus(t, resp)
+
+ sr = &model.SwitchRequest{
+ CurrentService: model.USER_AUTH_SERVICE_LDAP,
+ NewService: model.USER_AUTH_SERVICE_EMAIL,
+ }
+
+ _, resp = Client.SwitchAccountType(sr)
+ CheckForbiddenStatus(t, resp)
+
+ th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.ExperimentalEnableAuthenticationTransfer = true })
+
th.LoginBasic()
fakeAuthData := model.NewId()
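Review bot: The four new `CheckForbiddenStatus(t, resp)` assertions check only the HTTP status, so a 403 raised by any other check on the switch path would pass the test even if the new setting was not what rejected the request. Pin the cause by also asserting the error id, for example `if resp.Error.Id != "api.user.email_to_oauth.not_available.app_error" { t.Fatal("wrong error id") }` for the email-to-GitLab case, with the matching ids for the other three. The hunk also covers only the licensed case. Because the app-layer gate is `utils.IsLicensed() && !…`, a case with `utils.SetIsLicensed(false)` and the setting off would show that switching is still allowed on an unlicensed server. TestSwitchAccount starts and ends outside the hunk.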
diff --git a/app/diagnostics.go b/app/diagnostics.go
index 250b38646..513cf11f5 100644
--- a/app/diagnostics.go
+++ b/app/diagnostics.go
@@ -194,6 +194,7 @@ func (a *App) trackConfig() {
"enable_user_access_tokens": *cfg.ServiceSettings.EnableUserAccessTokens,
"enable_custom_emoji": *cfg.ServiceSettings.EnableCustomEmoji,
"enable_emoji_picker": *cfg.ServiceSettings.EnableEmojiPicker,
+ "experimental_enable_authentication_transfer": *cfg.ServiceSettings.ExperimentalEnableAuthenticationTransfer,
"restrict_custom_emoji_creation": *cfg.ServiceSettings.RestrictCustomEmojiCreation,
"enable_testing": cfg.ServiceSettings.EnableTesting,
"enable_developer": *cfg.ServiceSettings.EnableDeveloper,
diff --git a/app/ldap.go b/app/ldap.go
index a01a4aeb6..49f3d034a 100644
--- a/app/ldap.go
+++ b/app/ldap.go
@@ -39,6 +39,10 @@ func (a *App) TestLdap() *model.AppError {
}
func (a *App) SwitchEmailToLdap(email, password, code, ldapId, ldapPassword string) (string, *model.AppError) {
+ if utils.IsLicensed() && !*a.Config().ServiceSettings.ExperimentalEnableAuthenticationTransfer {
+ return "", model.NewAppError("emailToLdap", "api.user.email_to_ldap.not_available.app_error", nil, "", http.StatusForbidden)
+ }
+
user, err := a.GetUserByEmail(email)
if err != nil {
return "", err
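Review bot: The guard `utils.IsLicensed() && !*a.Config().ServiceSettings.ExperimentalEnableAuthenticationTransfer` is copied into four entry points, so a switch path added later can miss it without anything failing. It appears here in SwitchEmailToLdap, in SwitchLdapToEmail in the next hunk, and in SwitchEmailToOAuth and SwitchOAuthToEmail in app/oauth.go. Moving the condition into one unexported method on `*App` and calling it from each function would keep the policy in one place. That method is also where I would put a comment such as `// Authentication transfer can only be disabled on licensed servers; without a licence the setting is ignored.`, since an administrator who sets the value to false on an unlicensed server gets no enforcement and nothing on these lines says so. Both function bodies continue outside their hunks.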
@@ -71,6 +75,10 @@ func (a *App) SwitchEmailToLdap(email, password, code, ldapId, ldapPassword stri
}
func (a *App) SwitchLdapToEmail(ldapPassword, code, email, newPassword string) (string, *model.AppError) {
+ if utils.IsLicensed() && !*a.Config().ServiceSettings.ExperimentalEnableAuthenticationTransfer {
+ return "", model.NewAppError("ldapToEmail", "api.user.ldap_to_email.not_available.app_error", nil, "", http.StatusForbidden)
+ }
+
user, err := a.GetUserByEmail(email)
if err != nil {
return "", err
diff --git a/app/oauth.go b/app/oauth.go
index f27facbec..3202ac5ed 100644
--- a/app/oauth.go
+++ b/app/oauth.go
@@ -717,6 +717,10 @@ func (a *App) AuthorizeOAuthUser(w http.ResponseWriter, r *http.Request, service
}
func (a *App) SwitchEmailToOAuth(w http.ResponseWriter, r *http.Request, email, password, code, service string) (string, *model.AppError) {
+ if utils.IsLicensed() && !*a.Config().ServiceSettings.ExperimentalEnableAuthenticationTransfer {
+ return "", model.NewAppError("emailToOAuth", "api.user.email_to_oauth.not_available.app_error", nil, "", http.StatusForbidden)
+ }
+
var user *model.User
var err *model.AppError
if user, err = a.GetUserByEmail(email); err != nil {
@@ -743,6 +747,10 @@ func (a *App) SwitchEmailToOAuth(w http.ResponseWriter, r *http.Request, email,
}
func (a *App) SwitchOAuthToEmail(email, password, requesterId string) (string, *model.AppError) {
+ if utils.IsLicensed() && !*a.Config().ServiceSettings.ExperimentalEnableAuthenticationTransfer {
+ return "", model.NewAppError("oauthToEmail", "api.user.oauth_to_email.not_available.app_error", nil, "", http.StatusForbidden)
+ }
+
var user *model.User
var err *model.AppError
if user, err = a.GetUserByEmail(email); err != nil {
diff --git a/config/default.json b/config/default.json
index 96eb0ed63..e6f9cab1b 100644
--- a/config/default.json
+++ b/config/default.json
@@ -46,6 +46,7 @@
"RestrictPostDelete": "all",
"AllowEditPost": "always",
"PostEditTimeLimit": 300,
+ "ExperimentalEnableAuthenticationTransfer": true,
"TimeBetweenUserTypingUpdatesMilliseconds": 5000,
"EnablePostSearch": true,
"EnableUserTypingMessages": true,
diff --git a/model/config.go b/model/config.go
index 00322156e..e2f05d72e 100644
--- a/model/config.go
+++ b/model/config.go
@@ -203,6 +203,7 @@ type ServiceSettings struct {
EnableUserTypingMessages *bool
EnableChannelViewedMessages *bool
EnableUserStatuses *bool
+ ExperimentalEnableAuthenticationTransfer *bool
ClusterLogTimeoutMilliseconds *int
CloseUnusedDirectMessages *bool
EnablePreviewFeatures *bool
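Review bot: `ExperimentalEnableAuthenticationTransfer` is added to ServiceSettings without a comment, and the name does not make clear that false blocks switching a user's sign-in method or that the default is the permissive value. I would add a field comment, e.g. `// When false (licensed servers only), users cannot switch between email, LDAP and OAuth sign-in; nil defaults to true.` The SetDefaults hunk below maps nil to `NewBool(true)`, so a config file that omits the key keeps transfers enabled. That is worth stating in the upgrade notes for administrators who expect the restriction to be on. The struct and SetDefaults both continue outside their hunks.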
@@ -391,6 +392,10 @@ func (s *ServiceSettings) SetDefaults() {
s.AllowEditPost = NewString(ALLOW_EDIT_POST_ALWAYS)
}
+ if s.ExperimentalEnableAuthenticationTransfer == nil {
+ s.ExperimentalEnableAuthenticationTransfer = NewBool(true)
+ }
+
if s.PostEditTimeLimit == nil {
s.PostEditTimeLimit = NewInt(300)
}
diff --git a/utils/config.go b/utils/config.go
index a91a20711..929e39346 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -526,7 +526,6 @@ func getClientConfig(c *model.Config) map[string]string {
props["EnableEmojiPicker"] = strconv.FormatBool(*c.ServiceSettings.EnableEmojiPicker)
props["RestrictCustomEmojiCreation"] = *c.ServiceSettings.RestrictCustomEmojiCreation
props["MaxFileSize"] = strconv.FormatInt(*c.FileSettings.MaxFileSize, 10)
-
props["AppDownloadLink"] = *c.NativeAppSettings.AppDownloadLink
props["AndroidAppDownloadLink"] = *c.NativeAppSettings.AndroidAppDownloadLink
props["IosAppDownloadLink"] = *c.NativeAppSettings.IosAppDownloadLink
@@ -547,6 +546,7 @@ func getClientConfig(c *model.Config) map[string]string {
if IsLicensed() {
License := License()
props["ExperimentalTownSquareIsReadOnly"] = strconv.FormatBool(*c.TeamSettings.ExperimentalTownSquareIsReadOnly)
+ props["ExperimentalEnableAuthenticationTransfer"] = strconv.FormatBool(*c.ServiceSettings.ExperimentalEnableAuthenticationTransfer)
if *License.Features.CustomBrand {
props["EnableCustomBrand"] = strconv.FormatBool(*c.TeamSettings.EnableCustomBrand)