From 466e701ce1662fd648a4e54f5e651e026fe7531d Mon Sep 17 00:00:00 2001
From: Neal Gompa
Date: Sep 24 2020 10:40:06 +0000
Subject: Add support for disabling user registration
For public/private Pagure instances where it is intended to be used by a single user, having the ability to turn off user registration prevents confusion and closes an avenue of potential denial of service attacks.
Signed-off-by: Neal Gompa
---
diff --git a/doc/configuration.rst b/doc/configuration.rst
index 735e378..2ea7a66 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -1117,6 +1117,7 @@ Valid options are ``fas``, ``openid``, ``oidc``, or ``local``.
 the configuration options starting with ``OIDC_`` (see below) to be provided.
 * ``local`` causes pagure to use the local pagure database for user management.
+ User registration can be disabled with the ALLOW_USER_REGISTRATION configuration key.
 Defaults to: ``local``.
@@ -1784,6 +1785,18 @@ If turned off, users are managed outside of pagure.
 Defaults to: ``True``
+ALLOW_USER_REGISTRATION
+~~~~~~~~~~~~~~~~~~~~~~~
+
+This configuration key can be used to turn on or off user registration
+(that is, the ability for users to create an account) in this pagure instance.
+If turned off, user accounts cannot be created through the UI or API.
+Currently, this key only applies to pagure instances configured with the ``local``
+authentication backend and has no effect with the other authentication backends.
+
+Defaults to: ``True``
+
+
 SESSION_COOKIE_NAME
 ~~~~~~~~~~~~~~~~~~~
diff --git a/pagure/default_config.py b/pagure/default_config.py
index 045f270..df0cd6b 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -78,6 +78,9 @@ ENABLE_GROUP_MNGT = True
 # Enables / Disables private projects
 PRIVATE_PROJECTS = True
+# Enable / Disable user registration (local auth only)
+ALLOW_USER_REGISTRATION = True
+
 # Enable / Disable deleting branches in the UI
 ALLOW_DELETE_BRANCH = True
diff --git a/pagure/templates/login/login.html b/pagure/templates/login/login.html
index a65b10a..e209c40 100644
--- a/pagure/templates/login/login.html
+++ b/pagure/templates/login/login.html
@@ -18,11 +18,13 @@ {{ form.csrf_token }}
+ {% if config.get('ALLOW_USER_REGISTRATION', True) %}
Create a new account
+ {% endif %}
diff --git a/pagure/ui/login.py b/pagure/ui/login.py
index 1a0dbd2..7da94a3 100644
--- a/pagure/ui/login.py
+++ b/pagure/ui/login.py
@@ -38,6 +38,9 @@ _log = logging.getLogger(__name__)
 def new_user():
 """ Create a new user. """
+ if not pagure.config.config.get("ALLOW_USER_REGISTRATION", True):
+ flask.flash("User registration is disabled.", "error")
+ return flask.redirect(flask.url_for("auth_login"))
 form = forms.NewUserForm()
 if form.validate_on_submit():
diff --git a/tests/test_pagure_flask_ui_login.py b/tests/test_pagure_flask_ui_login.py
index f11a2b2..8a1d16c 100644
--- a/tests/test_pagure_flask_ui_login.py
+++ b/tests/test_pagure_flask_ui_login.py
@@ -150,6 +150,30 @@ class PagureFlaskLogintests(tests.SimplePagureTest):
 self.assertEqual(3, len(items))
 @patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
+ @patch.dict("pagure.config.config", {"ALLOW_USER_REGISTRATION": False})
+ @patch("pagure.lib.notify.send_email", MagicMock(return_value=True))
+ def test_new_user_disabled(self):
+ """ Test the disabling of the new_user endpoint. """
+
+ # Check before:
+ items = pagure.lib.query.search_user(self.session)
+ self.assertEqual(2, len(items))
+
+ # Attempt to access the new user page
+ output = self.app.get("/user/new", follow_redirects=True)
+ self.assertEqual(output.status_code, 200)
+ self.assertIn(
+ "Login - Pagure", output.get_data(as_text=True)
+ )
+ self.assertIn(
+ "User registration is disabled.", output.get_data(as_text=True)
+ )
+
+ # Check after:
+ items = pagure.lib.query.search_user(self.session)
+ self.assertEqual(2, len(items))
+
+ @patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
 @patch.dict("pagure.config.config", {"CHECK_SESSION_IP": False})
 def test_do_login(self):
 """ Test the do_login endpoint. """
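Review bot: The guard added at the top of `new_user` in pagure/ui/login.py is the only server-side enforcement in this commit, yet the new doc text in doc/configuration.rst promises that accounts "cannot be created through the UI or API"; if any other handler creates local accounts (none is visible in this diff), it needs the same check, otherwise the doc wording should be narrowed to the UI. The hidden template link in login.html is cosmetic only, so this view-level check is what actually closes the registration path and deserves a docstring line, e.g. `""" Create a new user. Refuses with an error flash and a redirect to the login page when ALLOW_USER_REGISTRATION is False. """`. The `True` fallback passed to `config.get` duplicates the default introduced in pagure/default_config.py in this same commit, so the two can drift; a short comment on the `if` line pointing at that default would make the duplication deliberate. `new_user`'s body continues beyond the hunk.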
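Review bot: `test_new_user_disabled` only issues a GET to `/user/new`, so its before/after `search_user` count assertions cannot fail even if the guard were missing, because a GET never creates an account. The test should also POST a complete, valid registration form while the key is False and assert that the count stays at 2 and the `User registration is disabled.` flash appears; the test preceding this hunk, whose tail `self.assertEqual(3, len(items))` opens it, appears to submit exactly such a payload and can be reused. The decorator stack and the rest of the class sit partly outside the hunk.
```python
        # Check after: a valid registration POST must be refused as well
        # REGISTRATION_FORM_DATA is a placeholder for the payload used by the
        # existing form-submission test in this file
        output = self.app.post(
            "/user/new", data=REGISTRATION_FORM_DATA, follow_redirects=True
        )
        self.assertEqual(output.status_code, 200)
        self.assertIn(
            "User registration is disabled.", output.get_data(as_text=True)
        )
        items = pagure.lib.query.search_user(self.session)
        self.assertEqual(2, len(items))
```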