#4993 Add support for disabling user registration
Merged 3 years ago by pingou. Opened 3 years ago by ngompa.

file modified
+13
@@ -1117,6 +1117,7 @@ 

    the configuration options starting with ``OIDC_`` (see below) to be provided.

  

  * ``local`` causes pagure to use the local pagure database for user management.

+   User registration can be disabled with the ALLOW_USER_REGISTRATION configuration key.

  

  Defaults to: ``local``.

  
@@ -1784,6 +1785,18 @@ 

  Defaults to: ``True``

  

  

+ ALLOW_USER_REGISTRATION

+ ~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ This configuration key can be used to turn on or off user registration

+ (that is, the ability for users to create an account) in this pagure instance.

+ If turned off, user accounts cannot be created through the UI or API.

+ Currently, this key only applies to pagure instances configured with the ``local``

+ authentication backend and has no effect with the other authentication backends.

+ 

+ Defaults to: ``True``

+ 

+ 

  SESSION_COOKIE_NAME

  ~~~~~~~~~~~~~~~~~~~

  

@@ -78,6 +78,9 @@ 

  # Enables / Disables private projects

  PRIVATE_PROJECTS = True

  

+ # Enable / Disable user registration (local auth only)

+ ALLOW_USER_REGISTRATION = True

+ 

  # Enable / Disable deleting branches in the UI

  ALLOW_DELETE_BRANCH = True

  

@@ -18,11 +18,13 @@ 

          <input class="btn btn-primary btn-block mt-4" type="submit" value="Login">

          {{ form.csrf_token }}

        </form>

+       {% if config.get('ALLOW_USER_REGISTRATION', True) %}

        <div>

          <a class="btn btn-link btn-block" href="{{url_for('ui_ns.new_user') }}">

            Create a new account

          </a>

        </div>

+       {% endif %}

      </div>

    </div>

  </div>

file modified
+3
@@ -38,6 +38,9 @@ 

  def new_user():

      """ Create a new user.

      """

+     if not pagure.config.config.get("ALLOW_USER_REGISTRATION", True):

+         flask.flash("User registration is disabled.", "error")

+         return flask.redirect(flask.url_for("auth_login"))

      form = forms.NewUserForm()

      if form.validate_on_submit():

  
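Review bot: The guard placed at the top of new_user() runs before forms.NewUserForm() is built, so it rejects both the GET that renders the form and the POST that would create the account, which is the right place for it; however the documentation hunk in this PR promises that accounts "cannot be created through the UI or API" while this view is the only code path the patch guards, so please confirm there is no other account-creation route (an API endpoint or the email-confirmation flow) that needs the same check, or narrow the doc wording to the UI. The fallback default `True` is now spelled out both here and in the login template's `config.get('ALLOW_USER_REGISTRATION', True)`; since the sample config also ships `True` this is consistent, but a single source for the default would keep the three from drifting. The docstring should mention the new early exit, e.g. `Redirects to the login page with an error flash when ALLOW_USER_REGISTRATION is False.` The body of new_user continues past the hunk.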

@@ -150,6 +150,30 @@ 

          self.assertEqual(3, len(items))

  

      @patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})

+     @patch.dict("pagure.config.config", {"ALLOW_USER_REGISTRATION": False})

+     @patch("pagure.lib.notify.send_email", MagicMock(return_value=True))

+     def test_new_user_disabled(self):

+         """ Test the disabling of the new_user endpoint. """

+ 

+         # Check before:

+         items = pagure.lib.query.search_user(self.session)

+         self.assertEqual(2, len(items))

+ 

+         # Attempt to access the new user page

+         output = self.app.get("/user/new", follow_redirects=True)

+         self.assertEqual(output.status_code, 200)

+         self.assertIn(

+             "<title>Login - Pagure</title>", output.get_data(as_text=True)

+         )

+         self.assertIn(

+             "User registration is disabled.", output.get_data(as_text=True)

+         )

+ 

+         # Check after:

+         items = pagure.lib.query.search_user(self.session)

+         self.assertEqual(2, len(items))

+ 

+     @patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})

      @patch.dict("pagure.config.config", {"CHECK_SESSION_IP": False})

      def test_do_login(self):

          """ Test the do_login endpoint. """

For public or private Pagure instances intended to be used by a single user,
being able to turn off user registration prevents confusion and closes off
a potential denial-of-service avenue.

Fixes https://pagure.io/pagure/issue/4972

Signed-off-by: Neal Gompa ngompa13@gmail.com


Yay, the tests pass! :100:


That configuration key should have its own section (like all the others)


Pull-Request has been merged by pingou

3 years ago