rpm/pagure
SHA256
1
0
Fork 0
forked from pool/pagure
Code Pull Requests Activity
pagure/0009-Add-support-for-disabling-user-registration.patch

135 lines
4.9 KiB
Diff
Raw Normal View History

- Backport various fixes from upstream + Patch: 0001-Display-real-line-numbers-on-pull-request-s-diff-vie.patch + Patch: 0002-Show-the-assignee-s-avatar-on-the-board.patch + Patch: 0003-Allow-setting-a-status-as-closing-even-if-the-projec.patch + Patch: 0004-Include-the-assignee-in-the-list-of-people-notified-.patch + Patch: 0005-Introduce-the-collaborator_project_groups-mapping.patch + Patch: 0006-When-a-file-a-detected-as-a-binary-file-return-the-r.patch + Patch: 0007-Remove-fenced-code-block-when-checking-mention.patch + Patch: 0008-Add-support-for-using-cchardet-to-detect-files-encod.patch + Patch: 0009-Add-support-for-disabling-user-registration.patch - Remove mandatory dependency on systemd to ease containerization OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/pagure?expand=0&rev=46
2020-09-24 23:02:09 +00:00
From 8e23c79fb64d4dd4e6f17f809d7e629840f7e91c Mon Sep 17 00:00:00 2001
From: Neal Gompa <ngompa13@gmail.com>
Date: Thu, 24 Sep 2020 06:40:06 -0400
Subject: [PATCH 9/9] Add support for disabling user registration
For public/private Pagure instances where it is intended to be used
by a single user, having the ability to turn off user registration
prevents confusion and closes an avenue of potential denial of service
attacks.
Signed-off-by: Neal Gompa <ngompa13@gmail.com>
---
doc/configuration.rst | 13 +++++++++++++
pagure/default_config.py | 3 +++
pagure/templates/login/login.html | 2 ++
pagure/ui/login.py | 3 +++
tests/test_pagure_flask_ui_login.py | 24 ++++++++++++++++++++++++
5 files changed, 45 insertions(+)
diff --git a/doc/configuration.rst b/doc/configuration.rst
index 735e378c..2ea7a66d 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -1117,6 +1117,7 @@ Valid options are ``fas``, ``openid``, ``oidc``, or ``local``.
the configuration options starting with ``OIDC_`` (see below) to be provided.
* ``local`` causes pagure to use the local pagure database for user management.
+ User registration can be disabled with the ALLOW_USER_REGISTRATION configuration key.
Defaults to: ``local``.
@@ -1784,6 +1785,18 @@ If turned off, users are managed outside of pagure.
Defaults to: ``True``
+ALLOW_USER_REGISTRATION
+~~~~~~~~~~~~~~~~~~~~~~~
+
+This configuration key can be used to turn on or off user registration
+(that is, the ability for users to create an account) in this pagure instance.
+If turned off, user accounts cannot be created through the UI or API.
+Currently, this key only applies to pagure instances configured with the ``local``
+authentication backend and has no effect with the other authentication backends.
+
+Defaults to: ``True``
+
+
SESSION_COOKIE_NAME
~~~~~~~~~~~~~~~~~~~
diff --git a/pagure/default_config.py b/pagure/default_config.py
index 045f2704..df0cd6b0 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -78,6 +78,9 @@ ENABLE_GROUP_MNGT = True
# Enables / Disables private projects
PRIVATE_PROJECTS = True
+# Enable / Disable user registration (local auth only)
+ALLOW_USER_REGISTRATION = True
+
# Enable / Disable deleting branches in the UI
ALLOW_DELETE_BRANCH = True
diff --git a/pagure/templates/login/login.html b/pagure/templates/login/login.html
index a65b10ae..e209c400 100644
--- a/pagure/templates/login/login.html
+++ b/pagure/templates/login/login.html
@@ -18,11 +18,13 @@
<input class="btn btn-primary btn-block mt-4" type="submit" value="Login">
{{ form.csrf_token }}
</form>
+ {% if config.get('ALLOW_USER_REGISTRATION', True) %}
<div>
<a class="btn btn-link btn-block" href="{{url_for('ui_ns.new_user') }}">
Create a new account
</a>
</div>
+ {% endif %}
</div>
</div>
</div>
diff --git a/pagure/ui/login.py b/pagure/ui/login.py
index 1a0dbd24..7da94a37 100644
--- a/pagure/ui/login.py
+++ b/pagure/ui/login.py
@@ -38,6 +38,9 @@ _log = logging.getLogger(__name__)
def new_user():
""" Create a new user.
"""
+ if not pagure.config.config.get("ALLOW_USER_REGISTRATION", True):
+ flask.flash("User registration is disabled.", "error")
+ return flask.redirect(flask.url_for("auth_login"))
form = forms.NewUserForm()
if form.validate_on_submit():
diff --git a/tests/test_pagure_flask_ui_login.py b/tests/test_pagure_flask_ui_login.py
index f11a2b22..8a1d16c7 100644
--- a/tests/test_pagure_flask_ui_login.py
+++ b/tests/test_pagure_flask_ui_login.py
@@ -149,6 +149,30 @@ class PagureFlaskLogintests(tests.SimplePagureTest):
items = pagure.lib.query.search_user(self.session)
self.assertEqual(3, len(items))
+ @patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
+ @patch.dict("pagure.config.config", {"ALLOW_USER_REGISTRATION": False})
+ @patch("pagure.lib.notify.send_email", MagicMock(return_value=True))
+ def test_new_user_disabled(self):
+ """ Test the disabling of the new_user endpoint. """
+
+ # Check before:
+ items = pagure.lib.query.search_user(self.session)
+ self.assertEqual(2, len(items))
+
+ # Attempt to access the new user page
+ output = self.app.get("/user/new", follow_redirects=True)
+ self.assertEqual(output.status_code, 200)
+ self.assertIn(
+ "<title>Login - Pagure</title>", output.get_data(as_text=True)
+ )
+ self.assertIn(
+ "User registration is disabled.", output.get_data(as_text=True)
+ )
+
+ # Check after:
+ items = pagure.lib.query.search_user(self.session)
+ self.assertEqual(2, len(items))
+
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch.dict("pagure.config.config", {"CHECK_SESSION_IP": False})
def test_do_login(self):
--
2.26.2
Copy Permalink