fix: Prevent signup in backend when PREVENT_SIGNUP set to false (#4650
)
khvn26 authored Sep 23, 2024
1 parent 025f178 commit 24ce3bd
Showing 2 changed files with 11 additions and 3 deletions.
4 changes: 2 additions & 2 deletions api/app/settings/common.py
Expand Up @@ -795,7 +795,7 @@
}

USER_CREATE_PERMISSIONS = env.list(
"USER_CREATE_PERMISSIONS", default=["rest_framework.permissions.AllowAny"]
"USER_CREATE_PERMISSIONS", default=["custom_auth.permissions.IsSignupAllowed"]
)

DJOSER = {
Expand Down Expand Up @@ -892,7 +892,6 @@
API_URL = env("API_URL", default="/api/v1/")
ASSET_URL = env("ASSET_URL", default="/")
MAINTENANCE_MODE = env.bool("MAINTENANCE_MODE", default=False)
PREVENT_SIGNUP = env.bool("PREVENT_SIGNUP", default=False)
PREVENT_EMAIL_PASSWORD = env.bool("PREVENT_EMAIL_PASSWORD", default=False)
DISABLE_ANALYTICS_FEATURES = env.bool(
"DISABLE_INFLUXDB_FEATURES", default=False
Expand Down Expand Up @@ -1038,6 +1037,7 @@
)

DISABLE_INVITE_LINKS = env.bool("DISABLE_INVITE_LINKS", False)
PREVENT_SIGNUP = env.bool("PREVENT_SIGNUP", default=False)

# use a separate boolean setting so that we add it to the API containers in environments
# where we're running the task processor, so we avoid creating unnecessary tasks
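Review bot: The new default for `USER_CREATE_PERMISSIONS` is the only place visible in this commit where `PREVENT_SIGNUP` is enforced server-side, so a deployment that already sets that variable explicitly (for example to the previous default, `rest_framework.permissions.AllowAny`) would keep signup open even with `PREVENT_SIGNUP=True`. A comment above the setting would make the coupling visible, e.g. `# Overriding this list without custom_auth.permissions.IsSignupAllowed disables backend enforcement of PREVENT_SIGNUP.` Presumably the list feeds the user-create permission in the `DJOSER` dict that follows, but that mapping is outside the hunk. The move of `PREVENT_SIGNUP` further down the file is not explained by anything visible, so a short why-comment there would help too.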
10 changes: 9 additions & 1 deletion api/custom_auth/permissions.py
@@ -1,4 +1,7 @@
from rest_framework.permissions import IsAuthenticated
from django.conf import settings
from django.views import View
from rest_framework.permissions import AllowAny, IsAuthenticated
from rest_framework.request import Request


class CurrentUser(IsAuthenticated):
Expand All @@ -11,3 +14,8 @@ def has_permission(self, request, view):

def has_object_permission(self, request, view, obj):
return obj.id == request.user.id


class IsSignupAllowed(AllowAny):
def has_permission(self, request: Request, view: View) -> bool:
return not settings.PREVENT_SIGNUP
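Review bot: `IsSignupAllowed` has no docstring, and the commit (two changed files) adds no test, so the backend check for `PREVENT_SIGNUP` is not pinned against regression. I would add a docstring such as `"""Deny user creation while settings.PREVENT_SIGNUP is true."""` and a test asserting that the user-create endpoint is refused when the setting is on and accepted when it is off. Subclassing `AllowAny` is slightly misleading for a permission that can deny; `BasePermission` would state the intent more directly. Whether invitation-based or SSO registration should stay open while the flag is set is not visible here and is worth confirming.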
