From 24ce3bd44c8dd8183f33825c367de11e3bb9c531 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 23 Sep 2024 17:31:05 +0100
Subject: [PATCH] fix: Prevent signup in backend when `PREVENT_SIGNUP` set to false (#4650)
---
 api/app/settings/common.py | 4 ++--
 api/custom_auth/permissions.py | 10 +++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/api/app/settings/common.py b/api/app/settings/common.py
index 2c21244b6df3..73955a870d13 100644
--- a/api/app/settings/common.py
+++ b/api/app/settings/common.py
@@ -795,7 +795,7 @@
 }
 USER_CREATE_PERMISSIONS = env.list(
- "USER_CREATE_PERMISSIONS", default=["rest_framework.permissions.AllowAny"]
+ "USER_CREATE_PERMISSIONS", default=["custom_auth.permissions.IsSignupAllowed"]
 )
 DJOSER = {
@@ -892,7 +892,6 @@
 API_URL = env("API_URL", default="/api/v1/")
 ASSET_URL = env("ASSET_URL", default="/")
 MAINTENANCE_MODE = env.bool("MAINTENANCE_MODE", default=False)
-PREVENT_SIGNUP = env.bool("PREVENT_SIGNUP", default=False)
 PREVENT_EMAIL_PASSWORD = env.bool("PREVENT_EMAIL_PASSWORD", default=False)
 DISABLE_ANALYTICS_FEATURES = env.bool(
 "DISABLE_INFLUXDB_FEATURES", default=False
@@ -1038,6 +1037,7 @@
 )
 DISABLE_INVITE_LINKS = env.bool("DISABLE_INVITE_LINKS", False)
+PREVENT_SIGNUP = env.bool("PREVENT_SIGNUP", default=False)
 # use a separate boolean setting so that we add it to the API containers in environments
 # where we're running the task processor, so we avoid creating unnecessary tasks
diff --git a/api/custom_auth/permissions.py b/api/custom_auth/permissions.py
index 125f65290341..4910456e19a1 100644
--- a/api/custom_auth/permissions.py
+++ b/api/custom_auth/permissions.py
@@ -1,4 +1,7 @@
-from rest_framework.permissions import IsAuthenticated
+from django.conf import settings
+from django.views import View
+from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.request import Request
 class CurrentUser(IsAuthenticated):
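Review bot: The new `USER_CREATE_PERMISSIONS` default only takes effect for deployments that do not override that setting; an environment that already sets it explicitly (for example to the previous `rest_framework.permissions.AllowAny`) keeps accepting signups regardless of `PREVENT_SIGNUP`, and nothing in the settings says so. A comment above the `env.list(` call would make the coupling visible, e.g. `# Overriding this list replaces IsSignupAllowed, so PREVENT_SIGNUP is then no longer enforced for user creation.` Because the class is referenced by dotted path, a typo in it would only surface on the first signup request rather than at startup, so it is worth confirming that a test exercises the default. The other two hunks in this file only relocate the `PREVENT_SIGNUP` line and need no change.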
@@ -11,3 +14,8 @@ def has_permission(self, request, view):
 def has_object_permission(self, request, view, obj):
 return obj.id == request.user.id
+
+
+class IsSignupAllowed(AllowAny):
+ def has_permission(self, request: Request, view: View) -> bool:
+ return not settings.PREVENT_SIGNUP
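Review bot: `IsSignupAllowed` inherits from `AllowAny` but exists to deny, so a reader (or any code that treats `AllowAny` subclasses as permissive) gets the wrong signal; deriving from `BasePermission` says what it is, and a `message` attribute gives the denied caller a reason instead of DRF's generic permission error. Suggested lines: `from rest_framework.permissions import BasePermission, IsAuthenticated` in the import hunk at the top of this file, `class IsSignupAllowed(BasePermission):`, and `message = "Signup is disabled."` (example text), plus a docstring stating that `has_permission` returns False only when `settings.PREVENT_SIGNUP` is true, which defaults to False in `common.py`, so the check is open by default. `has_object_permission` is not overridden and falls back to the base's True; that is fine for a create-only endpoint but worth stating in the docstring. The `view` annotation uses `django.views.View`, while DRF passes an `APIView` instance here, so `rest_framework.views.APIView` would be the tighter type if the import is changed anyway.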