diff src/server/server.py @ 871:54f6c5b86a87

server, browser: new "allow_registration" option to enable/disable new account registration through the Libervia interface
author Goffi <goffi@goffi.org>
date Mon, 29 Feb 2016 12:40:14 +0100
parents fa7703642c0e
children 0cf250066b8a
--- a/src/server/server.py	Mon Feb 29 12:37:58 2016 +0100
+++ b/src/server/server.py	Mon Feb 29 12:40:14 2016 +0100
@@ -943,6 +943,9 @@
             return C.BAD_REQUEST
 
         if submit_type == 'register':
+            if not self.sat_host.options["allow_registration"]:
+                log.warning(u"Registration received while it is not allowed, hack attempt?")
+                return exceptions.PermissionError(u"Registration is not allowed on this server")
             return self._registerNewAccount(request)
         elif submit_type == 'login':
             d = self.asyncBridgeCall("getNewAccountDomain")
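Review bot: The refusal path on the added line `return exceptions.PermissionError(...)` returns an exception instance instead of raising it or returning a response constant, unlike the `return C.BAD_REQUEST` just above it. The enclosing handler starts outside the hunk, so its return contract is not visible here, but if callers expect a response value the client would likely see a server error rather than a clean refusal. Registration is still blocked, because the check runs before `_registerNewAccount`. Consider returning a value the browser code already handles, for example `return C.PROFILE_AUTH_ERROR` as the login path in this commit does, or a dedicated refusal constant.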
@@ -996,6 +999,11 @@
             profile = self.sat_host.bridge.getProfileName(login)
         except Exception:  # XXX: ProfileUnknownError wouldn't work, it's encapsulated
             if login_jid is not None and login_jid.user:  # try to create a new sat profile using the XMPP credentials
+                if not self.sat_host.options["allow_registration"]:
+                    log.warning(u"Trying to register JID account while registration is not allowed")
+                    request.write(C.PROFILE_AUTH_ERROR)
+                    request.finish()
+                    return
                 profile = login # FIXME: what if there is a resource?
                 connect_method = "asyncConnectWithXMPPCredentials"
                 register_with_ext_jid = True
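Review bot: The warning added in the profile-creation branch records neither the login nor the client, so a refused attempt cannot be correlated with other events. The warning in the `register` branch earlier in this diff has the same gap. Something like `log.warning(u"Refused profile creation for %r: registration is not allowed" % login)` would help, with `%r` keeping control characters from the user-supplied login out of the log line. The function body starts and continues outside the hunk, so whether a client address is available at this point is not visible.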
@@ -1140,6 +1148,8 @@
             "plugged" (bool): True if a profile is already plugged
             "warning" (unicode): a security warning message if plugged is False and if it make sense
                 this key may not be present
+            "allow_registration" (bool): True if registration is allowed
+                this key is only present if profile is unplugged
         @return: a couple (registered, message) with:
         - registered:
         - message:
@@ -1152,6 +1162,7 @@
         else:
             metadata["plugged"] = False
             metadata["warning"] = self._getSecurityWarning()
+            metadata["allow_registration"] = self.sat_host.options["allow_registration"]
         return metadata
 
     def jsonrpc_registerParams(self):
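Review bot: The `allow_registration` value added to the metadata is only a hint for the browser, and a short comment would keep later readers from treating it as the access control: `# UI hint only; registration is enforced server-side in the register and login paths`. The lookup `self.sat_host.options["allow_registration"]` now appears three times in this file, so a small accessor would keep the three checks from drifting apart. The method begins outside the hunk.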