Prevent account creation via OAuth when registration is closed

2020-04-20 15:26:53 -04:00 · 2020-04-20 15:26:53 -04:00 · 93c2773412
parent 1c5a0099b6
commit 93c2773412
1 changed files with 9 additions and 1 deletions
--- a/oauth.go
+++ b/oauth.go
@ -240,7 +240,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}

-	// Now that we have the access token, let's use it real quick to make sur
+	// Now that we have the access token, let's use it real quick to make sure
 	// it really really works.
 	tokenInfo, err := h.oauthClient.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
 	if err != nil {
@ -262,6 +262,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 	}

 	if localUserID != -1 {
+		// Existing user, so log in now
 		user, err := h.DB.GetUserByID(localUserID)
 		if err != nil {
 			log.Error("Unable to GetUserByID %d: %s", localUserID, err)
@ -282,6 +283,13 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return impart.HTTPError{http.StatusFound, "/me/settings"}
 	}

+	// New user registration below.
+	// First, verify that user is allowed to register
+	if !app.cfg.App.OpenRegistration {
+		addSessionFlash(app, w, r, ErrUserNotFound.Error(), nil)
+		return impart.HTTPError{http.StatusFound, "/login"}
+	}
+
 	displayName := tokenInfo.DisplayName
 	if len(displayName) == 0 {
 		displayName = tokenInfo.Username