editMode honors :AllowSignup boolean #2838 #2939

Redirect to 403 (unauthorized) if you try to hack the URL. Also, only show "user.signup.tip" when you are really about to create.
IQSS · Mar 1, 2016 · f328110 · f328110
1 parent aa5391a
commit f328110
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUserPage.java b/src/main/java/edu/harvard/iq/dataverse/authorization/providers/builtin/BuiltinUserPage.java
@@ -17,6 +17,7 @@
 import edu.harvard.iq.dataverse.DvObject;
 import edu.harvard.iq.dataverse.PermissionServiceBean;
 import edu.harvard.iq.dataverse.RoleAssignment;
+import edu.harvard.iq.dataverse.SettingsWrapper;
 import edu.harvard.iq.dataverse.UserNotification;
 import static edu.harvard.iq.dataverse.UserNotification.Type.CREATEDV;
 import edu.harvard.iq.dataverse.UserNotificationServiceBean;
@@ -27,6 +28,8 @@
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.mydata.MyDataPage;
 import edu.harvard.iq.dataverse.passwordreset.PasswordValidator;
+import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
+import edu.harvard.iq.dataverse.util.BundleUtil;
 import edu.harvard.iq.dataverse.util.JsfHelper;
 import static edu.harvard.iq.dataverse.util.JsfHelper.JH;
 import java.io.UnsupportedEncodingException;
@@ -87,6 +90,8 @@ public enum EditMode {
     @EJB
     GroupServiceBean groupService;
     @Inject
+    SettingsWrapper settingsWrapper;
+    @Inject
     MyDataPage mydatapage;
 
     @EJB
@@ -134,10 +139,6 @@ public EditMode getEditMode() {
 
     public void setEditMode(EditMode editMode) {
         this.editMode = editMode;
-
-        if (editMode == EditMode.CREATE) {
-            JH.addMessage(FacesMessage.SEVERITY_INFO, JH.localize("user.signup.tip"));
-        }
     }
 
     public String getRedirectPage() {
@@ -211,8 +212,19 @@ public void setUsernameField(UIInput usernameField) {
     }
 
     public String init() {
+
+        // prevent creating a user if signup not allowed.
+        boolean safeDefaultIfKeyNotFound = true;
+        boolean signupAllowed = settingsWrapper.isTrueForKey(SettingsServiceBean.Key.AllowSignUp.toString(), safeDefaultIfKeyNotFound);
+        logger.fine("signup is allowed: " + signupAllowed);
+
+        if (editMode == EditMode.CREATE && !signupAllowed) {
+            return "/403.xhtml";
+        }
+
         if (editMode == EditMode.CREATE) {
             if (!session.getUser().isAuthenticated()) { // in create mode for new user
+                JH.addMessage(FacesMessage.SEVERITY_INFO, BundleUtil.getStringFromBundle("user.signup.tip"));
                 builtinUser = new BuiltinUser();
                 return "";
             } else {