check if signups are allowed during SignUpPost
Previously you could hide the sign up page with the following
configs:

```
[service]
SHOW_REGISTRATION_BUTTON          = false
```

This would remove the sign up button from the navbar, but the user
could still access the page with a direct link. During the http post
action, the go action checked if the key `SHOW_REGISTRATION_BUTTON` was
set to true. If not, the user received a 403.

You can use this scenario for a semi-hidden sign up page that is only
accessible through a direct link.

I've changed the check in this PR to check if the sign up is allowed
or not. The user can access the sign up page (if it's enabled) and
sign up even if the value of `SHOW_REGISTRATION_BUTTON` is `false`, the
user can sign up.

Another solution could be:
- unify `SHOW_REGISTRATION_BUTTON` with `DISABLE_REGISTRATION` to
only show the registration page if it's enabled, but that would
disallow the mentioned scenario

fixes: go-gitea#5183
Signed-off-by: Roman <romaaan.git@gmail.com>
r-52 committed Nov 30, 2018
1 parent f80b4f4 commit b33f71b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion routers/user/auth.go
Expand Up @@ -923,7 +923,7 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

//Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
if !setting.Service.ShowRegistrationButton {
if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration {
ctx.Error(403)
return
}
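
Review bot: the new condition in SignUpPost has no accompanying test (the commit changes only routers/user/auth.go), yet it is an access-control check whose previous form keyed on the UI flag ShowRegistrationButton rather than on whether registration is allowed. Suggest a test that POSTs the registration form with DisableRegistration set to true and expects a 403 regardless of ShowRegistrationButton, a second with AllowOnlyExternalRegistration set to true, and a third confirming that ShowRegistrationButton = false with registration enabled is accepted, since the commit message names that as the intended scenario. As a style point, the comment above the condition should have a space after `//`.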