Add SIGNUPS_DISABLED config flag

5 files changed, 124 insertions, 4 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b4d296cee..f7703fea4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
         - Extra fields can be added to report form site-wide. #1743
         - Body users can filter reports by all states. #1790
         - `LOGIN_REQUIRED` config key to limit site access to logged-in users.
+        - `SIGNUPS_DISABLED` config key to prevent new user registrations.
     - Front end improvements:
         - Always show pagination figures even if only one page. #1787
         - Report pages list every update to a report. #1806
diff --git a/conf/general.yml-example b/conf/general.yml-example
index 70bfd48d2..345a6426d 100644
--- a/conf/general.yml-example
+++ b/conf/general.yml-example
@@ -207,3 +207,7 @@ MESSAGE_MANAGER_URL: ''
 
 # If you want to hide all pages from non-logged-in users, set this to 1.
 LOGIN_REQUIRED: 0
+
+# If you want to stop new users from registering, set this to 1.
+# NB: This also disables all Facebook/Twitter logins.
+SIGNUPS_DISABLED: 0
diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index 83fb0554c..825066026 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -128,6 +128,18 @@ sub email_sign_in : Private {
         return;
     }
 
+    # If user registration is disabled then bail out at this point
+    # if there's not already a user with this email address.
+    # NB this uses the same template as a successful sign in to stop
+    # enumeration of valid email addresses.
+    if ( FixMyStreet->config('SIGNUPS_DISABLED')
+         && !$c->model('DB::User')->search({ email => $good_email })->count
+         && !$c->stash->{current_user} # don't break the change email flow
+    ) {
+        $c->stash->{template} = 'auth/token.html';
+        return;
+    }
+
     my $user_params = {};
     $user_params->{password} = $c->get_param('password_register')
         if $c->get_param('password_register');
@@ -199,6 +211,10 @@ sub token : Path('/M') : Args(1) {
 
     my $user = $c->model('DB::User')->find_or_new({ email => $data->{email} });
 
+    # Bail out if this is a new user and SIGNUPS_DISABLED is set
+    $c->detach( '/page_error_403_access_denied', [] )
+        if FixMyStreet->config('SIGNUPS_DISABLED') && !$user->in_storage && !$data->{old_email};
+
     if ($data->{old_email}) {
         # Were logged in as old_email, want to switch to email ($user)
         if ($user->in_storage) {
@@ -244,6 +260,8 @@ sub fb : Private {
 sub facebook_sign_in : Private {
     my ( $self, $c ) = @_;
 
+    $c->detach( '/page_error_403_access_denied', [] ) if FixMyStreet->config('SIGNUPS_DISABLED');
+
     my $fb = $c->forward('/auth/fb');
     my $url = $fb->get_authorization_url(scope => ['email']);
 
@@ -302,6 +320,8 @@ sub tw : Private {
 sub twitter_sign_in : Private {
     my ( $self, $c ) = @_;
 
+    $c->detach( '/page_error_403_access_denied', [] ) if FixMyStreet->config('SIGNUPS_DISABLED');
+
     my $twitter = $c->forward('/auth/tw');
     my $url = $twitter->get_authentication_url(callback => $c->uri_for('/auth/Twitter'));
 
diff --git a/t/app/controller/auth.t b/t/app/controller/auth.t
index 388216a1f..cb7d16969 100644
--- a/t/app/controller/auth.t
+++ b/t/app/controller/auth.t
@@ -5,6 +5,7 @@ my $mech = FixMyStreet::TestMech->new;
 
 my $test_email    = 'test@example.com';
 my $test_email2   = 'test@example.net';
+my $test_email3   = 'newuser@example.org';
 my $test_password = 'foobar';
 
 END {
@@ -279,6 +280,94 @@ subtest "sign in but have email form autofilled" => sub {
     is $mech->uri->path, '/my', "redirected to correct page";
 };
 
+$mech->log_out_ok;
 
-# more test:
-# TODO: test that email are always lowercased
+subtest "sign in with uppercase email" => sub {
+    $mech->get_ok('/auth');
+    my $uc_test_email = uc $test_email;
+    $mech->submit_form_ok(
+        {
+            form_name => 'general_auth',
+            fields    => {
+                email    => $uc_test_email,
+                password_sign_in => $test_password,
+            },
+            button => 'sign_in',
+        },
+        "sign in with '$uc_test_email' and auto-completed name"
+    );
+    is $mech->uri->path, '/my', "redirected to correct page";
+
+    $mech->content_contains($test_email);
+    $mech->content_lacks($uc_test_email);
+
+    my $count = FixMyStreet::App->model('DB::User')->search( { email => $uc_test_email } )->count;
+    is $count, 0, "uppercase user wasn't created";
+};
+
+
+FixMyStreet::override_config {
+    SIGNUPS_DISABLED => 1,
+}, sub {
+    subtest 'signing in with an unknown email address disallowed' => sub {
+        $mech->log_out_ok;
+        # create a new account
+        $mech->clear_emails_ok;
+        $mech->get_ok('/auth');
+        $mech->submit_form_ok(
+            {
+                form_name => 'general_auth',
+                fields    => { email => $test_email3, },
+                button    => 'email_sign_in',
+            },
+            "create a new account"
+        );
+
+        ok $mech->email_count_is(0);
+
+        my $count = FixMyStreet::App->model('DB::User')->search( { email => $test_email3 } )->count;
+        is $count, 0, "no user exists";
+    };
+
+    subtest 'signing in as known email address with new password is allowed' => sub {
+        my $new_password = "myshinynewpassword";
+
+        $mech->clear_emails_ok;
+        $mech->get_ok('/auth');
+        $mech->submit_form_ok(
+            {
+                form_name => 'general_auth',
+                fields    => {
+                    email             => "$test_email",
+                    password_register => $new_password,
+                    r                 => 'faq', # Just as a test
+                },
+                button    => 'email_sign_in',
+            },
+            "email_sign_in with '$test_email'"
+        );
+
+        $mech->not_logged_in_ok;
+
+        ok $mech->email_count_is(1);
+        my $link = $mech->get_link_from_email;
+        $mech->get_ok($link);
+        is $mech->uri->path, '/faq', "redirected to the Help page";
+
+        $mech->log_out_ok;
+
+        $mech->get_ok('/auth');
+        $mech->submit_form_ok(
+            {
+                form_name => 'general_auth',
+                fields    => {
+                    email    => $test_email,
+                    password_sign_in => $new_password,
+                },
+                button => 'sign_in',
+            },
+            "sign in with '$test_email' and new password"
+        );
+        is $mech->uri->path, '/my', "redirected to correct page";
+    };
+};
diff --git a/templates/web/base/auth/token.html b/templates/web/base/auth/token.html
index a4dedcec3..9a79a5e67 100644
--- a/templates/web/base/auth/token.html
+++ b/templates/web/base/auth/token.html
@@ -14,8 +14,14 @@
 
   <div class="confirmation-header confirmation-header--inbox">
 
-    <h1>[% loc("Nearly done! Now check your email&hellip;") %]</h1>
-    <p>[% loc("Click the link in our confirmation email to sign in.") %]</p>
+    [% IF c.config.SIGNUPS_DISABLED %]
+        <h1>[% loc("Nearly done!") %]</h1>
+        <p>[% loc("If there's a user associated with the address you entered, we've sent a confirmation email.") %]</p>
+        <p>[% loc("Click the link in that email to sign in.") %]</p>
+    [% ELSE %]
+        <h1>[% loc("Nearly done! Now check your email&hellip;") %]</h1>
+        <p>[% loc("Click the link in our confirmation email to sign in.") %]</p>
+    [% END %]
 
     <p>
         [% loc("Can&rsquo;t find our email? Check your spam folder&nbsp;&ndash; that&rsquo;s the solution 99% of the time.") %]