Block OAuth account creation when disabled in config (#5506)

2 files changed, 38 insertions, 0 deletions

diff --git a/app/user.go b/app/user.go
index a0cb2a49f..9f428089b 100644
--- a/app/user.go
+++ b/app/user.go
@@ -218,6 +218,10 @@ func createUser(user *model.User) (*model.User, *model.AppError) {
 }
 
 func CreateOAuthUser(service string, userData io.Reader, teamId string) (*model.User, *model.AppError) {
+	if !utils.Cfg.TeamSettings.EnableUserCreation {
+		return nil, model.NewAppError("CreateOAuthUser", "api.user.create_user.disabled.app_error", nil, "", http.StatusNotImplemented)
+	}
+
 	var user *model.User
 	provider := einterfaces.GetOauthProvider(service)
 	if provider == nil {
diff --git a/app/user_test.go b/app/user_test.go
index 5b994d219..0dba86241 100644
--- a/app/user_test.go
+++ b/app/user_test.go
@@ -4,7 +4,12 @@
 package app
 
 import (
+	"strings"
 	"testing"
+
+	"github.com/mattermost/platform/model"
+	"github.com/mattermost/platform/model/gitlab"
+	"github.com/mattermost/platform/utils"
 )
 
 func TestIsUsernameTaken(t *testing.T) {
@@ -51,3 +56,32 @@ func TestCheckUserDomain(t *testing.T) {
 		}
 	}
 }
+
+func TestCreateOAuthUser(t *testing.T) {
+	th := Setup().InitBasic()
+	glUser := oauthgitlab.GitLabUser{Id: 1000, Username: model.NewId(), Email: model.NewId() + "@simulator.amazonses.com", Name: "Joram Wilander"}
+
+	json := glUser.ToJson()
+	user, err := CreateOAuthUser(model.USER_AUTH_SERVICE_GITLAB, strings.NewReader(json), th.BasicTeam.Id)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if user.Username != glUser.Username {
+		t.Fatal("usernames didn't match")
+	}
+
+	PermanentDeleteUser(user)
+
+	userCreation := utils.Cfg.TeamSettings.EnableUserCreation
+	defer func() {
+		utils.Cfg.TeamSettings.EnableUserCreation = userCreation
+	}()
+	utils.Cfg.TeamSettings.EnableUserCreation = false
+
+	_, err = CreateOAuthUser(model.USER_AUTH_SERVICE_GITLAB, strings.NewReader(json), th.BasicTeam.Id)
+	if err == nil {
+		t.Fatal("should have failed - user creation disabled")
+	}
+
+}