From f35d7bbc3acfaf947dab01093ae02782b3ee6055 Mon Sep 17 00:00:00 2001
From: Eric Musyoka
Date: Thu, 29 Aug 2024 14:06:08 +0300
Subject: [PATCH] Add config to disable user creation
---
 .../tests/viewsets/test_user_profile_viewset.py | 15 +++++++++++++++
 onadata/apps/api/viewsets/user_profile_viewset.py | 8 +++++++-
 onadata/settings/common.py | 3 +++
 onadata/settings/github_actions_test.py | 3 +++
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/onadata/apps/api/tests/viewsets/test_user_profile_viewset.py b/onadata/apps/api/tests/viewsets/test_user_profile_viewset.py
index cdcef75cd1..df58448d8f 100644
--- a/onadata/apps/api/tests/viewsets/test_user_profile_viewset.py
+++ b/onadata/apps/api/tests/viewsets/test_user_profile_viewset.py
@@ -290,6 +290,21 @@ def test_profile_create(self, mock_send_verification_email):
 self.assertTrue(user.is_active)
 self.assertTrue(user.check_password(password), password)
+ @override_settings(DISABLE_CREATING_USERS=True)
+ def test_block_profile_create(self):
+ data = _profile_data()
+ request = self.factory.post(
+ "/api/v1/profiles",
+ data=json.dumps(data),
+ content_type="application/json",
+ **self.extra,
+ )
+ response = self.view(request)
+ self.assertEqual(
+ str(response.data["detail"]),
+ "You do not have permission to create user.")
+ self.assertEqual(response.status_code, 403)
+
 def _create_user_using_profiles_endpoint(self, data):
 request = self.factory.post(
 "/api/v1/profiles",
diff --git a/onadata/apps/api/viewsets/user_profile_viewset.py b/onadata/apps/api/viewsets/user_profile_viewset.py
index 80aeae83b8..d8a31cf2df 100644
--- a/onadata/apps/api/viewsets/user_profile_viewset.py
+++ b/onadata/apps/api/viewsets/user_profile_viewset.py
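Review bot: In `test_block_profile_create` the detail-message assertion runs before the status assertion, so if the guard regresses and the view returns a success payload, `response.data["detail"]` will most likely fail with a KeyError instead of a readable assertion. Put `self.assertEqual(response.status_code, 403)` first and compare the detail text after it. The request is also sent with `**self.extra`, so only the authenticated case is pinned; a second request without those headers would confirm the switch also holds for unauthenticated sign-up, which is presumably the path the setting is meant to close.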
@@ -20,7 +20,7 @@
 from registration.models import RegistrationProfile
 from rest_framework import serializers, status
 from rest_framework.decorators import action
-from rest_framework.exceptions import ParseError
+from rest_framework.exceptions import ParseError, PermissionDenied
 from rest_framework.filters import OrderingFilter
 from rest_framework.generics import get_object_or_404
 from rest_framework.response import Response
@@ -224,6 +224,12 @@ def retrieve(self, request, *args, **kwargs):
 def create(self, request, *args, **kwargs):
 """Create and cache user profile"""
+ disable_user_creation = getattr(settings, "DISABLE_CREATING_USERS", False)
+ if disable_user_creation:
+ raise PermissionDenied(
+ _("You do not have permission to create user.")
+ )
+
 response = super().create(request, *args, **kwargs)
 profile = response.data
 user_name = profile.get("username")
diff --git a/onadata/settings/common.py b/onadata/settings/common.py
index dc7686e711..9e1ab922ce 100644
--- a/onadata/settings/common.py
+++ b/onadata/settings/common.py
@@ -185,6 +185,9 @@
 # needed by guardian
 ANONYMOUS_DEFAULT_USERNAME = "AnonymousUser"
+# disable creating users
+DISABLE_CREATING_USERS = False
+
 INSTALLED_APPS = (
 "django.contrib.contenttypes",
 "django.contrib.auth",
diff --git a/onadata/settings/github_actions_test.py b/onadata/settings/github_actions_test.py
index 68d2dd503f..2b166f1dd1 100644
--- a/onadata/settings/github_actions_test.py
+++ b/onadata/settings/github_actions_test.py
@@ -69,3 +69,6 @@
 ODK_TOKEN_FERNET_KEY = "ROsB4T8s1rCJskAdgpTQEKfH2x2K_EX_YBi3UFyoYng=" # nosec
 OPENID_CONNECT_PROVIDERS = {}
 AUTH_PASSWORD_VALIDATORS = []
+
+# disable user creation
+DISABLE_CREATING_USERS = False
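Review bot: The guard added at the top of `create` is the only enforcement point for `DISABLE_CREATING_USERS` in this patch, so the setting closes `POST /api/v1/profiles` and nothing else. Whether other account-creation paths exist (registration views, SSO provisioning, admin flows) is not visible here and should be checked before operators treat the flag as a global lock. The docstring should state the new behaviour, e.g. `"""Create and cache user profile; raises PermissionDenied (403) when settings.DISABLE_CREATING_USERS is true."""`. The check also applies to every caller regardless of role, while the message reads like a per-user permission failure; if staff are meant to keep provisioning accounts that needs an explicit exemption, otherwise wording such as `_("User creation is disabled.")` describes the situation more accurately (the test string would change with it). `create` continues past the end of the hunk.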
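Review bot: The comment `# disable creating users` in common.py only restates the setting name and does not tell an operator what enabling it does or what it leaves untouched. Suggest `# When True, UserProfileViewSet.create rejects profile creation with 403. Default False keeps sign-up open.` The copy added to github_actions_test.py sets the same default value and would read better with the same comment.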