Disable admin user creation when email login is disabled.

Right now, we only support creating users with email and password, so it doesn't make sense to allow this operation when that login method is disabled. Signed-off-by: David Calavera <david.calavera@gmail.com>
netlify · Feb 9, 2018 · 62c633f · 62c633f
1 parent 38da7cf
commit 62c633f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/api/admin_test.go b/api/admin_test.go
@@ -44,6 +44,7 @@ func TestAdmin(t *testing.T) {
 
 func (ts *AdminTestSuite) SetupTest() {
 	models.TruncateAll(ts.API.db)
+	ts.Config.External.Email.Enabled = true
 	ts.token = ts.makeSuperAdmin("test@example.com")
 }
 
@@ -429,3 +430,22 @@ func (ts *AdminTestSuite) TestAdminUserCreateWithManagementToken() {
 	assert.NotNil(ts.T(), data.ID)
 	assert.Equal(ts.T(), "test2@example.com", data.Email)
 }
+
+func (ts *AdminTestSuite) TestAdminUserCreateWithDisabledEmailLogin() {
+	var buffer bytes.Buffer
+	require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
+		"email":    "test1@example.com",
+		"password": "test1",
+	}))
+
+	// Setup request
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodPost, "/admin/users", &buffer)
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
+
+	ts.Config.External.Email.Enabled = false
+
+	ts.API.handler.ServeHTTP(w, req)
+	require.Equal(ts.T(), http.StatusBadRequest, w.Code)
+}
diff --git a/api/api.go b/api/api.go
@@ -90,8 +90,8 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 
 		r.With(api.requireEmailProvider).Post("/signup", api.Signup)
 		r.With(api.requireEmailProvider).Post("/recover", api.Recover)
-		r.With(api.requireEmailProvider).Post("/verify", api.Verify)
 		r.With(api.requireEmailProvider).Post("/token", api.Token)
+		r.Post("/verify", api.Verify)
 
 		r.With(api.requireAuthentication).Post("/logout", api.Logout)
 
@@ -110,7 +110,7 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 
 			r.Route("/users", func(r *router) {
 				r.Get("/", api.adminUsers)
-				r.Post("/", api.adminUserCreate)
+				r.With(api.requireEmailProvider).Post("/", api.adminUserCreate)
 
 				r.Route("/{user_id}", func(r *router) {
 					r.Use(api.loadUser)