Browse Source

allow SAREGISTER even when normal registration is fully disabled

tags/v1.0.0-rc1
Shivaram Lingamneni 5 years ago
parent
commit
d147708158
5 changed files with 17 additions and 11 deletions
  1. 2
    2
      docs/MANUAL.md
  2. 6
    0
      irc/accounts.go
  3. 1
    1
      irc/errors.go
  4. 1
    1
      irc/handlers.go
  5. 7
    7
      irc/nickserv.go

+ 2
- 2
docs/MANUAL.md View File

@@ -179,11 +179,11 @@ The following additional configs are recommended:
179 179
 
180 180
 This mode is comparable to Slack, Mattermost, or similar products intended as internal chat servers for an organization or team. In this mode, clients cannot connect to the server unless they log in with SASL as part of the initial handshake. This allows Oragono to be deployed facing the public Internet, with fine-grained control over who can log in.
181 181
 
182
-In this mode, clients must have a valid account to connect, so they cannot register their own accounts. Accordingly, an operator must do the initial account creation, using the `SAREGISTER` command of NickServ. (For more details, `/msg nickserv help saregister`.) To bootstrap this process, the SASL requirement can be disabled initially so that a first account can be created. Alternately, connections from localhost are exempt (by default) from the SASL requirement.
182
+In this mode, clients must have a valid account to connect, so they cannot register their own accounts. Accordingly, an operator must do the initial account creation, using the `SAREGISTER` command of NickServ. (For more details, `/msg nickserv help saregister`.) To bootstrap this process, the SASL requirement can be disabled initially so that a first account can be created. Alternately, connections from localhost are exempt (by default) from the SASL requirement. You can also exempt your internal network, e.g., `10.0.0.0/8`.
183 183
 
184 184
 To enable this mode, set the following configs:
185 185
 
186
-* `accounts.registration.enabled = true`
186
+* `accounts.registration.enabled = false`
187 187
 * `accounts.authentication-enabled = true`
188 188
 * `accounts.require-sasl.enabled = true`
189 189
 * `accounts.nick-reservation.enabled = true`

+ 6
- 0
irc/accounts.go View File

@@ -307,6 +307,12 @@ func (am *AccountManager) Register(client *Client, account string, callbackNames
307 307
 	}
308 308
 
309 309
 	config := am.server.AccountConfig()
310
+
311
+	// final "is registration allowed" check, probably redundant:
312
+	if !(config.Registration.Enabled || callbackNamespace == "admin") {
313
+		return errFeatureDisabled
314
+	}
315
+
310 316
 	// if nick reservation is enabled, you can only register your current nickname
311 317
 	// as an account; this prevents "land-grab" situations where someone else
312 318
 	// registers your nick out from under you and then NS GHOSTs you

+ 1
- 1
irc/errors.go View File

@@ -41,7 +41,7 @@ var (
41 41
 	errSaslFail                       = errors.New("SASL failed")
42 42
 	errResumeTokenAlreadySet          = errors.New("Client was already assigned a resume token")
43 43
 	errInvalidUsername                = errors.New("Invalid username")
44
-	errFeatureDisabled                = errors.New("That feature is disabled")
44
+	errFeatureDisabled                = errors.New(`That feature is disabled`)
45 45
 	errInvalidParams                  = errors.New("Invalid parameters")
46 46
 )
47 47
 

+ 1
- 1
irc/handlers.go View File

@@ -183,7 +183,7 @@ func registrationErrorToMessageAndCode(err error) (message, numeric string) {
183 183
 	case errAccountAlreadyRegistered, errAccountAlreadyVerified:
184 184
 		message = err.Error()
185 185
 		numeric = ERR_ACCOUNT_ALREADY_EXISTS
186
-	case errAccountCreation, errAccountMustHoldNick, errAccountBadPassphrase, errCertfpAlreadyExists:
186
+	case errAccountCreation, errAccountMustHoldNick, errAccountBadPassphrase, errCertfpAlreadyExists, errFeatureDisabled:
187 187
 		message = err.Error()
188 188
 	}
189 189
 	return

+ 7
- 7
irc/nickserv.go View File

@@ -18,12 +18,12 @@ func servCmdRequiresAuthEnabled(config *Config) bool {
18 18
 	return config.Accounts.AuthenticationEnabled
19 19
 }
20 20
 
21
-func nsGroupEnabled(config *Config) bool {
21
+func servCmdRequiresNickRes(config *Config) bool {
22 22
 	return config.Accounts.AuthenticationEnabled && config.Accounts.NickReservation.Enabled
23 23
 }
24 24
 
25 25
 func nsEnforceEnabled(config *Config) bool {
26
-	return config.Accounts.NickReservation.Enabled && config.Accounts.NickReservation.AllowCustomEnforcement
26
+	return servCmdRequiresNickRes(config) && config.Accounts.NickReservation.AllowCustomEnforcement
27 27
 }
28 28
 
29 29
 const nickservHelp = `NickServ lets you register and login to an account.
@@ -42,7 +42,7 @@ var (
42 42
 
43 43
 DROP de-links the given (or your current) nickname from your user account.`,
44 44
 			helpShort:    `$bDROP$b de-links your current (or the given) nickname from your user account.`,
45
-			enabled:      servCmdRequiresAccreg,
45
+			enabled:      servCmdRequiresNickRes,
46 46
 			authRequired: true,
47 47
 		},
48 48
 		"enforce": {
@@ -78,7 +78,7 @@ same user account, letting you reclaim your nickname.`,
78 78
 GROUP links your current nickname with your logged-in account, preventing other
79 79
 users from changing to it (or forcing them to rename).`,
80 80
 			helpShort:    `$bGROUP$b links your current nickname to your user account.`,
81
-			enabled:      nsGroupEnabled,
81
+			enabled:      servCmdRequiresNickRes,
82 82
 			authRequired: true,
83 83
 		},
84 84
 		"identify": {
@@ -119,7 +119,7 @@ certificate (and you will need to use that certificate to login in future).`,
119 119
 SADROP forcibly de-links the given nickname from the attached user account.`,
120 120
 			helpShort: `$bSADROP$b forcibly de-links the given nickname from its user account.`,
121 121
 			capabs:    []string{"accreg"},
122
-			enabled:   servCmdRequiresAccreg,
122
+			enabled:   servCmdRequiresNickRes,
123 123
 			minParams: 1,
124 124
 		},
125 125
 		"saregister": {
@@ -130,7 +130,7 @@ SAREGISTER registers an account on someone else's behalf.
130 130
 This is for use in configurations that require SASL for all connections;
131 131
 an administrator can set use this command to set up user accounts.`,
132 132
 			helpShort: `$bSAREGISTER$b registers an account on someone else's behalf.`,
133
-			enabled:   servCmdRequiresAccreg,
133
+			enabled:   servCmdRequiresAuthEnabled,
134 134
 			capabs:    []string{"accreg"},
135 135
 			minParams: 2,
136 136
 		},
@@ -143,7 +143,7 @@ IRC operator with the correct permissions). To prevent accidental
143 143
 unregistrations, a verification code is required; invoking the command without
144 144
 a code will display the necessary code.`,
145 145
 			helpShort: `$bUNREGISTER$b lets you delete your user account.`,
146
-			enabled:   servCmdRequiresAccreg,
146
+			enabled:   servCmdRequiresAuthEnabled,
147 147
 			minParams: 1,
148 148
 		},
149 149
 		"verify": {

Loading…
Cancel
Save