allow SAREGISTER even when normal registration is fully disabled

docs/MANUAL.md

 
 This mode is comparable to Slack, Mattermost, or similar products intended as internal chat servers for an organization or team. In this mode, clients cannot connect to the server unless they log in with SASL as part of the initial handshake. This allows Oragono to be deployed facing the public Internet, with fine-grained control over who can log in.
 
-In this mode, clients must have a valid account to connect, so they cannot register their own accounts. Accordingly, an operator must do the initial account creation, using the `SAREGISTER` command of NickServ. (For more details, `/msg nickserv help saregister`.) To bootstrap this process, the SASL requirement can be disabled initially so that a first account can be created. Alternately, connections from localhost are exempt (by default) from the SASL requirement.
+In this mode, clients must have a valid account to connect, so they cannot register their own accounts. Accordingly, an operator must do the initial account creation, using the `SAREGISTER` command of NickServ. (For more details, `/msg nickserv help saregister`.) To bootstrap this process, the SASL requirement can be disabled initially so that a first account can be created. Alternately, connections from localhost are exempt (by default) from the SASL requirement. You can also exempt your internal network, e.g., `10.0.0.0/8`.
 
 To enable this mode, set the following configs:
 
-* `accounts.registration.enabled = true`
+* `accounts.registration.enabled = false`
 * `accounts.authentication-enabled = true`
 * `accounts.require-sasl.enabled = true`
 * `accounts.nick-reservation.enabled = true`

irc/accounts.go

 	}
 
 	config := am.server.AccountConfig()
+
+	// final "is registration allowed" check, probably redundant:
+	if !(config.Registration.Enabled || callbackNamespace == "admin") {
+		return errFeatureDisabled
+	}
+
 	// if nick reservation is enabled, you can only register your current nickname
 	// as an account; this prevents "land-grab" situations where someone else
 	// registers your nick out from under you and then NS GHOSTs you

irc/errors.go

 	errSaslFail                       = errors.New("SASL failed")
 	errResumeTokenAlreadySet          = errors.New("Client was already assigned a resume token")
 	errInvalidUsername                = errors.New("Invalid username")
-	errFeatureDisabled                = errors.New("That feature is disabled")
+	errFeatureDisabled                = errors.New(`That feature is disabled`)
 	errInvalidParams                  = errors.New("Invalid parameters")
 )
 

irc/handlers.go

 	case errAccountAlreadyRegistered, errAccountAlreadyVerified:
 		message = err.Error()
 		numeric = ERR_ACCOUNT_ALREADY_EXISTS
-	case errAccountCreation, errAccountMustHoldNick, errAccountBadPassphrase, errCertfpAlreadyExists:
+	case errAccountCreation, errAccountMustHoldNick, errAccountBadPassphrase, errCertfpAlreadyExists, errFeatureDisabled:
 		message = err.Error()
 	}
 	return

irc/nickserv.go

 	return config.Accounts.AuthenticationEnabled
 }
 
-func nsGroupEnabled(config *Config) bool {
+func servCmdRequiresNickRes(config *Config) bool {
 	return config.Accounts.AuthenticationEnabled && config.Accounts.NickReservation.Enabled
 }
 
 func nsEnforceEnabled(config *Config) bool {
-	return config.Accounts.NickReservation.Enabled && config.Accounts.NickReservation.AllowCustomEnforcement
+	return servCmdRequiresNickRes(config) && config.Accounts.NickReservation.AllowCustomEnforcement
 }
 
 const nickservHelp = `NickServ lets you register and login to an account.
 
 DROP de-links the given (or your current) nickname from your user account.`,
 			helpShort:    `$bDROP$b de-links your current (or the given) nickname from your user account.`,
-			enabled:      servCmdRequiresAccreg,
+			enabled:      servCmdRequiresNickRes,
 			authRequired: true,
 		},
 		"enforce": {
 GROUP links your current nickname with your logged-in account, preventing other
 users from changing to it (or forcing them to rename).`,
 			helpShort:    `$bGROUP$b links your current nickname to your user account.`,
-			enabled:      nsGroupEnabled,
+			enabled:      servCmdRequiresNickRes,
 			authRequired: true,
 		},
 		"identify": {
 SADROP forcibly de-links the given nickname from the attached user account.`,
 			helpShort: `$bSADROP$b forcibly de-links the given nickname from its user account.`,
 			capabs:    []string{"accreg"},
-			enabled:   servCmdRequiresAccreg,
+			enabled:   servCmdRequiresNickRes,
 			minParams: 1,
 		},
 		"saregister": {
 This is for use in configurations that require SASL for all connections;
 an administrator can set use this command to set up user accounts.`,
 			helpShort: `$bSAREGISTER$b registers an account on someone else's behalf.`,
-			enabled:   servCmdRequiresAccreg,
+			enabled:   servCmdRequiresAuthEnabled,
 			capabs:    []string{"accreg"},
 			minParams: 2,
 		},
 unregistrations, a verification code is required; invoking the command without
 a code will display the necessary code.`,
 			helpShort: `$bUNREGISTER$b lets you delete your user account.`,
-			enabled:   servCmdRequiresAccreg,
+			enabled:   servCmdRequiresAuthEnabled,
 			minParams: 1,
 		},
 		"verify": {