Allow admins to require a manual approval process before new accounts can be used (using MSC3866) (#13556)
parent
8625ad8099
commit
be76cd8200
21 changed files with 731 additions and 34 deletions
|
@ -21,10 +21,15 @@ from twisted.web.server import Request
|
|||
import synapse
|
||||
import synapse.api.auth
|
||||
import synapse.types
|
||||
from synapse.api.constants import APP_SERVICE_REGISTRATION_TYPE, LoginType
|
||||
from synapse.api.constants import (
|
||||
APP_SERVICE_REGISTRATION_TYPE,
|
||||
ApprovalNoticeMedium,
|
||||
LoginType,
|
||||
)
|
||||
from synapse.api.errors import (
|
||||
Codes,
|
||||
InteractiveAuthIncompleteError,
|
||||
NotApprovedError,
|
||||
SynapseError,
|
||||
ThreepidValidationError,
|
||||
UnrecognizedRequestError,
|
||||
|
@ -414,6 +419,11 @@ class RegisterRestServlet(RestServlet):
|
|||
hs.config.registration.inhibit_user_in_use_error
|
||||
)
|
||||
|
||||
self._require_approval = (
|
||||
hs.config.experimental.msc3866.enabled
|
||||
and hs.config.experimental.msc3866.require_approval_for_new_accounts
|
||||
)
|
||||
|
||||
self._registration_flows = _calculate_registration_flows(
|
||||
hs.config, self.auth_handler
|
||||
)
|
||||
|
@ -734,6 +744,12 @@ class RegisterRestServlet(RestServlet):
|
|||
access_token=return_dict.get("access_token"),
|
||||
)
|
||||
|
||||
if self._require_approval:
|
||||
raise NotApprovedError(
|
||||
msg="This account needs to be approved by an administrator before it can be used.",
|
||||
approval_notice_medium=ApprovalNoticeMedium.NONE,
|
||||
)
|
||||
|
||||
return 200, return_dict
|
||||
|
||||
async def _do_appservice_registration(
|
||||
|
@ -778,7 +794,9 @@ class RegisterRestServlet(RestServlet):
|
|||
"user_id": user_id,
|
||||
"home_server": self.hs.hostname,
|
||||
}
|
||||
if not params.get("inhibit_login", False):
|
||||
# We don't want to log the user in if we're going to deny them access because
|
||||
# they need to be approved first.
|
||||
if not params.get("inhibit_login", False) and not self._require_approval:
|
||||
device_id = params.get("device_id")
|
||||
initial_display_name = params.get("initial_device_display_name")
|
||||
(
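Review bot: The condition in the last hunk, `if not params.get("inhibit_login", False) and not self._require_approval:`, is the only visible check that stops a device and access token from being created for a not-yet-approved account, and it keys on the server-wide config flag rather than on the new user's stored approval state. The visible lines do not show whether the appservice path (`_do_appservice_registration`, whose signature appears at the end of the third hunk) reaches this helper and is meant to be gated too. The existing comment could state the intent, e.g. `# Applies to every caller of this helper while approval is required; confirm appservice registrations are meant to be included.` A regression test asserting that the registration response carries no `access_token` or `device_id` when approval is required would pin the behaviour. The enclosing function starts and ends outside the hunk.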
|
||||
|
|