Block new accounts after registering if configured to do so

babolivier · babolivier · commit 685f76f9bb79 · 2022-08-22T09:31:26.000+01:00
diff --git a/synapse/rest/client/register.py b/synapse/rest/client/register.py
@@ -433,6 +433,11 @@ def __init__(self, hs: "HomeServer"):
             hs.config.registration.inhibit_user_in_use_error
         )
 
+        self._require_approval = (
+            hs.config.experimental.msc3866.enabled
+            and hs.config.experimental.msc3866.require_approval_for_new_accounts
+        )
+
         self._registration_flows = _calculate_registration_flows(
             hs.config, self.auth_handler
         )
@@ -756,6 +761,13 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
                 access_token=return_dict.get("access_token"),
             )
 
+            if self._require_approval:
+                raise SynapseError(
+                    code=403,
+                    errcode=Codes.USER_AWAITING_APPROVAL,
+                    msg="This account needs to be approved by an administrator before it can be used.",
+                )
+
         return 200, return_dict
 
     async def _do_appservice_registration(
diff --git a/tests/rest/client/test_register.py b/tests/rest/client/test_register.py
@@ -765,6 +765,29 @@ def test_inhibit_user_in_use_error(self) -> None:
         self.assertEqual(channel.code, 400, channel.json_body)
         self.assertEqual(channel.json_body["errcode"], Codes.USER_IN_USE)
 
+    @override_config(
+        {
+            "experimental_features": {
+                "msc3866": {
+                    "enabled": True,
+                    "require_approval_for_new_accounts": True,
+                }
+            }
+        }
+    )
+    def test_require_approval(self) -> None:
+        channel = self.make_request(
+            "POST",
+            "register",
+            {
+                "username": "kermit",
+                "password": "monkey",
+                "auth": {"type": LoginType.DUMMY},
+            },
+        )
+        self.assertEqual(403, channel.code, channel.result)
+        self.assertEqual(Codes.USER_AWAITING_APPROVAL, channel.json_body["errcode"])
+
 
 class AccountValidityTestCase(unittest.HomeserverTestCase):
 
