Add feature flag to allow users to be created only if invited to join a team

Allows for open user creation, but only if extended an invitation by someone who already has access

endpoints/api/user.py

@@ -21,6 +21,7 @@ from auth.permissions import (AdministerOrganizationPermission, CreateRepository
 from data import model
 from data.billing import get_plan
 from data.database import Repository as RepositoryTable
+from data.users.shared import can_create_user
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
                            log_action, internal_only, require_user_admin, parse_args,
                            query_param, require_scope, format_date, show_if,
@@ -424,9 +425,20 @@ class User(ApiResource):
     if existing_user:
       raise request_error(message='The username already exists')
 
+    # Ensure an e-mail address was specified if required.
     if features.MAILING and not user_data.get('email'):
       raise request_error(message='Email address is required')
 
+    # If invite-only user creation is turned on and no invite code was sent, return an error.
+    # Technically, this is handled by the can_create_user call below as well, but it makes
+    # a nicer error.
+    if features.INVITE_ONLY_USER_CREATION and not invite_code:
+      raise request_error(message='Cannot create non-invited user')
+
+    # Ensure that this user can be created.
+    if not can_create_user(user_data.get('email')):
+      raise request_error(message='Creation of a user account for this e-mail is disabled; please contact an administrator')
+
     try:
       prompts = model.user.get_default_user_prompts(features)
       new_user = model.user.create_user(user_data['username'], user_data['password'],