fix: User creation through API when signups are supposed to be disabled (#2622)

* fix user creation when signups are supposed to be diabled

* add user registration tests

* run formatter

* fix test filename

---------

Co-authored-by: Michael Genson <71845777+michael-genson@users.noreply.github.com>

mealie/services/user_services/registration_service.py

@@ -63,14 +63,10 @@ class RegistrationService:
         elif self.repos.users.get_one(registration.email, "email"):
             raise HTTPException(status.HTTP_409_CONFLICT, {"message": self.t("exceptions.email-conflict-error")})
 
-        self.logger.info(f"Registering user {registration.username}")
         token_entry = None
         new_group = False
 
-        if registration.group:
+        if registration.group_token and registration.group_token != "":
-            new_group = True
-            group = self._register_new_group()
-        elif registration.group_token and registration.group_token != "":
             token_entry = self.repos.group_invite_tokens.get_one(registration.group_token)
             if not token_entry:
                 raise HTTPException(status.HTTP_400_BAD_REQUEST, {"message": "Invalid group token"})
@@ -81,9 +77,13 @@ class RegistrationService:
                 raise HTTPException(status.HTTP_400_BAD_REQUEST, {"message": "Invalid group token"})
 
             group = maybe_none_group
+        elif registration.group:
+            new_group = True
+            group = self._register_new_group()
         else:
             raise HTTPException(status.HTTP_400_BAD_REQUEST, {"message": "Missing group"})
 
+        self.logger.info(f"Registering user {registration.username}")
         user = self._create_new_user(group, new_group)
 
         if new_group and registration.seed_data:

tests/integration_tests/user_tests/test_user_registration.py

@@ -0,0 +1,34 @@
+import random
+import string
+
+from fastapi.testclient import TestClient
+from mealie.core.config import get_app_settings
+from tests.utils import api_routes
+from tests.utils.factories import user_registration_factory
+
+
+def test_register_user(api_client: TestClient, monkeypatch):
+    # create random registration
+    registration = user_registration_factory()
+
+    # signup disabled but valid request
+    monkeypatch.setenv("ALLOW_SIGNUP", "False")
+    get_app_settings.cache_clear()
+    response = api_client.post(api_routes.users_register, json=registration.dict(by_alias=True))
+    assert response.status_code == 403
+
+    # signup disabled, request includes non valid group token
+    registration.group_token = "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(10)).strip()
+    response = api_client.post(api_routes.users_register, json=registration.dict(by_alias=True))
+    assert response.status_code == 400
+
+    # signup enabled but contains non valid group token
+    monkeypatch.setenv("ALLOW_SIGNUP", "True")
+    get_app_settings.cache_clear()
+    response = api_client.post(api_routes.users_register, json=registration.dict(by_alias=True))
+    assert response.status_code == 400
+
+    # signup enabled and valid request
+    registration.group_token = None
+    response = api_client.post(api_routes.users_register, json=registration.dict(by_alias=True))
+    assert response.status_code == 201