From f0860b77c78c9889bcbd6d6b88c81e3fc66ae193 Mon Sep 17 00:00:00 2001
From: Gertjan van den Burg <gertjanvandenburg@gmail.com>
Date: Mon, 13 May 2019 13:48:39 -0400
Subject: add support for user filtering

---
 .env.example      |  4 ++++
 app/auth/forms.py | 14 ++++++++++++++
 config.py         | 12 ++++++++++++
 flask.sh          |  0
 4 files changed, 30 insertions(+)
 mode change 100755 => 100644 flask.sh

diff --git a/.env.example b/.env.example
index 1a3da6d..f6c5ee0 100644
--- a/.env.example
+++ b/.env.example
@@ -7,6 +7,10 @@ FLASK_ENV=development
 DB_TYPE=mysql
 # secret key for flask
 SECRET_KEY=my-long-and-hard-to-guess-secret-key
+# user email domains allowed (semicolon separated, empty means all)
+USER_EMAIL_DOMAINS=
+# specific user emails allowed (semicolon separated)
+USER_EMAILS=
 
 ## Mail configuration
 #
diff --git a/app/auth/forms.py b/app/auth/forms.py
index 8f7662a..06bad3f 100644
--- a/app/auth/forms.py
+++ b/app/auth/forms.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 
+from flask import current_app
 from flask_wtf import FlaskForm
 
 from wtforms import StringField, PasswordField, BooleanField, SubmitField
@@ -37,6 +38,19 @@ class RegistrationForm(FlaskForm):
             raise ValidationError(
                 "Email address already in use, please use a different one."
             )
+        if current_app.config["USER_EMAILS"]:
+            if email.data in current_app.config["USER_EMAILS"]:
+                return
+        if current_app.config["USER_EMAIL_DOMAINS"]:
+            if not email.data in current_app.config["USER_EMAIL_DOMAINS"]:
+                raise ValidationError(
+                    "Access to AnnotateChange is restricted to "
+                    "individuals with email addresses from specific "
+                    "institutions. Please use your employee email address "
+                    "when signing up. If that does not solve the issue, "
+                    "you unfortunately do not have access to "
+                    "AnnotateChange at this time."
+                )
 
 
 class ResetPasswordRequestForm(FlaskForm):
diff --git a/config.py b/config.py
index 1f0ca83..865e098 100644
--- a/config.py
+++ b/config.py
@@ -50,3 +50,15 @@ class Config(object):
     # task distribution settings
     TASKS_MAX_PER_USER = 5
     TASKS_NUM_PER_DATASET = 10
+
+    # user emails allowed
+    USER_EMAIL_DOMAINS = os.environ.get("USER_EMAIL_DOMAINS") or ""
+    USER_EMAIL_DOMAINS = [
+        x.split() for x in USER_EMAIL_DOMAINS.split(";")
+    ]
+    USER_EMAIL_DOMAINS = (
+        None if not USER_EMAIL_DOMAINS else USER_EMAIL_DOMAINS
+    )
+    USER_EMAILS = os.environ.get("USER_EMAILS") or ""
+    USER_EMAILS = [x.split() for x in USER_EMAILS.split(";")]
+    USER_EMAILS = None if not USER_EMAILS else USER_EMAILS
diff --git a/flask.sh b/flask.sh
old mode 100755
new mode 100644
-- 
cgit v1.2.3