From 49befa263c9ef3335a806f4049beab1a1e3094ec Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Mon, 16 May 2022 17:53:45 -0400
Subject: [PATCH] fix(api): v1 security fix

---
 src/controllers/api/v1/tickets.js | 16 ++++++++++++++--
 src/controllers/api/v1/users.js | 12 +++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/controllers/api/v1/tickets.js b/src/controllers/api/v1/tickets.js
index 9312ccd5b..c58b88477 100644
--- a/src/controllers/api/v1/tickets.js
+++ b/src/controllers/api/v1/tickets.js
@@ -530,11 +530,23 @@ apiTickets.createPublicTicket = function (req, res) {
   var user, group, ticket, plainTextPass
+  var settingSchema = require('../../../models/setting')
+
   async.waterfall(
     [
       function (next) {
-        var settingSchmea = require('../../../models/setting')
-        settingSchmea.getSetting('role:user:default', function (err, roleDefault) {
+        settingSchema.getSetting('allowPublicTickets:enable', function (err, allowPublicTickets) {
+          if (err) return next(err)
+          if (!allowPublicTickets) {
+            winston.warn('Public ticket creation attempted while disabled!')
+            return next('Public ticket creation is disabled!')
+          }
+
+          return next()
+        })
+      },
+      function (next) {
+        settingSchema.getSetting('role:user:default', function (err, roleDefault) {
           if (err) return next(err)
           if (!roleDefault) {
             winston.error('No Default User Role Set. (Settings > Permissions > Default User Role)')
diff --git a/src/controllers/api/v1/users.js b/src/controllers/api/v1/users.js
index 50fd5d95e..042b2634a 100644
--- a/src/controllers/api/v1/users.js
+++ b/src/controllers/api/v1/users.js
@@ -263,7 +263,6 @@ apiUsers.create = function (req, res) {
  */
 apiUsers.createPublicAccount = function (req, res) {
   const SettingSchema = require('../../../models/setting')
-  const SettingsUtil = require('../../../settings/settingsUtil')
   const response = {}
   response.success = true
 
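Review bot: The new guard `if (!allowPublicTickets)` in the tickets.js hunk only rejects a missing setting; if getSetting resolves to a setting document rather than its raw boolean (that is not visible here), a saved-but-disabled `allowPublicTickets:enable` is a truthy object, the guard never fires, and the endpoint stays open despite the fix. Confirm what getSetting hands back and, if it is the document, test the stored value explicitly, e.g. `if (!allowPublicTickets || !allowPublicTickets.value) {`. The same pattern is introduced for `allowUserRegistration:enable` in the users.js hunk at -274,6 and should be treated the same way. createPublicTicket starts before this hunk and the final waterfall callback that receives the `next(...)` value lies outside it.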
@@ -274,6 +273,17 @@ apiUsers.createPublicAccount = function (req, res) {
 
   async.waterfall(
     [
+      function (next) {
+        SettingSchema.getSetting('allowUserRegistration:enable', function (err, allowUserRegistration) {
+          if (err) return next(err)
+          if (!allowUserRegistration) {
+            winston.warn('Public account creation was attempted while disabled!')
+            return next({ message: 'Public account creation is disabled.' })
+          }
+
+          return next()
+        })
+      },
       function (next) {
         SettingSchema.getSetting('role:user:default', function (err, roleDefault) {
           if (err) return next(err)
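Review bot: The rejection here passes `{ message: 'Public account creation is disabled.' }` to `next`, whereas the equivalent guard this patch adds to tickets.js passes a bare string, `'Public ticket creation is disabled!'`; the final waterfall callbacks (outside both hunks) presumably format that value into the API response, so the two new guards should use one error shape, or clients will see differently structured error bodies for the same class of refusal. Picking the object form in both places, e.g. `return next({ message: 'Public ticket creation is disabled.' })` in tickets.js, keeps the message addressable as `err.message`. createPublicAccount begins before this hunk.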