From d79a55b4c683247fedeb75c5ac36409f3f25670a Mon Sep 17 00:00:00 2001
From: Tiago Vasconcelos <talvasconcelos@gmail.com>
Date: Tue, 26 Sep 2023 07:08:36 +0100
Subject: [PATCH] Don't create user if allowed users is set (#1822)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* dont allow creating of users when allowed users are set
* add info to .env.example

---------

Co-authored-by: dni ⚡ <office@dnilabs.com>
---
 .env.example             | 1 +
 lnbits/core/views/api.py | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/.env.example b/.env.example
index 8ee75b9a..8412d7d2 100644
--- a/.env.example
+++ b/.env.example
@@ -15,6 +15,7 @@ LNBITS_ALLOWED_IPS=""
 LNBITS_BLOCKED_IPS=""
 
 # Allow users and admins by user IDs (comma separated list)
+# if set new users will not be able to create accounts
 LNBITS_ALLOWED_USERS=""
 LNBITS_ADMIN_USERS=""
 # Extensions only admin can access
diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index 6df09d39..ebb06fbd 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -172,6 +172,11 @@ async def api_create_wallet(
 
 @api_router.post("/api/v1/account", response_model=Wallet)
 async def api_create_account(data: CreateWallet) -> Wallet:
+    if len(settings.lnbits_allowed_users) > 0:
+        raise HTTPException(
+            status_code=HTTPStatus.BAD_REQUEST,
+            detail="Account creation is disabled.",
+        )
     account = await create_account()
     return await create_wallet(user_id=account.id, wallet_name=data.name)