From 00a11b1b784af6283a8321d240a309bb637d23a6 Mon Sep 17 00:00:00 2001
From: Miro Prasil <miro@circleci.com>
Date: Fri, 1 Nov 2019 22:34:42 +0000
Subject: [PATCH] Stop leaking usernames when SIGNUPS_ALLOWED=false

This fixes #691 - respond in less specific way to not leak the
fact that user is already registered on the server.
---
 src/api/core/accounts.rs | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 3b16514..9c9e7da 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -62,7 +62,11 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
     let mut user = match User::find_by_mail(&data.Email, &conn) {
         Some(user) => {
             if !user.password_hash.is_empty() {
-                err!("User already exists")
+                if CONFIG.signups_allowed() {
+                    err!("User already exists")
+                } else {
+                    err!("Registration not allowed or user already exists")
+                }
             }
 
             if let Some(token) = data.Token {
@@ -82,14 +86,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
             } else if CONFIG.signups_allowed() {
                 err!("Account with this email already exists")
             } else {
-                err!("Registration not allowed")
+                err!("Registration not allowed or user already exists")
             }
         }
         None => {
             if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
                 User::new(data.Email.clone())
             } else {
-                err!("Registration not allowed")
+                err!("Registration not allowed or user already exists")
             }
         }
     };