I have been tasked with disabling public account creation in a Tutor installation (Open edX 18.1.3), and it is not going so well. We don’t care if the ‘Register for free’ link shows up, but users need to be created exclusively through the Django interface.
What I have tried thus far:
Set ALLOW_PUBLIC_ACCOUNT_CREATION: false in both cms.env.yml and lms.env.yml. I see this recommended in a number of places, but it does not seem to do anything.
Set REGISTRATION_EMAIL_PATTERNS_ALLOWED: "^GO_AWAY$". This is ‘security through obscurity’ and people will find a way to bypass it (according to Management - they will not budge on that).
Set response /authn/register 403 in /etc/caddy/Caddyfile. This will block the registration page, but people will find a way to craft a POST request directly to whatever script handles the request.
ALLOW_PUBLIC_ACCOUNT_CREATION should be enough. Please note that this is not a Django setting but a FEATURE flag. Make sure you set it properly using a Tutor patch to common-env-features.
By the way, DO NOT try to create users using the Django interface; this will not work. You should then register users by using the registration API.
My problem is that I have it in lms.env.yml, and I have double checked that it has not been overwritten yet - but I am still able to create accounts through the ‘Register for free’ link.
How do I verify that this setting has taken effect?
Well… there is no single approach nor easy way to troubleshoot problems like this. I would first open a Python shell in the LMS container and check that the settings are arriving properly. The registration form is in the authn MFE, so it should arrive in the browser in the MFE context, which can be seen in your browser’s console. Then I would dive into the code and find how it operates. We use this function a lot, so I know it works. But sometimes it’s tricky to make things work here.
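One way to run the check suggested in the last reply, as an added example that is not part of the original thread: paste the function into the LMS Python shell and call it with `django.conf.settings`. The function name, the verdict labels and the sample objects are hypothetical; reading the flag from `settings.FEATURES` follows the reply above that it is a feature flag rather than a plain Django setting.

```python
from types import SimpleNamespace

FLAG = "ALLOW_PUBLIC_ACCOUNT_CREATION"


def diagnose_registration_flag(settings_obj):
    """Report where FLAG landed in a Django-settings-like object.

    In the LMS shell, pass django.conf.settings. Returns the value found
    under FEATURES, the value found as a top-level setting, and a verdict.
    """
    missing = object()
    features = getattr(settings_obj, "FEATURES", None) or {}
    in_features = features.get(FLAG, missing)
    top_level = getattr(settings_obj, FLAG, missing)

    if in_features is missing:
        # Set as a plain setting (or not at all): it never reached FEATURES.
        verdict = "misplaced" if top_level is not missing else "unset"
    elif isinstance(in_features, str):
        # A quoted YAML value such as "false" is a non-empty, truthy string.
        verdict = "wrong-type"
    else:
        verdict = "enabled" if in_features else "disabled"

    return {
        "features": None if in_features is missing else in_features,
        "top_level": None if top_level is missing else top_level,
        "verdict": verdict,
    }


# Constructed stand-ins for django.conf.settings (not real deployment data).
SAMPLES = {
    "under_features": SimpleNamespace(FEATURES={FLAG: False}),
    "top_level_only": SimpleNamespace(FEATURES={}, **{FLAG: False}),
    "quoted_string": SimpleNamespace(FEATURES={FLAG: "false"}),
    "absent": SimpleNamespace(FEATURES={}),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:15} {diagnose_registration_flag(sample)}")
```

A verdict of `misplaced` means the key was written at the top level of the env file instead of under `FEATURES`, which matches the symptom described in the thread.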