Add team creation disable configuration (#1802)

* Add ability for admins to disable public team creation * Closes #1364
2025-12-18 14:34:21 +01:00 · 2021-02-12 18:26:03 -05:00
parent abdc366bb7
commit 5c9b3e7070
4 changed files with 52 additions and 2 deletions
--- a/CTFd/forms/config.py
+++ b/CTFd/forms/config.py
@@ -33,8 +33,15 @@ class AccountSettingsForm(BaseForm):
        "Account Email Whitelist",
        description="Comma-seperated email domains which users can register under (e.g. ctfd.io, gmail.com, yahoo.com)",
    )
+    team_creation = SelectField(
+        "Team Creation",
+        description="Control whether users can create their own teams (Teams mode only)",
+        choices=[("true", "Enabled"), ("false", "Disabled")],
+        default="true",
+    )
    team_size = IntegerField(
-        widget=NumberInput(min=0), description="Amount of users per team"
+        widget=NumberInput(min=0),
+        description="Amount of users per team (Teams mode only)",
    )
    verify_emails = SelectField(
        "Verify Emails",
--- a/CTFd/teams.py
+++ b/CTFd/teams.py
@@ -191,6 +191,12 @@ def new():
    infos = get_infos()
    errors = get_errors()

+    if bool(get_config("team_creation", default=True)) is False:
+        abort(
+            403,
+            description="Team creation is currently disabled. Please join an existing team.",
+        )
+
    user = get_current_user_attrs()
    if user.team_id:
        errors.append("You are already in a team. You cannot join another.")
--- a/CTFd/themes/admin/templates/configs/accounts.html
+++ b/CTFd/themes/admin/templates/configs/accounts.html
@@ -2,7 +2,8 @@

 	{% set verify_emails = "true" if verify_emails == True else "false" %}
 	{% set name_changes = "true" if name_changes == True else "false" %}
-	{% with form = Forms.config.AccountSettingsForm(verify_emails=verify_emails, name_changes=name_changes, team_disbanding=team_disbanding) %}
+	{% set team_creation = "true" if team_creation == True else "false" %}
+	{% with form = Forms.config.AccountSettingsForm(verify_emails=verify_emails, name_changes=name_changes, team_disbanding=team_disbanding, team_creation=team_creation) %}
 	<form method="POST" autocomplete="off" class="w-100">

 		<div class="form-group">
@@ -21,6 +22,14 @@
 			</small>
 		</div>

+		<div class="form-group">
+			{{ form.team_creation.label }}
+			{{ form.team_creation(class="form-control", value=team_creation) }}
+			<small class="form-text text-muted">
+				{{ form.team_creation.description }}
+			</small>
+		</div>
+
 		<div class="form-group">
 			{{ form.team_size.label }}
 			{{ form.team_size(class="form-control", value=team_size) }}
--- a/tests/teams/test_teams.py
+++ b/tests/teams/test_teams.py
@@ -179,3 +179,31 @@ def test_team_size_limit():
            resp = r.get_data(as_text=True)
            assert len(Teams.query.filter_by(id=team_id).first().members) == 2
    destroy_ctfd(app)
+
+
+def test_team_creation_disable():
+    app = create_ctfd(user_mode="teams")
+    with app.app_context():
+        register_user(app)
+        with login_as_user(app) as client:
+            # Team creation page should be available
+            r = client.get("/teams/new")
+            assert r.status_code == 200
+
+            # Disable team creation in config
+            set_config("team_creation", False)
+
+            # Can't access the public team creation page
+            r = client.get("/teams/new")
+            assert r.status_code == 403
+
+            # User should be blocked from creating teams as well
+            with client.session_transaction() as sess:
+                data = {
+                    "name": "team_name",
+                    "password": "password",
+                    "nonce": sess.get("nonce"),
+                }
+            r = client.post("/teams/new", data=data)
+            assert r.status_code == 403
+    destroy_ctfd(app)