From 0780b5168f4b11071811d498dbf1c0a282a1063b Mon Sep 17 00:00:00 2001 From: Adam Haris Date: Tue, 9 Dec 2025 15:40:01 +0100 Subject: [PATCH] add env variable to disable multi-tenancy --- README.md | 2 ++ app/controllers/concerns/authorization.rb | 5 +++++ app/controllers/signups_controller.rb | 5 +++++ app/models/signup.rb | 5 +++++ app/views/sessions/magic_links/show.html.erb | 7 ++++++- app/views/sessions/new.html.erb | 6 +++++- config/deploy.yml | 1 + test/controllers/signups_controller_test.rb | 15 +++++++++++++++ 8 files changed, 44 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 27440196e..00b8e76ae 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ We've added comments to that file to highlight what each setting needs to be, bu - `proxy/ssl` and `proxy/host`: Kamal can set up SSL certificates for you automatically. To enable that, set the hostname again as `host`. If you don't want SSL for some reason, you can set `ssl: false` to turn it off. - `env/clear/MAILER_FROM_ADDRESS`: This is the email address that Fizzy will send emails from. It should usually be an address from the same domain where you're running Fizzy. - `env/clear/SMTP_ADDRESS`: The address of an SMTP server that you can send email through. You can use a 3rd-party service for this, like Sendgrid or Postmark, in which case their documentation will tell you what to use for this. +- `env/clear/SINGLE_TENANT`: Set to `true` to enable single-tenant mode (disable multi-account signups). + Fizzy also requires a few environment variables to be set up, some of which contain secrets. The simplest way to do this is to put them in a file called `.kamal/secrets`. diff --git a/app/controllers/concerns/authorization.rb b/app/controllers/concerns/authorization.rb index 81bd0c781..3b3e17a14 100644 --- a/app/controllers/concerns/authorization.rb +++ b/app/controllers/concerns/authorization.rb @@ -4,6 +4,7 @@ module Authorization included do before_action :ensure_can_access_account, if: -> { Current.account.present? && authenticated? } before_action :ensure_only_staff_can_access_non_production_remote_environments, if: :authenticated? + helper_method :single_tenant? end class_methods do @@ -37,4 +38,8 @@ module Authorization def redirect_existing_user redirect_to root_path if Current.user end + + def single_tenant? + ENV.fetch("SINGLE_TENANT", "false") == "true" + end end diff --git a/app/controllers/signups_controller.rb b/app/controllers/signups_controller.rb index 776421201..ec39063ce 100644 --- a/app/controllers/signups_controller.rb +++ b/app/controllers/signups_controller.rb @@ -3,6 +3,7 @@ class SignupsController < ApplicationController allow_unauthenticated_access rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_signup_path, alert: "Try again later." } before_action :redirect_authenticated_user + before_action :prevent_signup_when_users_exist, if: -> { single_tenant? && User.any? } layout "public" @@ -27,4 +28,8 @@ class SignupsController < ApplicationController def signup_params params.expect signup: :email_address end + + def prevent_signup_when_users_exist + redirect_to new_session_url, alert: "Your account hasn’t been set up yet. Please request an invitation from one of your coworkers." + end end diff --git a/app/models/signup.rb b/app/models/signup.rb index 110c253ef..4409c589c 100644 --- a/app/models/signup.rb +++ b/app/models/signup.rb @@ -16,6 +16,7 @@ class Signup end def create_identity + return if single_tenant? @identity = Identity.find_or_create_by!(email_address: email_address) @identity.send_magic_link for: :sign_up end @@ -96,4 +97,8 @@ class Signup attributes[:referrer] = Current.referrer end end + + def single_tenant? + ENV.fetch("SINGLE_TENANT", "false") == "true" + end end diff --git a/app/views/sessions/magic_links/show.html.erb b/app/views/sessions/magic_links/show.html.erb index 4e94f411e..810b3527a 100644 --- a/app/views/sessions/magic_links/show.html.erb +++ b/app/views/sessions/magic_links/show.html.erb @@ -3,7 +3,12 @@
">

<%= @page_title %>

-

Then enter the verification code included in the email below:

+

+ <% if single_tenant? %> + iIf your email belongs to an existing account. + <% end %> + Then enter the verification code included in the email below: +

<%= form_with url: session_magic_link_path, method: :post, html: { data: { controller: "magic-link" } } do |form| %> diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index fc89bf681..643c9b66c 100644 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -10,7 +10,11 @@
-

New here? <%= link_to "Sign up", new_signup_path %> to create an account. Already have an account? Enter your email and we’ll get you signed in.

+ <% if single_tenant? %> +

Enter your email and we’ll get you signed in.

+ <% else %> +

New here? <%= link_to "Sign up", new_signup_path %> to create an account. Already have an account? Enter your email and we’ll get you signed in.

+ <% end %>