
feat: implement user page access control based on disableUserPages setting

Shun Miyazawa 2 месяцев назад
Родитель
Сommit
5006c2c470

+ 11 - 0
apps/app/src/server/routes/apiv3/page/create-page.ts

@@ -6,6 +6,7 @@ import {
   isCreatablePage,
   isUserPage,
   isUsersHomepage,
+  isUsersTopPage,
 } from '@growi/core/dist/utils/page-path-utils';
 import {
   attachTitleHeader,
@@ -310,6 +311,16 @@ export const createPageHandlersFactory: CreatePageHandlersFactory = (crowi) => {
         );
       }
 
+      const disableUserPages = configManager.getConfig(
+        'security:disableUserPages',
+      );
+      if (
+        (disableUserPages && isUsersTopPage(pathToCreate)) ||
+        isUserPage(pathToCreate)
+      ) {
+        return res.apiv3Err('User pages are disabled');
+      }
+
       if (isUserPage(pathToCreate)) {
         const isExistUser = await User.isExistUserByUserPagePath(pathToCreate);
         if (!isExistUser) {
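Review bot: The guard added in the second hunk rejects every user page whether or not `security:disableUserPages` is set, because `&&` binds tighter than `||` and `isUserPage(pathToCreate)` therefore sits outside the setting check. With the setting off, creating a page under a user path now returns 'User pages are disabled', and the `isUserPage(pathToCreate)` existence check directly below can no longer be reached. Move the parenthesis so the flag gates both predicates: `if (disableUserPages && (isUsersTopPage(pathToCreate) || isUserPage(pathToCreate))) {`. The same condition is repeated in update-page.ts and pages/index.js and needs the same change. The handler starts and ends outside the hunk, and no `configManager` import is added in this file, so confirm it is already in scope.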

+ 13 - 0
apps/app/src/server/routes/apiv3/page/update-page.ts

@@ -5,7 +5,9 @@ import { ErrorV3 } from '@growi/core/dist/models';
 import { serializeUserSecurely } from '@growi/core/dist/models/serializers';
 import {
   isTopPage,
+  isUserPage,
   isUsersProtectedPages,
+  isUsersTopPage,
 } from '@growi/core/dist/utils/page-path-utils';
 import type { Request, RequestHandler } from 'express';
 import type { ValidationChain } from 'express-validator';
@@ -29,6 +31,7 @@ import {
   serializePageSecurely,
   serializeRevisionSecurely,
 } from '~/server/models/serializers';
+import { configManager } from '~/server/service/config-manager/config-manager';
 import { preNotifyService } from '~/server/service/pre-notify';
 import { normalizeLatestRevisionIfBroken } from '~/server/service/revision/normalize-latest-revision-if-broken';
 import { getYjsService } from '~/server/service/yjs';
@@ -224,6 +227,16 @@ export const updatePageHandlersFactory: UpdatePageHandlersFactory = (crowi) => {
         );
       }
 
+      const disableUserPages = configManager.getConfig(
+        'security:disableUserPages',
+      );
+      if (
+        (disableUserPages && isUsersTopPage(currentPage.path)) ||
+        isUserPage(currentPage.path)
+      ) {
+        return res.apiv3Err('User pages are disabled');
+      }
+
       const isGrantImmutable =
         isTopPage(currentPage.path) || isUsersProtectedPages(currentPage.path);
 

+ 11 - 0
apps/app/src/server/routes/apiv3/pages/index.js

@@ -6,6 +6,7 @@ import {
   isCreatablePage,
   isTrashPage,
   isUserPage,
+  isUsersTopPage,
 } from '@growi/core/dist/utils/page-path-utils';
 import {
   addHeadingSlash,
@@ -763,6 +764,16 @@ module.exports = (crowi) => {
         );
       }
 
+      const disableUserPages = configManager.getConfig(
+        'security:disableUserPages',
+      );
+      if (
+        (disableUserPages && isUsersTopPage(pathToCreate)) ||
+        isUserPage(pathToCreate)
+      ) {
+        return res.apiv3Err('User pages are disabled');
+      }
+
       if (isUserPage(newPagePath)) {
         const isExistUser = await User.isExistUserByUserPagePath(newPagePath);
         if (!isExistUser) {
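Review bot: The added guard tests `pathToCreate`, while the unchanged lines right after it test `newPagePath`; the name looks copied from create-page.ts. If `pathToCreate` is not declared in this handler (its start is outside the hunk), the check throws a ReferenceError instead of enforcing the setting, and if it is declared it is probably not the destination path that the following code validates. Use the path the rest of the block uses: `isUsersTopPage(newPagePath)` and `isUserPage(newPagePath)`. Only `isUsersTopPage` is imported in this file's first hunk, so confirm that `configManager` is already in scope here.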