From 57d77e0a5529c3b92a97c992079b54a87257cec8 Mon Sep 17 00:00:00 2001
From: Mateusz Mandera
Date: Sun, 6 Apr 2025 02:31:52 +0800
Subject: [PATCH] realm_creation: Disable open realm creation if no password backend.

---
 zerver/tests/test_signup.py | 15 +++++++++++++++
 zerver/views/registration.py | 16 +++++++++++-----
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/zerver/tests/test_signup.py b/zerver/tests/test_signup.py
index db2b08b9af..cd46bb90e6 100644
--- a/zerver/tests/test_signup.py
+++ b/zerver/tests/test_signup.py
@@ -1472,6 +1472,21 @@ class RealmCreationTest(ZulipTestCase):
 self.assertEqual(result.status_code, 200)
 self.assert_in_response("Organization creation link required", result)
 
+ @override_settings(OPEN_REALM_CREATION=True)
+ def test_create_realm_without_password_backend_enabled(self) -> None:
+ email = "user@example.com"
+ with self.settings(
+ AUTHENTICATION_BACKENDS=(
+ "zproject.backends.SAMLAuthBackend",
+ "zproject.backends.ZulipDummyBackend",
+ )
+ ):
+ result = self.submit_realm_creation_form(
+ email, realm_subdomain="custom-test", realm_name="Zulip test"
+ )
+ self.assertEqual(result.status_code, 200)
+ self.assert_in_response("Organization creation link required", result)
+
 @override_settings(OPEN_REALM_CREATION=True)
 def test_create_realm_with_subdomain(self) -> None:
 password = "test"
diff --git a/zerver/views/registration.py b/zerver/views/registration.py
index 6169d53c9e..dd93c11be6 100644
--- a/zerver/views/registration.py
+++ b/zerver/views/registration.py
@@ -891,11 +891,17 @@ def create_realm(request: HttpRequest, creation_key: str | None = None) -> HttpR
 request,
 "zerver/portico_error_pages/realm_creation_link_invalid.html",
 )
- if not settings.OPEN_REALM_CREATION and key_record is None:
- return TemplateResponse(
- request,
- "zerver/portico_error_pages/realm_creation_disabled.html",
- )
+ if key_record is None:
+ if not settings.OPEN_REALM_CREATION:
+ return TemplateResponse(
+ request,
+ "zerver/portico_error_pages/realm_creation_disabled.html",
+ )
+ if not password_auth_enabled():
+ return TemplateResponse(
+ request,
+ "zerver/portico_error_pages/realm_creation_disabled.html",
+ )
 
 # When settings.OPEN_REALM_CREATION is enabled, anyone can create a new realm,
 # with a few restrictions on their email address.
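Review bot: The two early returns under `if key_record is None:` render the same `realm_creation_disabled.html` page, and the new `password_auth_enabled()` branch has no comment saying why a server without a password backend must not offer open realm creation. They could be one guard, `if not settings.OPEN_REALM_CREATION or not password_auth_enabled():`, preceded by a one-line comment giving that reason, so the policy lives in a single condition. The retained comment just below (`anyone can create a new realm`) now holds only when a password backend is enabled and should be qualified. A request carrying a valid creation key skips both checks; that looks intentional, but the added test in `test_signup.py` covers only the key-less path, so a companion test for the key case would pin it down. `create_realm` begins before and continues past this hunk.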