use new restricting access toggle for DS connection

domain-server/src/DomainServer.cpp

@@ -48,7 +48,6 @@ const QString MAXIMUM_USER_CAPACITY = "security.maximum_user_capacity";
 const QString ALLOWED_EDITORS_SETTINGS_KEYPATH = "security.allowed_editors";
 const QString EDITORS_ARE_REZZERS_KEYPATH = "security.editors_are_rezzers";
 
-
 DomainServer::DomainServer(int argc, char* argv[]) :
     QCoreApplication(argc, argv),
     _httpManager(DOMAIN_SERVER_HTTP_PORT, QString("%1/resources/web/").arg(QCoreApplication::applicationDirPath()), this),
@@ -774,9 +773,8 @@ bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
                                                  const HifiSockAddr& senderSockAddr,
                                                  QString& reasonReturn) {
 
-    const QVariant* allowedUsersVariant = valueForKeyPath(_settingsManager.getSettingsMap(),
+    bool isRestrictingAccess =
-                                                                 ALLOWED_USERS_SETTINGS_KEYPATH);
+        _settingsManager.valueOrDefaultValueForKeyPath(RESTRICTED_ACCESS_SETTINGS_KEYPATH).toBool();
-    QStringList allowedUsers = allowedUsersVariant ? allowedUsersVariant->toStringList() : QStringList();
 
     // we always let in a user who is sending a packet from our local socket or from the localhost address
     if (senderSockAddr.getAddress() == DependencyManager::get<LimitedNodeList>()->getLocalSockAddr().getAddress()
@@ -784,18 +782,24 @@ bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
         return true;
     }
 
-    if (allowedUsers.count() > 0) {
+    if (isRestrictingAccess) {
+
+        QStringList allowedUsers =
+            _settingsManager.valueOrDefaultValueForKeyPath(ALLOWED_USERS_SETTINGS_KEYPATH).toStringList();
+
         if (allowedUsers.contains(username, Qt::CaseInsensitive)) {
-            if (verifyUsersKey(username, usernameSignature, reasonReturn)) {
+            if (!verifyUsersKey(username, usernameSignature, reasonReturn)) {
-                return true;
+                return false;
             }
         } else {
             qDebug() << "Connect request denied for user" << username << "not in allowed users list.";
             reasonReturn = "User not on whitelist.";
-        }
+
             return false;
-    } else {
+        }
-        // we have no allowed user list.
+    }
+
+    // either we aren't restricting users, or this user is in the allowed list
 
     // if this user is in the editors list, exempt them from the max-capacity check
     const QVariant* allowedEditorsVariant =
@@ -823,7 +827,6 @@ bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
 
     return true;
 }
-}
 
 void DomainServer::preloadAllowedUserPublicKeys() {
     const QVariant* allowedUsersVariant = valueForKeyPath(_settingsManager.getSettingsMap(), ALLOWED_USERS_SETTINGS_KEYPATH);
@@ -1253,10 +1256,8 @@ void DomainServer::sendHeartbeatToDataServer(const QString& networkAddress) {
     // add a flag to indicate if this domain uses restricted access - for now that will exclude it from listings
     const QString RESTRICTED_ACCESS_FLAG = "restricted";
 
-    const QVariant* allowedUsersVariant = valueForKeyPath(_settingsManager.getSettingsMap(),
+    domainObject[RESTRICTED_ACCESS_FLAG] =
-                                                          ALLOWED_USERS_SETTINGS_KEYPATH);
+        _settingsManager.valueOrDefaultValueForKeyPath(RESTRICTED_ACCESS_SETTINGS_KEYPATH).toBool();
-    QStringList allowedUsers = allowedUsersVariant ? allowedUsersVariant->toStringList() : QStringList();
-    domainObject[RESTRICTED_ACCESS_FLAG] = (allowedUsers.size() > 0);
 
     // add the number of currently connected agent users
     int numConnectedAuthedUsers = 0;