Reject actual logins when admin is disabled.

MANIFEST.in

@@ -11,6 +11,7 @@ include isso/js/count.dev.js
 include isso/defaults.ini
 
 include isso/templates/admin.html
+include isso/templates/disabled.html
 include isso/templates/login.html
 include isso/css/admin.css
 include isso/css/isso.css

isso/views/comments.py

@@ -1067,6 +1067,8 @@ class API(object):
         )
 
     def login(self, env, req):
+        if not self.isso.conf.getboolean("admin", "enabled"):
+            return render_template('disabled.html')
         data = req.form
         password = self.isso.conf.get("admin", "password")
         if data['password'] and data['password'] == password:
@@ -1088,8 +1090,7 @@ class API(object):
     def admin(self, env, req):
         isso_host_script = self.isso.conf.get("server", "public-endpoint") or local.host
         if not self.isso.conf.getboolean("admin", "enabled"):
-            return render_template(
+            return render_template('disabled.html')
-                'disabled.html', isso_host_script=isso_host_script)
         try:
             data = self.isso.unsign(req.cookies.get('admin-session', ''),
                                     max_age=60 * 60 * 24)

share/isso.conf

@@ -63,7 +63,7 @@ gravatar-url = https://www.gravatar.com/avatar/{}?d=identicon
 enabled = false
 
 # Admin access password
-_password = please_choose_a_strong_password
+password = please_choose_a_strong_password
 
 [moderation]
 # enable comment moderation queue. This option only affects new comments.