Silently fail if user tries to sneak in

When 'invite only' is enabled, there's no way for a user to create an
account unless they try and sneak in by POSTing to /users/. We will
silently fail if this happens.

app/controllers/users_controller.rb

@@ -145,16 +145,7 @@ class UsersController < ApplicationController
   end
 
   def create
-
-    if honeypot_or_challenge_fails?(params)
-      # Don't give any indication that we caught you in the honeypot
-      honey_pot_response = {
-        success: true,
-        active: false,
-        message: I18n.t("login.activate_email", email: params[:email])
-      }
-      return render(json: honey_pot_response)
-    end
+    return fake_success_reponse if suspicious? params
 
     user = User.new_from_params(params)
 
@@ -349,6 +340,20 @@ class UsersController < ApplicationController
       '3019774c067cc2b'
     end
 
+    def suspicious?(params)
+      honeypot_or_challenge_fails?(params) || SiteSetting.invite_only?
+    end
+
+    def fake_success_reponse
+      render(
+        json: {
+          success: true,
+          active: false,
+          message: I18n.t("login.activate_email", email: params[:email])
+        }
+      )
+    end
+
     def honeypot_or_challenge_fails?(params)
       params[:password_confirmation] != honeypot_value ||
       params[:challenge] != challenge_value.try(:reverse)