diff --git a/API/Controllers/AccountController.cs b/API/Controllers/AccountController.cs
index 1ae406b8a..415b51f59 100644
--- a/API/Controllers/AccountController.cs
+++ b/API/Controllers/AccountController.cs
@@ -13,7 +13,6 @@ using API.Interfaces.Services;
using API.Services;
using AutoMapper;
using Kavita.Common;
-using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
@@ -79,7 +78,6 @@ namespace API.Controllers
///
///
///
- [Authorize(Policy = "RequireAdminRole")]
[HttpPost("register")]
public async Task> Register(RegisterDto registerDto)
{
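Review bot: With `[Authorize(Policy = "RequireAdminRole")]` gone and no replacement attribute on `Register` (the `Microsoft.AspNetCore.Authorization` using is dropped in the previous hunk, so nothing else in the file can carry one), a registration with `IsAdmin == false` is now accepted from an unauthenticated caller; the new check further down in this method gates only the admin branch. If open self-registration is not the intent, the non-admin path still needs the same caller requirement, e.g. `var hasAdmin = (await _userManager.GetUsersInRoleAsync(PolicyConstants.AdminRole)).Any();` followed by `if (hasAdmin && !(User.Identity?.IsAuthenticated ?? false)) return Unauthorized();` before the role-specific logic. If anonymous registration is deliberate, a comment on the action saying so (`// Anonymous: first-run admin creation and open sign-up; admin creation is re-checked below`) would stop the next reader from re-adding the attribute. Register's body continues outside this hunk.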
@@ -90,6 +88,17 @@ namespace API.Controllers
return BadRequest("Username is taken.");
}
+ // If we are registering an admin account, ensure there are no existing admins or user registering is an admin
+ if (registerDto.IsAdmin)
+ {
+ var firstTimeFlow = !(await _userManager.GetUsersInRoleAsync("Admin")).Any();
+ if (!firstTimeFlow && !await _unitOfWork.UserRepository.IsUserAdmin(
+ await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername())))
+ {
+ return BadRequest("You are not permitted to create an admin account");
+ }
+ }
+
var user = _mapper.Map(registerDto);
user.UserPreferences ??= new AppUserPreferences();
user.ApiKey = HashUtil.ApiKey();
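Review bot: The `IsUserAdmin(await ..GetUserByUsernameAsync(User.GetUsername()))` call in the added block is reached by an unauthenticated request as soon as one admin exists; with no principal, `GetUserByUsernameAsync` presumably yields null and `IsUserAdmin(null)` may throw (its body is not in the hunk), which turns the intended 400 into an unhandled 500. Guarding with `if (!firstTimeFlow && !(User.Identity?.IsAuthenticated ?? false)) return Unauthorized();` before the repository lookups keeps the rejection explicit. Separately, the role name is the literal `"Admin"` here while the same method uses `PolicyConstants.AdminRole` a few lines later; `GetUsersInRoleAsync(PolicyConstants.AdminRole)` avoids the two drifting apart. Register starts before this hunk and continues after it.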
@@ -105,6 +114,7 @@ namespace API.Controllers
if (!result.Succeeded) return BadRequest(result.Errors);
+
var role = registerDto.IsAdmin ? PolicyConstants.AdminRole : PolicyConstants.PlebRole;
var roleResult = await _userManager.AddToRoleAsync(user, role);
diff --git a/Kavita.Common/Kavita.Common.csproj b/Kavita.Common/Kavita.Common.csproj
index 0c00c0d36..005b8a5b8 100644
--- a/Kavita.Common/Kavita.Common.csproj
+++ b/Kavita.Common/Kavita.Common.csproj
@@ -4,7 +4,7 @@
net5.0
kavitareader.com
Kavita
- 0.4.9.1
+ 0.4.9.2
en
@@ -18,4 +18,4 @@
-
\ No newline at end of file
+