From 7fb41f09456ddb544a045482f986e952777889ca Mon Sep 17 00:00:00 2001 From: Joseph Milazzo Date: Wed, 5 Jan 2022 14:59:29 -0800 Subject: [PATCH] Fixed a bug with previous hotfix which prevented registration for new users. (#899) --- API/Controllers/AccountController.cs | 14 ++++++++++++-- Kavita.Common/Kavita.Common.csproj | 4 ++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/API/Controllers/AccountController.cs b/API/Controllers/AccountController.cs index 1ae406b8a..415b51f59 100644 --- a/API/Controllers/AccountController.cs +++ b/API/Controllers/AccountController.cs @@ -13,7 +13,6 @@ using API.Interfaces.Services; using API.Services; using AutoMapper; using Kavita.Common; -using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Identity; using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; @@ -79,7 +78,6 @@ namespace API.Controllers /// /// /// - [Authorize(Policy = "RequireAdminRole")] [HttpPost("register")] public async Task> Register(RegisterDto registerDto) { @@ -90,6 +88,17 @@ namespace API.Controllers return BadRequest("Username is taken."); } + // If we are registering an admin account, ensure there are no existing admins or user registering is an admin + if (registerDto.IsAdmin) + { + var firstTimeFlow = !(await _userManager.GetUsersInRoleAsync("Admin")).Any(); + if (!firstTimeFlow && !await _unitOfWork.UserRepository.IsUserAdmin( + await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername()))) + { + return BadRequest("You are not permitted to create an admin account"); + } + } + var user = _mapper.Map(registerDto); user.UserPreferences ??= new AppUserPreferences(); user.ApiKey = HashUtil.ApiKey(); @@ -105,6 +114,7 @@ namespace API.Controllers if (!result.Succeeded) return BadRequest(result.Errors); + var role = registerDto.IsAdmin ? PolicyConstants.AdminRole : PolicyConstants.PlebRole; var roleResult = await _userManager.AddToRoleAsync(user, role); 
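Review bot: The added `if (registerDto.IsAdmin)` block reads the caller with `User.GetUsername()` even though this commit removes `[Authorize(Policy = "RequireAdminRole")]` from `Register`, so unless an attribute outside the hunk still applies, an anonymous request reaches the repository lookup with no authenticated principal. What `GetUsername()` and `IsUserAdmin` do with a missing user is not visible here, so the check should fail closed before the lookup, for example `if (!firstTimeFlow && User.Identity?.IsAuthenticated != true) return Unauthorized();`. The role lookup uses the literal `"Admin"` while the assignment further down uses `PolicyConstants.AdminRole`; `GetUsersInRoleAsync(PolicyConstants.AdminRole)` keeps them aligned, since a mismatch would leave `firstTimeFlow` true on every request. The no-admin check and the later `AddToRoleAsync` are not atomic, so two concurrent first-run registrations could both receive the admin role. Requests with `IsAdmin == false` have no caller check in the visible lines, which is worth a comment stating that open self-registration is intended; `Register`'s body continues outside the hunk.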
diff --git a/Kavita.Common/Kavita.Common.csproj b/Kavita.Common/Kavita.Common.csproj index 0c00c0d36..005b8a5b8 100644 --- a/Kavita.Common/Kavita.Common.csproj +++ b/Kavita.Common/Kavita.Common.csproj @@ -4,7 +4,7 @@ net5.0 kavitareader.com Kavita - 0.4.9.1 + 0.4.9.2 en @@ -18,4 +18,4 @@ - \ No newline at end of file +