From a6d8c833e61365b244075cccf034b3c14c1e2a7b Mon Sep 17 00:00:00 2001
From: Joseph Milazzo
Date: Wed, 5 Jan 2022 10:55:00 -0800
Subject: [PATCH] Only admins should be able to create new users (#895)
---
 API/Controllers/AccountController.cs | 2 ++
 UI/Web/src/app/admin/admin-routing.module.ts | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/API/Controllers/AccountController.cs b/API/Controllers/AccountController.cs
index 3c9960402..1ae406b8a 100644
--- a/API/Controllers/AccountController.cs
+++ b/API/Controllers/AccountController.cs
@@ -13,6 +13,7 @@ using API.Interfaces.Services;
 using API.Services;
 using AutoMapper;
 using Kavita.Common;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
@@ -78,6 +79,7 @@ namespace API.Controllers
 ///
 ///
 ///
+ [Authorize(Policy = "RequireAdminRole")]
 [HttpPost("register")]
 public async Task> Register(RegisterDto registerDto)
 {
diff --git a/UI/Web/src/app/admin/admin-routing.module.ts b/UI/Web/src/app/admin/admin-routing.module.ts
index a29927171..ad55b01d4 100644
--- a/UI/Web/src/app/admin/admin-routing.module.ts
+++ b/UI/Web/src/app/admin/admin-routing.module.ts
@@ -4,7 +4,7 @@ import { AdminGuard } from '../_guards/admin.guard'; import { DashboardComponent } from './dashboard/dashboard.component'; const routes: Routes = [
- {path: '**', component: DashboardComponent, pathMatch: 'full'},
+ {path: '**', component: DashboardComponent, pathMatch: 'full', canActivate: [AdminGuard]},
 {
 runGuardsAndResolvers: 'always',
 canActivate: [AdminGuard],
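Review bot: Nothing visible in this hunk keeps first-run setup working once `[Authorize(Policy = "RequireAdminRole")]` sits on `Register`: if this endpoint is also how the very first account is created on a fresh install, that call has no admin token and would now be rejected. Register's body lies outside the hunk, so this needs checking against the bootstrap flow before merging. The policy is referenced by a string literal, so confirm it matches the registered policy name exactly. I would also add a line to the XML doc comment above the attribute, such as `/// Requires the caller to hold the admin role.`, and an integration test asserting that an anonymous and a non-admin POST to `register` are refused.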
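Review bot: `canActivate: [AdminGuard]` is now declared twice, on the `**` route and on the parent route right below it, so a route added to this array later can miss the guard again; moving the wildcard entry into the guarded parent's `children` as its last entry would keep the guard in one place. Angular matches routes in array order and `**` matches any URL, so with the wildcard listed first the entries after it may never be reached; the rest of the array is outside the hunk, so confirm the order is intended. The route guard only controls what the browser renders, so every API endpoint the dashboard calls still needs its own server-side admin policy, as the controller change in this commit adds for `register`.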