From bc947a14aeefcb10a6c095ebb95c070e90fe932b Mon Sep 17 00:00:00 2001
From: ReAnzu
Date: Fri, 23 Feb 2018 22:05:58 -0600
Subject: [PATCH] Working on adding functionality for administrators to directly add users to the application
---
 .../controllers/top_navigation_controller.js | 6 ++-
 .../user_registration_controller.js | 3 +-
 server/szurubooru/api/user_api.py | 39 +++++++++++--------
 .../tests/api/test_user_creating.py | 2 +-
 4 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/client/js/controllers/top_navigation_controller.js b/client/js/controllers/top_navigation_controller.js
index b1de03ec..550400cf 100644
--- a/client/js/controllers/top_navigation_controller.js
+++ b/client/js/controllers/top_navigation_controller.js
@@ -47,10 +47,12 @@ class TopNavigationController {
 topNavigation.hide('users');
 }
 if (api.isLoggedIn()) {
- topNavigation.hide('register');
+ if (!api.hasPrivilege('users:create:any')) {
+ topNavigation.hide('register');
+ }
 topNavigation.hide('login');
 } else {
- if (!api.hasPrivilege('users:create')) {
+ if (!api.hasPrivilege('users:create:self')) {
 topNavigation.hide('register');
 }
 topNavigation.hide('account');
diff --git a/client/js/controllers/user_registration_controller.js b/client/js/controllers/user_registration_controller.js
index 7d822380..cc224ced 100644
--- a/client/js/controllers/user_registration_controller.js
+++ b/client/js/controllers/user_registration_controller.js
@@ -10,7 +10,7 @@ const EmptyView = require('../views/empty_view.js');
 class UserRegistrationController {
 constructor() {
- if (!api.hasPrivilege('users:create')) {
+ if (!api.hasPrivilege('users:create:self')) {
 this._view = new EmptyView();
 this._view.showError('Registration is closed.');
 return;
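Review bot: The constructor gates the form on `users:create:self` only, while the navigation change in top_navigation_controller.js shows the Register link to a logged-in user who holds `users:create:any`, and the server checks `users:create:any` for authenticated callers. If an installation restricts `users:create:self` so that no logged-in rank holds it, an administrator would follow the link and get 'Registration is closed.' even though the API would accept the request. Choosing the privilege by session state keeps the three checks aligned: `const needed = api.isLoggedIn() ? 'users:create:any' : 'users:create:self';` followed by `if (!api.hasPrivilege(needed)) {`. These client checks only control what the UI displays; the enforcement is the server-side `auth.verify_privilege` call. The constructor body continues outside the hunk.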
@@ -30,6 +30,7 @@ class UserRegistrationController {
 user.email = e.detail.email;
 user.password = e.detail.password;
 user.save().then(() => {
+ // TODO: Support the flow where an admin creates a user. Don't log them out...
 api.forget();
 return api.login(e.detail.name, e.detail.password, false);
 }).then(() => {
diff --git a/server/szurubooru/api/user_api.py b/server/szurubooru/api/user_api.py
index 782a9e95..95d8e4fe 100644
--- a/server/szurubooru/api/user_api.py
+++ b/server/szurubooru/api/user_api.py
@@ -26,24 +26,29 @@ def get_users(
 @rest.routes.post('/users/?')
 def create_user(
 ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
- if config.config['registration_enabled']:
- auth.verify_privilege(ctx.user, 'users:create')
- name = ctx.get_param_as_string('name')
- password = ctx.get_param_as_string('password')
- email = ctx.get_param_as_string('email', default='')
- user = users.create_user(name, password, email)
- if ctx.has_param('rank'):
- users.update_user_rank(user, ctx.get_param_as_string('rank'), ctx.user)
- if ctx.has_param('avatarStyle'):
- users.update_user_avatar(
- user,
- ctx.get_param_as_string('avatarStyle'),
- ctx.get_file('avatar', default=b''))
- ctx.session.add(user)
- ctx.session.commit()
- return _serialize(ctx, user, force_show_email=True)
+ if ctx.user.user_id is None:
+ auth.verify_privilege(ctx.user, 'users:create:self')
 else:
- raise errors.ValidationError('User Registration Disabled')
+ auth.verify_privilege(ctx.user, 'users:create:any')
+
+ name = ctx.get_param_as_string('name')
+ password = ctx.get_param_as_string('password')
+ email = ctx.get_param_as_string('email', default='')
+ user = users.create_user(name, password, email)
+ if ctx.has_param('rank'):
+ users.update_user_rank(user, ctx.get_param_as_string('rank'), ctx.user)
+ if ctx.has_param('avatarStyle'):
+ users.update_user_avatar(
+ user,
+ ctx.get_param_as_string('avatarStyle'),
+ ctx.get_file('avatar', default=b''))
+ ctx.session.add(user)
+ ctx.session.commit()
+
+ if ctx.user.user_id is not None:
+ user = ctx.user
+
+ return _serialize(ctx, user, force_show_email=True)
 @rest.routes.get('/user/(?P[^/]+)/?')
diff --git a/server/szurubooru/tests/api/test_user_creating.py b/server/szurubooru/tests/api/test_user_creating.py
index b5f36e39..699bfefb 100644
--- a/server/szurubooru/tests/api/test_user_creating.py
+++ b/server/szurubooru/tests/api/test_user_creating.py
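Review bot: For an authenticated caller, `if ctx.user.user_id is not None: user = ctx.user` makes `create_user` serialize the caller's own record (with `force_show_email=True`) instead of the account that was just created, so an API client gets no confirmation of what was created; I would drop those two lines and let the client decide whether to switch sessions. The `config.config['registration_enabled']` gate is removed without a replacement, so whether anonymous sign-up is open now depends only on how `users:create:self` is configured. An installation that relied on the old flag should be checked so that it does not fail open after the upgrade; the config defaults are not visible in this patch. The `rank` parameter is still read from the request on the anonymous path, and whether `users.update_user_rank` caps it against `ctx.user` cannot be seen from this hunk. A one-line docstring such as `"""Create a user; anonymous callers need users:create:self, authenticated callers need users:create:any."""` would record the new rule.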
@@ -6,7 +6,7 @@ from szurubooru.func import users
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
- config_injector({'privileges': {'users:create': 'regular'}})
+ config_injector({'privileges': {'users:create:self': 'regular'}})
 def test_creating_user(user_factory, context_factory, fake_datetime):
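Review bot: The fixture grants only `users:create:self`, so as far as this hunk shows nothing exercises the new `users:create:any` branch or the changed response for authenticated callers. I would inject `'users:create:any'` with a higher rank than `'regular'` and cover three cases: an anonymous caller without `users:create:self` is rejected, a logged-in caller below the `users:create:any` rank is rejected, and a caller at that rank can create an account. The branch in `create_user` keys on `ctx.user.user_id is None`, so those tests need a caller whose `user_id` is set in order to reach the authenticated path. The test functions themselves lie outside the hunk.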