Working on adding functionality for administrators to directly add users to the application

client/js/controllers/top_navigation_controller.js

@@ -47,10 +47,12 @@ class TopNavigationController {
             topNavigation.hide('users');
         }
         if (api.isLoggedIn()) {
-            topNavigation.hide('register');
+            if (!api.hasPrivilege('users:create:any')) {
+                topNavigation.hide('register');
+            }
             topNavigation.hide('login');
         } else {
-            if (!api.hasPrivilege('users:create')) {
+            if (!api.hasPrivilege('users:create:self')) {
                 topNavigation.hide('register');
             }
             topNavigation.hide('account');

client/js/controllers/user_registration_controller.js

@@ -10,7 +10,7 @@ const EmptyView = require('../views/empty_view.js');
 
 class UserRegistrationController {
     constructor() {
-        if (!api.hasPrivilege('users:create')) {
+        if (!api.hasPrivilege('users:create:self')) {
             this._view = new EmptyView();
             this._view.showError('Registration is closed.');
             return;
@@ -30,6 +30,7 @@ class UserRegistrationController {
         user.email = e.detail.email;
         user.password = e.detail.password;
         user.save().then(() => {
+            // TODO: Support the flow where an admin creates a user. Don't log them out...
             api.forget();
             return api.login(e.detail.name, e.detail.password, false);
         }).then(() => {

server/szurubooru/api/user_api.py

@@ -26,24 +26,29 @@ def get_users(
 @rest.routes.post('/users/?')
 def create_user(
         ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
-    if config.config['registration_enabled']:
+    if ctx.user.user_id is None:
-        auth.verify_privilege(ctx.user, 'users:create')
+        auth.verify_privilege(ctx.user, 'users:create:self')
-        name = ctx.get_param_as_string('name')
-        password = ctx.get_param_as_string('password')
-        email = ctx.get_param_as_string('email', default='')
-        user = users.create_user(name, password, email)
-        if ctx.has_param('rank'):
-            users.update_user_rank(user, ctx.get_param_as_string('rank'), ctx.user)
-        if ctx.has_param('avatarStyle'):
-            users.update_user_avatar(
-                user,
-                ctx.get_param_as_string('avatarStyle'),
-                ctx.get_file('avatar', default=b''))
-        ctx.session.add(user)
-        ctx.session.commit()
-        return _serialize(ctx, user, force_show_email=True)
     else:
-        raise errors.ValidationError('User Registration Disabled')
+        auth.verify_privilege(ctx.user, 'users:create:any')
+
+    name = ctx.get_param_as_string('name')
+    password = ctx.get_param_as_string('password')
+    email = ctx.get_param_as_string('email', default='')
+    user = users.create_user(name, password, email)
+    if ctx.has_param('rank'):
+        users.update_user_rank(user, ctx.get_param_as_string('rank'), ctx.user)
+    if ctx.has_param('avatarStyle'):
+        users.update_user_avatar(
+            user,
+            ctx.get_param_as_string('avatarStyle'),
+            ctx.get_file('avatar', default=b''))
+    ctx.session.add(user)
+    ctx.session.commit()
+
+    if ctx.user.user_id is not None:
+        user = ctx.user
+
+    return _serialize(ctx, user, force_show_email=True)
 
 
 @rest.routes.get('/user/(?P<user_name>[^/]+)/?')

server/szurubooru/tests/api/test_user_creating.py

@@ -6,7 +6,7 @@ from szurubooru.func import users
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'users:create': 'regular'}})
+    config_injector({'privileges': {'users:create:self': 'regular'}})
 
 
 def test_creating_user(user_factory, context_factory, fake_datetime):