From 26377b543d8b1cc4f3c0c60300d49fcbb2dcfa13 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Sun, 3 Aug 2025 23:14:59 +0200
Subject: Fix create user bugs (#7783)

* Fix registration regression due to #7753
* Add missing access check
---
 app/Controllers/userController.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'app')

diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index c4c3c00a8..0acdc65c7 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -365,7 +365,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 Minz_Error::error(403);
 }
 
- if (self::reauthRedirect()) {
+ if (FreshRSS_Auth::hasAccess('admin') && self::reauthRedirect()) {
 return;
 }
 
@@ -422,10 +422,15 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 );
 }
 
+ $is_admin = false;
+ if (FreshRSS_Auth::hasAccess('admin')) {
+ $is_admin = Minz_Request::paramBoolean('new_user_is_admin');
+ }
+
 $ok = self::createUser($new_user_name, $email, $passwordPlain, [
 'language' => Minz_Request::paramString('new_user_language') ?: FreshRSS_Context::userConf()->language,
 'timezone' => Minz_Request::paramString('new_user_timezone'),
- 'is_admin' => Minz_Request::paramBoolean('new_user_is_admin'),
+ 'is_admin' => $is_admin,
 'enabled' => true,
 ]);
 Minz_Request::_param('new_user_passwordPlain'); //Discard plain-text password ASAP
-- 
cgit v1.2.3
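Review bot: The new guard in the first hunk, `if (FreshRSS_Auth::hasAccess('admin') && self::reauthRedirect())`, has no comment saying why non-admin requests skip re-authentication, so a later cleanup could easily restore the unconditional call and reintroduce the registration regression. I would add a line above it such as `// Re-authentication applies only to a logged-in admin; self-registration requests skip it (regression from #7753)`. The enclosing method starts and ends outside the hunk, so whether a logged-in non-admin can reach this point, and whether that path should still re-authenticate, cannot be judged from the visible lines.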
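Review bot: In the second hunk the request-supplied `new_user_is_admin` flag is gated only at this call site, while `self::createUser()` still takes `'is_admin'` from its caller as given; any other caller that forwards request data would need the same check, and whether such callers exist is not visible here. A short comment on the new block would record the intent, e.g. `// Only an existing admin may grant admin rights; the flag is ignored on self-registration`. The added lines can also be written as `$is_admin = FreshRSS_Auth::hasAccess('admin') && Minz_Request::paramBoolean('new_user_is_admin');`, which keeps the access check and the parameter read in one expression. A regression test that submits `new_user_is_admin=1` without an admin session and asserts the created account is not an administrator would pin this fix. The enclosing method starts and ends outside the hunk.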