diff --git a/packages/backend/src/core/SignupService.ts b/packages/backend/src/core/SignupService.ts index 7250d1c24d..78b97401fd 100644 --- a/packages/backend/src/core/SignupService.ts +++ b/packages/backend/src/core/SignupService.ts @@ -55,6 +55,7 @@ export class SignupService { host?: string | null; reason?: string | null; ignorePreservedUsernames?: boolean; + approved?: boolean; }) { const { username, password, passwordHash, host, reason } = opts; let hash = passwordHash; @@ -115,9 +116,6 @@ export class SignupService { )); let account!: MiUser; - let defaultApproval = false; - - if (!this.meta.approvalRequiredForSignup) defaultApproval = true; // Start transaction await this.db.transaction(async transactionalEntityManager => { @@ -135,7 +133,7 @@ export class SignupService { host: this.utilityService.toPunyNullable(host), token: secret, isRoot: isTheFirstUser, - approved: defaultApproval, + approved: opts.approved ?? !this.meta.approvalRequiredForSignup, signupReason: reason, })); diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts index a7e8a3b018..3cb4029780 100644 --- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts +++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts @@ -3,16 +3,15 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { Inject, Injectable } from '@nestjs/common'; -import { IsNull } from 'typeorm'; +import { Injectable } from '@nestjs/common'; import { Endpoint } from '@/server/api/endpoint-base.js'; -import type { UsersRepository } from '@/models/_.js'; +import { MiUser } from '@/models/_.js'; import { SignupService } from '@/core/SignupService.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { InstanceActorService } from '@/core/InstanceActorService.js'; import { localUsernameSchema, passwordSchema } from '@/models/User.js'; -import { DI } from '@/di-symbols.js'; import { Packed } from '@/misc/json-schema.js'; +import { RoleService } from '@/core/RoleService.js'; export const meta = { tags: ['admin'], @@ -42,22 +41,21 @@ export const paramDef = { @Injectable() export default class extends Endpoint { // eslint-disable-line import/no-default-export constructor( - @Inject(DI.usersRepository) - private usersRepository: UsersRepository, - + private roleService: RoleService, private userEntityService: UserEntityService, private signupService: SignupService, private instanceActorService: InstanceActorService, ) { - super(meta, paramDef, async (ps, _me, token) => { - const me = _me ? await this.usersRepository.findOneByOrFail({ id: _me.id }) : null; - const realUsers = await this.instanceActorService.realLocalUsersPresent(); - if ((realUsers && !me?.isRoot) || token !== null) throw new Error('access denied'); + super(meta, paramDef, async (ps, _me) => { + if (!await this.canCreate(_me)) { + throw new Error('access denied'); + } const { account, secret } = await this.signupService.signup({ username: ps.username, password: ps.password, ignorePreservedUsernames: true, + approved: true, }); const res = await this.userEntityService.pack(account, account, { @@ -70,4 +68,14 @@ export default class extends Endpoint { // eslint- return res; }); } + + private async canCreate(me: MiUser | null): Promise { + // Allow the first user to be created without authentication, as part of normal setup flow + if (!me) { + return !await this.instanceActorService.realLocalUsersPresent(); + } + + // Administrators (including root) can always create users + return await this.roleService.isAdministrator(me); + } }