From 2ac638fc261a9066b5a909dc97f2bd9986516100 Mon Sep 17 00:00:00 2001
From: Mel O'Hagan
Date: Tue, 29 Nov 2022 11:36:24 +0000
Subject: [PATCH] Only allow admin to create new user

---
 packages/worker/src/api/controllers/global/users.ts | 4 ++++
 packages/worker/src/api/routes/global/users.js | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts
index ea1df5b45a..d76c1741a3 100644
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@@ -23,6 +23,10 @@ const MAX_USERS_UPLOAD_LIMIT = 1000
 
 export const save = async (ctx: any) => {
   try {
+    if (!ctx.request.body._id && !ctx.internal &&
+      (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
+      ctx.throw(403, "Only admin user can create new user.")
+    }
     ctx.body = await sdk.users.save(ctx.request.body)
   } catch (err: any) {
     ctx.throw(err.status || 400, err)
diff --git a/packages/worker/src/api/routes/global/users.js b/packages/worker/src/api/routes/global/users.js
index 99c2f52c6f..7740276dee 100644
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@@ -57,14 +57,14 @@ router
   )
   .post(
     "/api/global/users/bulk",
-    builderOrAdmin,
+    adminOnly,
     users.buildUserBulkUserValidation(),
     controller.bulkUpdate
   )
   .get("/api/global/users", builderOrAdmin, controller.fetch)
   .post("/api/global/users/search", builderOrAdmin, controller.search)
-  .delete("/api/global/users/:id", builderOrAdmin, controller.destroy)
+  .delete("/api/global/users/:id", adminOnly, controller.destroy)
   .get("/api/global/users/count/:appId", builderOrAdmin, controller.countByApp)
   .get("/api/global/roles/:appId")
   .post(
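Review bot: The new guard in `save` decides create-versus-update from `ctx.request.body._id`, a client-supplied field, so a non-admin caller who includes any `_id` (including one that does not exist) skips the 403 and reaches `sdk.users.save` unchecked; whether that then creates a user depends on how `sdk.users.save` treats an unknown `_id`, which is not visible in this hunk. Since the route feeding this controller is presumably still open to builders (the sibling hunk tightens only the bulk and delete routes and leaves `builderOrAdmin` on fetch and search), this `_id` heuristic is the only thing between a builder and user creation. Resolve the existing user from the store before treating the request as an update — look the supplied `_id` up and fall back to the create branch, and thus the admin check, when nothing is found — or have `sdk.users.save` enforce the admin requirement itself so it cannot be bypassed by request shape. A one-line comment on the intent would also help the next reader: `// only global admins may create users; builders may only update existing ones`. The body of `save` closes outside the hunk.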