server/users: let administrators add new users

* Added functionality for administrators to directly add users to the
  application
* Added permission users:create:any to handle level that users are
  allowed to create other users
* Moved old permission users:create to users:create:self

client/js/controllers/top_navigation_controller.js

@@ -47,10 +47,12 @@ class TopNavigationController {
             topNavigation.hide('users');
         }
         if (api.isLoggedIn()) {
-            topNavigation.hide('register');
+            if (!api.hasPrivilege('users:create:any')) {
+                topNavigation.hide('register');
+            }
             topNavigation.hide('login');
         } else {
-            if (!api.hasPrivilege('users:create')) {
+            if (!api.hasPrivilege('users:create:self')) {
                 topNavigation.hide('register');
             }
             topNavigation.hide('account');

client/js/controllers/user_registration_controller.js

@@ -10,7 +10,7 @@ const EmptyView = require('../views/empty_view.js');
 
 class UserRegistrationController {
     constructor() {
-        if (!api.hasPrivilege('users:create')) {
+        if (!api.hasPrivilege('users:create:self')) {
             this._view = new EmptyView();
             this._view.showError('Registration is closed.');
             return;
@@ -29,12 +29,22 @@ class UserRegistrationController {
         user.name = e.detail.name;
         user.email = e.detail.email;
         user.password = e.detail.password;
+        const isLoggedIn = api.isLoggedIn();
         user.save().then(() => {
-            api.forget();
+            if (isLoggedIn) {
-            return api.login(e.detail.name, e.detail.password, false);
+                return Promise.resolve();
+            } else {
+                api.forget();
+                return api.login(e.detail.name, e.detail.password, false);
+            }
         }).then(() => {
-            const ctx = router.show(uri.formatClientLink());
+            if (isLoggedIn) {
-            ctx.controller.showSuccess('Welcome aboard!');
+                const ctx = router.show(uri.formatClientLink('users'));
+                ctx.controller.showSuccess('User added!');
+            } else {
+                const ctx = router.show(uri.formatClientLink());
+                ctx.controller.showSuccess('Welcome aboard!');
+            }
         }, error => {
             this._view.showError(error.message);
             this._view.enableForm();

config.yaml.dist

@@ -62,7 +62,8 @@ default_rank: regular
 
 
 privileges:
-    'users:create':                 anonymous
+    'users:create:self':            anonymous # Registration permission
+    'users:create:any':             administrator
     'users:list':                   regular
     'users:view':                   regular
     'users:edit:any:name':          moderator

server/szurubooru/api/user_api.py

@@ -26,7 +26,11 @@ def get_users(
 @rest.routes.post('/users/?')
 def create_user(
         ctx: rest.Context, _params: Dict[str, str] = {}) -> rest.Response:
-    auth.verify_privilege(ctx.user, 'users:create')
+    if ctx.user.user_id is None:
+        auth.verify_privilege(ctx.user, 'users:create:self')
+    else:
+        auth.verify_privilege(ctx.user, 'users:create:any')
+
     name = ctx.get_param_as_string('name')
     password = ctx.get_param_as_string('password')
     email = ctx.get_param_as_string('email', default='')
@@ -40,6 +44,7 @@ def create_user(
             ctx.get_file('avatar', default=b''))
     ctx.session.add(user)
     ctx.session.commit()
+
     return _serialize(ctx, user, force_show_email=True)
 
 

server/szurubooru/tests/api/test_user_creating.py

@@ -6,7 +6,7 @@ from szurubooru.func import users
 
 @pytest.fixture(autouse=True)
 def inject_config(config_injector):
-    config_injector({'privileges': {'users:create': 'regular'}})
+    config_injector({'privileges': {'users:create:self': 'regular'}})
 
 
 def test_creating_user(user_factory, context_factory, fake_datetime):