From 411549d09707b129d93a200c3688ad9228dc903a Mon Sep 17 00:00:00 2001
From: Marcin-Ramotowski
Date: Sat, 15 Mar 2025 16:27:17 +0000
Subject: [PATCH] Only admin can create admin accounts

---
 api/user_views.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/api/user_views.py b/api/user_views.py
index 07c3b2e..6be00ca 100644
--- a/api/user_views.py
+++ b/api/user_views.py
@@ -30,7 +30,14 @@ def get_user(user_id):
 @user_bp.route('/users', methods=['POST'])
 def create_user():
     data = request.get_json()
-    user = User(username=data['username'], email=data['email'], password=data['password'])
+    new_user_role = data['role']
+    # Only administrator can create admin accounts
+    if new_user_role == "Administrator":
+        logged_user_id = int(get_jwt_identity())
+        logged_user_role = User.query.get(logged_user_id).role
+        if logged_user_role != "Administrator":
+            return jsonify({'error': f'You can not create admin users.'}), 403
+    user = User(username=data['username'], email=data['email'], password=data['password'], role=new_user_role)
     db.session.add(user)
     db.session.commit()
     return jsonify(user.to_dict()), 201
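Review bot: The gate at `if new_user_role == "Administrator":` is an exact-string comparison on a client-supplied value, and `data['role']` is then stored unvalidated, so any other string ("administrator", "Admin", a typo, or a role name not shown here) becomes the new account's role without any authentication; whether that grants privileges depends on how `role` is consumed elsewhere, which this hunk does not show, but an allowlist of known roles with a non-privileged default closes the question. `get_jwt_identity()` is also called on a route with no visible `@jwt_required()` decorator, so under flask-jwt-extended semantics an anonymous request asking for an admin account reaches `int(None)` and fails with a 500 instead of a 401/403, and `User.query.get(logged_user_id)` can return `None` for a token whose subject was deleted, which raises on `.role`. Making `role` mandatory via `data['role']` is additionally a breaking change for callers of the old signature (a missing key is now a 500 KeyError rather than the model default), and the f-string on the 403 line has no placeholders and should be a plain string. The sketch below assumes `verify_jwt_in_request` from the same library as `get_jwt_identity` and an `ALLOWED_ROLES` constant holding the project's real role names — both to confirm against the rest of the file.

```python
    # … unchanged: route decorator, data = request.get_json() …
    new_user_role = data.get('role', 'User')  # default is a guess — use the project's non-privileged role
    if new_user_role not in ALLOWED_ROLES:     # reject unknown/misspelled roles instead of persisting them
        return jsonify({'error': 'Invalid role.'}), 400
    # Only administrator can create admin accounts
    if new_user_role == "Administrator":
        verify_jwt_in_request()                # 401 for anonymous callers instead of int(None) -> 500
        logged_user = User.query.get(int(get_jwt_identity()))
        if logged_user is None or logged_user.role != "Administrator":
            return jsonify({'error': 'You can not create admin users.'}), 403
    # … unchanged: User(...) construction, add/commit, 201 response …
```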