From a63573b67eb302167b4c4f218361a2d0c138deab Mon Sep 17 00:00:00 2001
From: Henrique Dias
Date: Sat, 14 Mar 2026 08:23:10 +0100
Subject: [PATCH] fix: signup handler shouldn't create admins
---
 http/auth.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/http/auth.go b/http/auth.go
index 4eceeafe..d975beae 100644
--- a/http/auth.go
+++ b/http/auth.go
@@ -167,6 +167,10 @@ var signupHandler = func(_ http.ResponseWriter, r *http.Request, d *data) (int,
 d.settings.Defaults.Apply(user)
+ // Users signed up via the signup handler should never become admins, even
+ // if that is the default permission.
+ user.Perm.Admin = false
+
 pwd, err := users.ValidateAndHashPwd(info.Password, d.settings.MinimumPasswordLength)
 if err != nil {
 return http.StatusBadRequest, err
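Review bot: Clearing only `user.Perm.Admin` after `d.settings.Defaults.Apply(user)` leaves every other default on the self-registered account. `Apply` is not visible in this hunk, but if the defaults also grant command execution or a wide scope, a signup still inherits them without any administrator involvement. Consider resetting those in the same place (for example `user.Perm.Execute = false`, if the permission struct carries that field), or widen the comment to say that only the admin flag is constrained and the remaining defaults are intentionally kept. A regression test that enables admin in the defaults, calls the handler and asserts the stored user is not an admin would keep this from regressing. Accounts created through signup before this change keep their admin flag, so the release notes should tell operators to audit existing users. signupHandler's body starts and ends outside the hunk.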