fix: signup handler shouldn't create admins

2026-03-14 08:23:10 +01:00
parent 4bd7d69c82
commit a63573b67e
1 changed files with 4 additions and 0 deletions
--- a/http/auth.go
+++ b/http/auth.go
@@ -167,6 +167,10 @@ var signupHandler = func(_ http.ResponseWriter, r *http.Request, d *data) (int,

 	d.settings.Defaults.Apply(user)

+	// Users signed up via the signup handler should never become admins, even
+	// if that is the default permission.
+	user.Perm.Admin = false
+
 	pwd, err := users.ValidateAndHashPwd(info.Password, d.settings.MinimumPasswordLength)
 	if err != nil {
 		return http.StatusBadRequest, err