Diffstat (limited to 'src/api/routes/auth')
| -rw-r--r-- | src/api/routes/auth/registerPOST.js | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/api/routes/auth/registerPOST.js b/src/api/routes/auth/registerPOST.js
index 1cf3630..54e683e 100644
--- a/src/api/routes/auth/registerPOST.js
+++ b/src/api/routes/auth/registerPOST.js
@@ -2,6 +2,7 @@ const bcrypt = require('bcrypt');
 const moment = require('moment');
 const Route = require('../../structures/Route');
 const log = require('../../utils/Log');
+const Util = require('../../utils/Util');
 
 class registerPOST extends Route {
 constructor() {
@@ -9,7 +10,10 @@ class registerPOST extends Route {
 }
 
 async run(req, res, db) {
- if (process.env.USER_ACCOUNTS === 'false') return res.status(401).json({ message: 'Creation of new accounts is currently disabled' });
+ // Only allow admins to create new accounts if the sign up is deactivated
+ const user = await Util.isAuthorized(req);
+ if ((!user || !user.isAdmin) && process.env.USER_ACCOUNTS === 'false') return res.status(401).json({ message: 'Creation of new accounts is currently disabled' });
+
 if (!req.body) return res.status(400).json({ message: 'No body provided' });
 const { username, password } = req.body;
 if (!username || !password) return res.status(401).json({ message: 'Invalid body provided' });
@@ -24,8 +28,8 @@ class registerPOST extends Route {
 /*
 Make sure the username doesn't exist yet
 */
- const user = await db.table('users').where('username', username).first();
- if (user) return res.status(401).json({ message: 'Username already exists' });
+ const exists = await db.table('users').where('username', username).first();
+ if (exists) return res.status(401).json({ message: 'Username already exists' });
 
 /*
 Hash the supplied password |
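Review bot: In the second hunk, `Util.isAuthorized(req)` is awaited on every registration request, before the `USER_ACCOUNTS` check, so the open sign-up path now depends on how that helper treats a missing or invalid token. Its body is not part of this diff; if it throws or writes a response itself for unauthenticated callers, anonymous registration would fail or answer twice. Resolving the caller only when sign-up is disabled keeps the public path unchanged and leaves the existing `if` as it is: `const user = process.env.USER_ACCOUNTS === 'false' ? await Util.isAuthorized(req) : null;`. Since `user.isAdmin` is now the only gate on creating accounts while sign-up is off, it is worth confirming in `Util` that the flag is read from the stored user record rather than from a token claim. The body of `run()` continues outside the hunk.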