1 files changed, 23 insertions, 1 deletions

diff --git a/models/users.js b/models/users.js
index c2238cde..3d4ff935 100644
--- a/models/users.js
+++ b/models/users.js
@@ -108,6 +108,10 @@ Users.attachSchema(new SimpleSchema({
     type: Boolean,
     optional: true,
   },
+  createdThroughApi: {
+    type: Boolean,
+    optional: true,
+  },
 }));
 
 // Search a user in the complete server database by its name or username. This
@@ -435,6 +439,12 @@ if (Meteor.isServer) {
       user.isAdmin = true;
       return user;
     }
+
+    if (options.from === 'admin') {
+      user.createdThroughApi = true;
+      return user;
+    }
+
     const disableRegistration = Settings.findOne().disableRegistration;
     if (!disableRegistration) {
       return user;
@@ -524,6 +534,17 @@ if (Meteor.isServer) {
 
   Users.after.insert((userId, doc) => {
 
+    if (doc.createdThroughApi) {
+      // The admin user should be able to create a user despite disabling registration because
+      // it is two different things (registration and creation).
+      // So, when a new user is created via the api (only admin user can do that) one must avoid
+      // the disableRegistration check.
+      // Issue : https://github.com/wekan/wekan/issues/1232
+      // PR    : https://github.com/wekan/wekan/pull/1251
+      Users.update(doc._id, { $set: { createdThroughApi: '' } });
+      return;
+    }
+
     //invite user to corresponding boards
     const disableRegistration = Settings.findOne().disableRegistration;
     if (disableRegistration) {
@@ -581,7 +602,8 @@ if (Meteor.isServer) {
     const id = Accounts.createUser({
       username: req.body.username,
       email: req.body.email,
-      password: 'default',
+      password: req.body.password,
+      from: 'admin',
     });
 
     JsonRoutes.sendResult(res, {