Fixed a critical bug where registration was broken for first time flow. Refactored how backup before migrations occured such that it now puts the db in temp. The db will be deleted automatically that night. (#900)

API/Controllers/AccountController.cs

@@ -78,7 +78,6 @@ namespace API.Controllers
         /// </summary>
         /// <param name="registerDto"></param>
         /// <returns></returns>
-        [Authorize(Policy = "RequireAdminRole")]
         [HttpPost("register")]
         public async Task<ActionResult<UserDto>> Register(RegisterDto registerDto)
         {
@@ -89,6 +88,17 @@ namespace API.Controllers
                     return BadRequest("Username is taken.");
                 }
 
+                // If we are registering an admin account, ensure there are no existing admins or user registering is an admin
+                if (registerDto.IsAdmin)
+                {
+                    var firstTimeFlow = !(await _userManager.GetUsersInRoleAsync("Admin")).Any();
+                    if (!firstTimeFlow && !await _unitOfWork.UserRepository.IsUserAdminAsync(
+                            await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername())))
+                    {
+                        return BadRequest("You are not permitted to create an admin account");
+                    }
+                }
+
                 var user = _mapper.Map<AppUser>(registerDto);
                 user.UserPreferences ??= new AppUserPreferences();
                 user.ApiKey = HashUtil.ApiKey();
@@ -104,6 +114,7 @@ namespace API.Controllers
 
                 if (!result.Succeeded) return BadRequest(result.Errors);
 
+
                 var role = registerDto.IsAdmin ? PolicyConstants.AdminRole : PolicyConstants.PlebRole;
                 var roleResult = await _userManager.AddToRoleAsync(user, role);
 
@@ -156,7 +167,7 @@ namespace API.Controllers
 
             if (user == null) return Unauthorized("Invalid username");
 
-            var isAdmin = await _unitOfWork.UserRepository.IsUserAdmin(user);
+            var isAdmin = await _unitOfWork.UserRepository.IsUserAdminAsync(user);
             var settings = await _unitOfWork.SettingsRepository.GetSettingsDtoAsync();
             if (!settings.EnableAuthentication && !isAdmin)
             {