From b7fb379984fba66a927092ad472e0a7a708bdd9a Mon Sep 17 00:00:00 2001
From: "Manuel Weiser (aider)"
Date: Mon, 2 Sep 2024 11:09:26 +0200
Subject: [PATCH] fix: restrict user creation to admin users only
---
 game_collection/user_management.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/game_collection/user_management.py b/game_collection/user_management.py
index e00cf13..44e861e 100644
--- a/game_collection/user_management.py
+++ b/game_collection/user_management.py
@@ -36,6 +36,8 @@ def before_request():
 @user_bp.route('/users', methods=['POST'])
 def create_user():
+ if not authenticate() or g.user.role != 'admin':
+ return jsonify({'message': 'Unauthorized access! Only admins can create users.'}), 401
 data = request.json
 hashed_password = generate_password_hash(data['password'])
 new_user = User(
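Review bot: The added guard at the top of `create_user` returns 401 for two different conditions: a failed `authenticate()` and an authenticated caller whose `g.user.role` is not `'admin'`. The second is an authorization failure and should be a 403, so that clients and access logs can tell missing or invalid credentials apart from a logged-in non-admin hitting an admin-only endpoint. Split the condition into `if not authenticate():` returning 401 and `if g.user.role != 'admin':` returning 403. The check also relies on `authenticate()` having set `g.user` whenever it returns a truthy value, which this hunk does not show; if that is not guaranteed, the role lookup raises and the request ends in a 500 instead of a clean denial. `create_user`'s body continues past the end of the hunk.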