From 7f2eaeb02ba847a0ecfd709c68099260ef016b41 Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 13 Jul 2020 19:08:45 -0500
Subject: [PATCH] Fix #4541: Possible to create new user while logged in.

---
 app/policies/user_policy.rb | 2 +-
 test/functional/users_controller_test.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 2814fde68..0c9c0469c 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -1,6 +1,6 @@
 class UserPolicy < ApplicationPolicy
 def create?
- !sockpuppet?
+ user.is_anonymous? && !sockpuppet?
 end
 
 def update?
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 027d22ba8..c342a98a0 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -165,6 +165,11 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 assert_no_enqueued_emails
 end
 
+ should "not allow logged in users to create a new account" do
+ post_auth users_path, @user, params: { user: { name: "xxx", password: "xxxxx1", password_confirmation: "xxxxx1" }}
+ assert_response 403
+ end
+
 should "create a user with a valid email" do
 post users_path, params: { user: { name: "xxx", password: "xxxxx1", password_confirmation: "xxxxx1", email: "webmaster@danbooru.donmai.us" }}
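Review bot: In `app/policies/user_policy.rb`, `create?` now joins two unrelated denial reasons on one line with nothing saying why a logged-in user is refused, so a later cleanup could drop `user.is_anonymous?` as redundant and reopen #4541. I would add a comment above the method, `# Signup is for logged-out visitors only (#4541); sockpuppet? is checked separately.` The class continues outside the hunk, so it is not visible whether `new?` delegates to `create?`; if it does not, the signup form would still render for logged-in users while the POST returns 403, and the same guard belongs there. The added test pins the 403 for the `create` request only.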