From ccfca65c417a6733379aa4dea2279cd5f0e86be3 Mon Sep 17 00:00:00 2001
From: rockstardev
Date: Wed, 18 Mar 2020 18:55:45 -0500
Subject: [PATCH] Reverting changes to UsersController because of CanCreateUsersViaAPI test
---
 BTCPayServer/Controllers/RestApi/Users/UsersController.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/BTCPayServer/Controllers/RestApi/Users/UsersController.cs b/BTCPayServer/Controllers/RestApi/Users/UsersController.cs
index f1589465a..35493547d 100644
--- a/BTCPayServer/Controllers/RestApi/Users/UsersController.cs
+++ b/BTCPayServer/Controllers/RestApi/Users/UsersController.cs
@@ -90,11 +90,11 @@ namespace BTCPayServer.Controllers.RestApi.Users
                 return Forbid(AuthenticationSchemes.ApiKey);
             }
 
-            // check if we have permission to create users
-            var canCreateUser = (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser.Key))).Succeeded;
-            if (!canCreateUser)
+            if (!isAdmin && policies.LockSubscription)
             {
-                return Forbid(AuthenticationSchemes.ApiKey);
+                // If we are not admin and subscriptions are locked, we need to check the Policies.CanCreateUser.Key permission
+                if (!isAuth || !(await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser.Key))).Succeeded)
+                    return Forbid(AuthenticationSchemes.ApiKey);
             }
 
             var user = new ApplicationUser
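Review bot: On the new side the `Policies.CanCreateUser.Key` authorization is only evaluated inside `if (!isAdmin && policies.LockSubscription)`, so when `LockSubscription` is false a caller that is neither admin nor holding that permission (including, as far as this hunk shows, an unauthenticated caller, since `isAuth` is only consulted inside the same branch) reaches `new ApplicationUser` unchecked. That presumably mirrors the open-registration behaviour of the web form, which the test named in the subject expects, but the hunk does not say so; a comment on the `if` such as `// Open registration: when subscriptions are not locked, anyone (even an API key without CanCreateUser) may create a user` would make the intent auditable and stop the next reader from treating it as an omission. The inner `if (!isAuth || ...) return Forbid(...)` should also carry braces like the rest of the file, `if (!isAuth || !(await ...).Succeeded)` followed by `{ return Forbid(AuthenticationSchemes.ApiKey); }`, to match the surrounding style. `isAdmin`, `isAuth` and `policies` are assigned outside the hunk, and the enclosing action method starts and ends outside it.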