From 2f5a74e34c5e33ed2c46cd1963461678a00b259c Mon Sep 17 00:00:00 2001
From: William Desportes <williamdes@wdes.fr>
Date: Sun, 15 Mar 2026 12:01:33 +0100
Subject: [PATCH] Fix User creation API permission check (#37504)

Fixes #30465

Bug introduced by 3c9d8bc931799f9cbf7e04d6cedcf1a3bff44ab8
And still present in the change 7b54824d49f53df651860ae91e768d64170e5c6a
See: https://github.com/Dolibarr/dolibarr/commit/7b54824d49f53df651860ae91e768d64170e5c6a#diff-64e82e2f84fc5a1af766e17f0e533221c48231c6bbe3f342af899ee6854748fb
---
 htdocs/user/class/api_users.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php
index 627e486ee51..2adbd3f4058 100644
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@@ -306,7 +306,7 @@ class Users extends DolibarrApi
 	public function post($request_data = null)
 	{
 		// Check user authorization
-		if (!DolibarrApiAccess::$user->hasRight('user', 'creer') && empty(DolibarrApiAccess::$user->admin)) {
+		if (!DolibarrApiAccess::$user->hasRight('user', 'user', 'creer') && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(403, "User creation not allowed for login ".DolibarrApiAccess::$user->login);
 		}