FIX: allow API to create users when invite_only is true

app/controllers/users_controller.rb

@@ -182,7 +182,8 @@ class UsersController < ApplicationController
       render json: {
         success: true,
         active: user.active?,
-        message: activation.message
+        message: activation.message,
+        user_id: user.id
       }
     else
       render json: {
@@ -501,10 +502,14 @@ class UsersController < ApplicationController
     end
 
     def suspicious?(params)
+      return false if current_user && is_api? && current_user.admin?
+
       honeypot_or_challenge_fails?(params) || SiteSetting.invite_only?
     end
 
     def honeypot_or_challenge_fails?(params)
+      return false if is_api?
+
       params[:password_confirmation] != honeypot_value ||
         params[:challenge] != challenge_value.try(:reverse)
     end

spec/integration/invite_only_registration_spec.rb

@@ -0,0 +1,41 @@
+# encoding: UTF-8
+
+require 'spec_helper'
+
+describe 'invite only' do
+
+  describe '#create invite only' do
+    it 'can create user via API' do
+
+      SiteSetting.invite_only = true
+
+      admin = Fabricate(:admin)
+      api_key = Fabricate(:api_key, user: admin)
+
+      xhr :post, '/users',
+        name: 'bob',
+        username: 'bob',
+        password: 'strongpassword',
+        email: 'bob@bob.com',
+        api_key: api_key.key,
+        api_username: admin.username
+
+      user_id = JSON.parse(response.body)["user_id"]
+      user_id.should be > 0
+
+      # activate and approve
+      xhr :put, "/admin/users/#{user_id}/activate",
+          api_key: api_key.key,
+          api_username: admin.username
+
+      xhr :put, "/admin/users/#{user_id}/approve",
+          api_key: api_key.key,
+          api_username: admin.username
+
+      u = User.find(user_id)
+      u.active.should == true
+      u.approved.should == true
+
+    end
+  end
+end