diff -ur roundup-1.4.8.orig/roundup/cgi/actions.py roundup-1.4.8/roundup/cgi/actions.py
--- roundup-1.4.8.orig/roundup/cgi/actions.py 2009-03-17 22:49:57.000000000 +0000
+++ roundup-1.4.8/roundup/cgi/actions.py 2009-06-12 22:16:22.601449566 +0100
@@ -643,11 +643,6 @@
 % str(message))
 return
- # guard against new user creation that would bypass security checks
- for key in props:
- if 'user' in key:
- return
-
 # handle the props - edit or create
 try:
 # when it hits the None element, it'll set self.nodeid
@@ -809,7 +804,7 @@
 class RegisterAction(RegoCommon, EditCommon):
 name = 'register'
- permissionType = 'Create'
+ permissionType = 'Register'
 def handle(self):
 """Attempt to create a new user based on the contents of the form
diff -ur roundup-1.4.8.orig/roundup/cgi/templating.py roundup-1.4.8/roundup/cgi/templating.py
--- roundup-1.4.8.orig/roundup/cgi/templating.py 2009-03-17 22:58:23.000000000 +0000
+++ roundup-1.4.8/roundup/cgi/templating.py 2009-06-12 22:16:22.613452124 +0100
@@ -1268,7 +1268,9 @@
 return self._db.security.hasPermission('Edit', self._client.userid,
 self._classname, self._name, self._nodeid)
 return self._db.security.hasPermission('Create', self._client.userid,
- self._classname, self._name)
+ self._classname, self._name) or \
+ self._db.security.hasPermission('Register', self._client.userid,
+ self._classname, self._name)
 def is_view_ok(self):
 """ Is the user allowed to View the current class?
diff -ur roundup-1.4.8.orig/share/roundup/templates/classic/html/page.html roundup-1.4.8/share/roundup/templates/classic/html/page.html
--- roundup-1.4.8.orig/share/roundup/templates/classic/html/page.html 2009-03-08 21:58:24.000000000 +0000
+++ roundup-1.4.8/share/roundup/templates/classic/html/page.html 2009-06-12 22:20:37.113454739 +0100
@@ -136,7 +136,7 @@ Register
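Review bot: `permissionType = 'Register'` makes RegisterAction depend on a permission that, on this page, is only created in the two template schema.py files; a tracker deployed from an older template keeps its own schema.py, which still grants Anonymous 'Create' on user and defines no 'Register'. For such an instance registration would presumably stop working, and because the earlier hunk in this file (@@ -643) drops the `'user' in key` guard unconditionally, whatever that guard protected is no longer covered while Anonymous still holds 'Create' on user. The change should ship with an upgrade note telling admins to add the `addPermission` call and swap the Anonymous grant, and a comment here such as `# 'Register', not 'Create': Anonymous may sign up but must not hold Create on user`. The RegisterAction body and the edit function around the removed guard both continue outside their hunks, so the remaining permission checks on the create path could not be confirmed from this diff.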
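Review bot: In the templating.py hunk the create branch now also accepts 'Register' for every class and property this wrapper is used with, and nothing in the code says why. On this page 'Register' is defined only for klass="user", so the extra lookup is presumably meant for the registration form alone; a comment above the return such as `# 'Register' counts here so the anonymous registration form renders the user fields as editable` would record that intent. Wrapping the two `hasPermission` calls in parentheses instead of the `or \` continuation would also avoid a fragile trailing backslash. The method's signature and docstring lie outside the hunk, so its documented contract should be checked for a mention of the new permission.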
Lost your login?

diff -ur roundup-1.4.8.orig/share/roundup/templates/classic/schema.py roundup-1.4.8/share/roundup/templates/classic/schema.py
--- roundup-1.4.8.orig/share/roundup/templates/classic/schema.py 2009-03-13 22:30:38.000000000 +0000
+++ roundup-1.4.8/share/roundup/templates/classic/schema.py 2009-06-12 22:19:20.045744084 +0100
@@ -47,6 +47,8 @@
 roles=String(), # comma-separated string of Role names
 timezone=String())
 user.setkey("username")
+db.security.addPermission(name="Register", klass="user",
+ description="User is allowed to register new user")
 # FileClass automatically gets this property in addition to the Class ones:
 # content = String() [saved to disk in /db/files/]
@@ -154,7 +156,7 @@
 # Assign the appropriate permissions to the anonymous user's Anonymous
 # Role. Choices here are:
 # - Allow anonymous users to register
-db.security.addPermissionToRole('Anonymous', 'Create', 'user')
+db.security.addPermissionToRole('Anonymous', 'Register', 'user')
 # Allow anonymous users access to view issues (and the related, linked
 # information)
diff -ur roundup-1.4.8.orig/share/roundup/templates/minimal/html/page.html roundup-1.4.8/share/roundup/templates/minimal/html/page.html
--- roundup-1.4.8.orig/share/roundup/templates/minimal/html/page.html 2009-03-08 21:58:24.000000000 +0000
+++ roundup-1.4.8/share/roundup/templates/minimal/html/page.html 2009-06-12 22:25:06.961461937 +0100
@@ -135,7 +135,7 @@ Register
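Review bot: The new `addPermission` call in the @@ -47 hunk defines 'Register' with no comment on how it differs from 'Create', so an admin copying it into an existing tracker's schema.py has only the description string to go on. A comment above the call would help, for example `# 'Register' is what the web register action checks; it lets Anonymous sign up without holding 'Create' on user`. The description itself reads better as `description="User is allowed to register a new user"`. The same applies to the identical hunk in templates/minimal/schema.py.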
Lost your login?

diff -ur roundup-1.4.8.orig/share/roundup/templates/minimal/schema.py roundup-1.4.8/share/roundup/templates/minimal/schema.py
--- roundup-1.4.8.orig/share/roundup/templates/minimal/schema.py 2009-03-08 21:58:24.000000000 +0000
+++ roundup-1.4.8/share/roundup/templates/minimal/schema.py 2009-06-12 22:24:50.001451187 +0100
@@ -15,6 +15,9 @@
 user = Class(db, "user", username=String(), password=Password(),
 address=String(), alternate_addresses=String(), roles=String())
 user.setkey("username")
+db.security.addPermission(name="Register", klass="user",
+ description="User is allowed to register new user")
+
 #
 # TRACKER SECURITY SETTINGS
 #
@@ -60,6 +63,6 @@
 # Assign the appropriate permissions to the anonymous user's
 # Anonymous Role. Choices here are:
 # - Allow anonymous users to register
-db.security.addPermissionToRole('Anonymous', 'Create', 'user')
+db.security.addPermissionToRole('Anonymous', 'Register', 'user')
 # vim: set et sts=4 sw=4 :