Roundup Tracker - Issues

Message2354

Author stefan
Recipients
Date 2006-11-24.22:26:35
Message-id
In-reply-to
Roundup's self-registration logic seems to have a bug.

In particular, the way the mechanism works is that:

1. The user submits their registration form, which fires RegisterAction.

2. RegisterAction creates a temporary entry in the database (using "one-time keys") that represents the user ID.  A URL is sent to the user's email address.

3. When the user visits the URL, the user record is created *by the admin user*.  This is true even though Roundup requires that the anonymous user have the "Create user" permission for self-registration.

Note that this means that an auditor for users cannot distinguish an administrative creation of a user from self-registration.  This might well result in auditors being too generous, in that they might permit users to register with invalid settings of fields that would be permitted for administrators, but not for ordinary users.

History
Date User Action Args
2009-02-03 14:21:57 admin link issue1602497 messages
2009-02-03 14:21:57 admin create
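The flow described in the message above, as an added toy model (not Roundup's code and not part of the original report): an auditor that looks only at the acting user accepts an admin-only field submitted through self-registration, while one that also receives an origin marker rejects it. The `ToyDB` class, the `quota` field, the `origin` argument and all sample values are constructed for illustration; the origin marker is an assumed mitigation, not something the report proposes.

```python
# Toy model (not Roundup code) of the registration flow in the report.
class Reject(Exception):
    """Raised by an auditor to veto a change."""

class ToyDB:
    def __init__(self):
        self.current_user = "anonymous"
        self.otks = {}       # one-time key -> pending registration properties
        self.users = {}      # username -> stored properties
        self.auditors = []

    def create_user(self, props, origin=None):
        for audit in self.auditors:
            audit(self, props, origin)
        self.users[props["username"]] = dict(props)

def actor_only_auditor(db, props, origin):
    # Trusts the acting user alone: only admin may set 'quota'.
    if "quota" in props and db.current_user != "admin":
        raise Reject("quota is admin-only")

def origin_aware_auditor(db, props, origin):
    # Also treats creations flagged as self-registration as untrusted.
    untrusted = db.current_user != "admin" or origin == "self-registration"
    if "quota" in props and untrusted:
        raise Reject("quota is admin-only")

def register(db, otk, props):
    # Step 2: park the submitted form under a one-time key.
    db.otks[otk] = dict(props)

def confirm(db, otk, tag_origin=False):
    # Step 3: the record is created with admin as the acting user.
    props = db.otks.pop(otk)
    previous, db.current_user = db.current_user, "admin"
    try:
        db.create_user(props, "self-registration" if tag_origin else None)
    finally:
        db.current_user = previous

def run(auditor, tag_origin):
    db = ToyDB()
    db.auditors.append(auditor)
    # Constructed sample registration form.
    register(db, "otk-1", {"username": "newuser", "quota": "unlimited"})
    try:
        confirm(db, "otk-1", tag_origin)
    except Reject:
        return "rejected"
    return "created"
```
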