diff --git a/core/modules/rest/src/Plugin/rest/resource/UserRegistrationResource.php b/core/modules/rest/src/Plugin/rest/resource/UserRegistrationResource.php
index 2612dd7..6899058 100644
--- a/core/modules/rest/src/Plugin/rest/resource/UserRegistrationResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/UserRegistrationResource.php
@@ -105,7 +105,9 @@ public function post(UserInterface $account = NULL) {
 throw new BadRequestHttpException('An ID has been set and only new user accounts can be registered.');
 }
- // The current resource only allows anonymous users to register users.
+ // Only allow anonymous users to register, authenticated users with the
+ // necessary permissions can POST a new user to the "user" REST resource.
+ // @see \Drupal\rest\Plugin\rest\resource\EntityResource
 if (!$this->currentUser->isAnonymous()) {
 throw new AccessDeniedHttpException('Only anonymous users can register users.');
 }
diff --git a/core/modules/rest/src/Tests/RegisterUserTest.php b/core/modules/rest/src/Tests/RegisterUserTest.php
index b39ebc9..f167ea3 100644
--- a/core/modules/rest/src/Tests/RegisterUserTest.php
+++ b/core/modules/rest/src/Tests/RegisterUserTest.php
@@ -71,7 +71,10 @@ public function testRegisterUser() {
 // Create a HAL+JSON version for the user entity we want to create.
 $serialized = $this->container->get('serializer')->serialize($data, 'hal_json');
- // Verify that an authenticated user cannot register a new user.
+ // Verify that an authenticated user cannot register a new user, despite
+ // being granted permission to do so because only anonymous users can
+ // register themselves, authenticated users with the necessary permissions
+ // can POST a new user to the "user" REST resource.
 $user = $this->createUser();
 $this->drupalLogin($user);
 $this->httpRequest('/user/register', 'POST', $serialized, 'application/hal+json');
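Review bot: The anonymous-only gate this comment documents still runs after the ID validation visible at the top of the hunk (and whatever checks precede it), so an authenticated caller is told its payload is malformed before it is told it may not use this resource at all; the usual order is authorization first, so `if (!$this->currentUser->isAnonymous())` belongs ahead of the payload checks. The rewritten comment is also a comma splice; `// Only anonymous users may register through this resource; authenticated users` / `// with the necessary permissions POST new users to the "user" REST resource instead.` keeps the same meaning and the existing `@see` line. `post()` begins before the hunk, so the earlier validations are not visible here.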
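Review bot: The new comment states the authenticated user is "granted permission to do so", but the `$this->createUser()` call directly below passes no permissions, so as visible the test covers only an unprivileged authenticated caller rather than the stronger case the comment describes; either pass the relevant permission to `createUser()` or drop that clause. The sentence also runs on; `// Verify that an authenticated user cannot register via this resource: only` / `// anonymous users may register themselves, while authenticated users with the` / `// necessary permissions POST new users to the "user" REST resource instead.` reads cleaner. The assertion on the response status presumably follows after the hunk, as `testRegisterUser()` continues past it.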