Merge pull request #273 from tmuncks/dont-revoke-your-own-rights

Restrict certain admin changes on the current user
2025-09-16 15:22:30 +00:00 · 2018-06-07 08:48:44 +07:00
parent 36bf492cb6 ccec6c37b4
commit 2c5a98aca4
2 changed files with 6 additions and 2 deletions
--- a/app/views.py
+++ b/app/views.py
@@ -1098,6 +1098,8 @@ def admin_manageuser():
            data = jdata['data']

            if jdata['action'] == 'delete_user':
+                if username == current_user.username:
+                    return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot delete yourself.' } ), 400)
                user = User(username=data)
                result = user.delete()
                if result:
@@ -1119,6 +1121,8 @@ def admin_manageuser():

            elif jdata['action'] == 'set_admin':
                username = data['username']
+                if username == current_user.username:
+                    return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot change you own admin rights.' } ), 400)
                is_admin = data['is_admin']
                user = User(username=username)
                result = user.set_admin(is_admin)