From ccec6c37b4ed51b4faa81350dc09467c8283d0db Mon Sep 17 00:00:00 2001
From: Thomas M Steenholdt
Date: Wed, 6 Jun 2018 09:14:48 -0200
Subject: [PATCH] Restrict certain admin changes on the current user

Disable the admin toggle and delete operations from the current user, to avoid accidents.

(cherry picked from commit b0f5ac6df5d31f612dc833a88cfca8936c4137d7)
---
 app/templates/admin_manageuser.html | 4 ++--
 app/views.py | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/templates/admin_manageuser.html b/app/templates/admin_manageuser.html
index 745e08a..03545bb 100644
--- a/app/templates/admin_manageuser.html
+++ b/app/templates/admin_manageuser.html
@@ -47,7 +47,7 @@ {{ user.lastname }} {{ user.email }} - + -
diff --git a/app/views.py b/app/views.py
index 1c65ca1..e453f6c 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1098,6 +1098,8 @@ def admin_manageuser():
 data = jdata['data']
 if jdata['action'] == 'delete_user':
+ if username == current_user.username:
+ return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot delete yourself.' } ), 400)
 user = User(username=data)
 result = user.delete()
 if result:
@@ -1119,6 +1121,8 @@ def admin_manageuser():
 elif jdata['action'] == 'set_admin':
 username = data['username']
+ if username == current_user.username:
+ return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot change you own admin rights.' } ), 400)
 is_admin = data['is_admin']
 user = User(username=username)
 result = user.set_admin(is_admin)
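Review bot: The self-delete guard added in the delete_user branch compares `username`, but in that branch the target account arrives as `data` (`User(username=data)` two lines below); `username` is only assigned in the set_admin branch later in the function, so unless it is bound earlier in admin_manageuser (the function starts before this hunk) this line raises UnboundLocalError and every delete request fails with a 500 rather than being checked. Compare the value that is actually used to build the user: `if data == current_user.username:`. Note that this check only prevents accidents, as the commit message says — it does not stop one admin from deleting or demoting another admin, so it must not be treated as an authorization control.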
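Review bot: The error message added in the set_admin branch has a typo, "change you own admin rights"; it should read `'msg': 'You cannot change your own admin rights.'`. The comparison itself is placed correctly, right after `username = data['username']`, so the client-supplied name is checked against the session user before `User(username=username)` is constructed. admin_manageuser continues outside this hunk.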