Restrict certain admin changes on the current user

Disable the admin toggle and delete operations on the current user's own account, to avoid accidents.

(cherry picked from commit b0f5ac6df5d31f612dc833a88cfca8936c4137d7)
This commit is contained in:
Thomas M Steenholdt 2018-06-06 09:14:48 -02:00
parent 0fb6e10cf5
commit ccec6c37b4
2 changed files with 6 additions and 2 deletions


@ -47,7 +47,7 @@
<td>{{ user.lastname }}</td> <td>{{ user.lastname }}</td>
<td>{{ user.email }}</td> <td>{{ user.email }}</td>
<td> <td>
<input type="checkbox" id="{{ user.username }}" class="admin_toggle" {% if user.role.name=='Administrator' %}checked{% endif %}> <input type="checkbox" id="{{ user.username }}" class="admin_toggle" {% if user.role.name=='Administrator' %}checked{% endif %} {% if user.username==current_user.username %}disabled{% endif %}>
</td> </td>
<td width="6%"> <td width="6%">
<button type="button" class="btn btn-flat btn-warning button_revoke" id="{{ user.username }}"> <button type="button" class="btn btn-flat btn-warning button_revoke" id="{{ user.username }}">
@ -55,7 +55,7 @@
</button> </button>
</td> </td>
<td width="6%"> <td width="6%">
<button type="button" class="btn btn-flat btn-danger button_delete" id="{{ user.username }}"> <button type="button" class="btn btn-flat btn-danger button_delete" id="{{ user.username }}" {% if user.username==current_user.username %}disabled{% endif %}>
Delete&nbsp;<i class="fa fa-trash"></i> Delete&nbsp;<i class="fa fa-trash"></i>
</button> </button>
</td> </td>
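Review bot: The `{% if user.username==current_user.username %}disabled{% endif %}` test is repeated verbatim on the checkbox and on the delete button; a row-level `{% set is_self = user.username == current_user.username %}` with `{% if is_self %}disabled{% endif %}` on both controls keeps the two in step if the rule changes. The row's opening tag is outside the hunk, so the `set` would go there. A `disabled` attribute is only a UI hint that a request can bypass, so the server-side check in the second file is the guard that matters; a `title="You cannot change your own account"` on the disabled controls would tell the user why they are greyed out.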


@ -1098,6 +1098,8 @@ def admin_manageuser():
data = jdata['data'] data = jdata['data']
if jdata['action'] == 'delete_user': if jdata['action'] == 'delete_user':
if username == current_user.username:
return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot delete yourself.' } ), 400)
user = User(username=data) user = User(username=data)
result = user.delete() result = user.delete()
if result: if result:
@ -1119,6 +1121,8 @@ def admin_manageuser():
elif jdata['action'] == 'set_admin': elif jdata['action'] == 'set_admin':
username = data['username'] username = data['username']
if username == current_user.username:
return make_response(jsonify( { 'status': 'error', 'msg': 'You cannot change you own admin rights.' } ), 400)
is_admin = data['is_admin'] is_admin = data['is_admin']
user = User(username=username) user = User(username=username)
result = user.set_admin(is_admin) result = user.set_admin(is_admin)
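Review bot: The new self-delete guard in the `delete_user` branch compares `username`, but in that branch the target account is `data` itself (`User(username=data)` on the next line), and `username` is only assigned further down in the `set_admin` branch, so unless it is set earlier in `admin_manageuser`, outside the hunk, the reference hits a local before assignment (UnboundLocalError) or compares a stale value and never blocks the request. The check should be `if data == current_user.username:`, or be moved after the `User(...)` line as `if user.username == current_user.username:`. The `set_admin` guard is correct because `username` is assigned just before it. Separately, the message in that branch reads "change you own"; it should be `'You cannot change your own admin rights.'`. The body of admin_manageuser begins before the hunk.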