fix: disable admin self user delete

2023-12-28 23:07:46 -08:00 · 2023-12-28 23:07:46 -08:00 · ad1cb5fc25
commit ad1cb5fc25
parent b61bb77950
1 changed files with 10 additions and 4 deletions
--- a/backend/apps/web/routers/users.py
+++ b/backend/apps/web/routers/users.py
@ -87,15 +87,21 @@ async def delete_user_by_id(user_id: str, cred=Depends(bearer_scheme)):

    if user:
        if user.role == "admin":
+            if user.id != user_id:
                result = Users.delete_user_by_id(user_id)

                if result:
                    return True
                else:
                    raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
+                        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
                        detail=ERROR_MESSAGES.DELETE_USER_ERROR,
                    )
+            else:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail=ERROR_MESSAGES.ACTION_PROHIBITED,
+                )
        else:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,