fix: disable admin self user delete

ad1cb5fc · Timothy J. Baek · b61bb779 · ad1cb5fc
Commit ad1cb5fc authored Dec 28, 2023 by Timothy J. Baek
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 5 deletions

backend/apps/web/routers/users.py backend/apps/web/routers/users.py +11 -5

No files found.
--- a/backend/apps/web/routers/users.py
+++ b/backend/apps/web/routers/users.py
@@ -87,14 +87,20 @@ async def delete_user_by_id(user_id: str, cred=Depends(bearer_scheme)):

    if user:
        if user.role == "admin":
-            result = Users.delete_user_by_id(user_id)
-
-            if result:
-                return True
+            if user.id != user_id:
+                result = Users.delete_user_by_id(user_id)
+
+                if result:
+                    return True
+                else:
+                    raise HTTPException(
+                        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                        detail=ERROR_MESSAGES.DELETE_USER_ERROR,
+                    )
            else:
                raise HTTPException(
                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail=ERROR_MESSAGES.DELETE_USER_ERROR,
+                    detail=ERROR_MESSAGES.ACTION_PROHIBITED,
                )
        else:
            raise HTTPException(