fix: disable admin self user delete

ad1cb5fc · Timothy J. Baek · b61bb779 · ad1cb5fc
Commit ad1cb5fc authored Dec 28, 2023 by Timothy J. Baek
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 5 deletions

backend/apps/web/routers/users.py backend/apps/web/routers/users.py +11 -5

No files found.
--- a/backend/apps/web/routers/users.py
+++ b/backend/apps/web/routers/users.py
@@ -87,15 +87,21 @@ async def delete_user_by_id(user_id: str, cred=Depends(bearer_scheme)):
    if user:
        if user.role == "admin":
+            if user.id != user_id:
                result = Users.delete_user_by_id(user_id)
                if result:
                    return True
                else:
                    raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
+                        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
                        detail=ERROR_MESSAGES.DELETE_USER_ERROR,
                    )
+            else:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail=ERROR_MESSAGES.ACTION_PROHIBITED,
+                )
        else:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,