synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-08 11:39:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: disallow deleting self (#6306)

Browse Source 
* fix: api: disallow user self-deletion

* feat(site): TableRowMenu: allow disabling individual menu items

* fix(site): UsersTable: disallow deleting self
This commit is contained in:
Cian Johnston
2023-02-22 16:48:16 +00:00
committed by GitHub
parent b412ef0dbb
commit 6149905a83
11 changed files with 45 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
coderd/users.go
View File

@ -387,6 +387,7 @@ func (api *API) deleteUser(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
auditor := *api.Auditor.Load()
user := httpmw.UserParam(r)
auth := httpmw.UserAuthorization(r)
aReq, commitAudit := audit.InitRequest[database.User](rw, &audit.RequestParams{
Audit: auditor,
Log: api.Logger,
@ -401,6 +402,13 @@ func (api *API) deleteUser(rw http.ResponseWriter, r *http.Request) {
return
}
if auth.Actor.ID == user.ID.String() {
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
Message: "You cannot delete yourself!",
})
return
}
workspaces, err := api.Database.GetWorkspaces(ctx, database.GetWorkspacesParams{
OwnerID: user.ID,
})

10
coderd/users_test.go
View File

@ -327,6 +327,16 @@ func TestDeleteUser(t *testing.T) {
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusExpectationFailed, apiErr.StatusCode())
})
t.Run("Self", func(t *testing.T) {
t.Parallel()
client := coderdtest.New(t, nil)
user := coderdtest.CreateFirstUser(t, client)
err := client.DeleteUser(context.Background(), user.UserID)
var apiErr *codersdk.Error
require.Error(t, err, "should not be able to delete self")
require.ErrorAs(t, err, &apiErr, "should be a coderd error")
require.Equal(t, http.StatusForbidden, apiErr.StatusCode(), "should be forbidden")
})
}
func TestPostLogout(t *testing.T) {