fix: disallow deleting self (#6306)

* fix: api: disallow user self-deletion * feat(site): TableRowMenu: allow disabling individual menu items * fix(site): UsersTable: disallow deleting self
2025-07-03 16:13:58 +00:00 · 2023-02-22 16:48:16 +00:00
parent b412ef0dbb
commit 6149905a83
11 changed files with 45 additions and 3 deletions
--- a/coderd/users.go
+++ b/coderd/users.go
@ -387,6 +387,7 @@ func (api *API) deleteUser(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	auditor := *api.Auditor.Load()
 	user := httpmw.UserParam(r)
+	auth := httpmw.UserAuthorization(r)
 	aReq, commitAudit := audit.InitRequest[database.User](rw, &audit.RequestParams{
 		Audit:   auditor,
 		Log:     api.Logger,
@ -401,6 +402,13 @@ func (api *API) deleteUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if auth.Actor.ID == user.ID.String() {
+		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+			Message: "You cannot delete yourself!",
+		})
+		return
+	}
+
 	workspaces, err := api.Database.GetWorkspaces(ctx, database.GetWorkspacesParams{
 		OwnerID: user.ID,
 	})