Make sure user can not delete himself

2026-06-06 05:38:44 +08:00 · 2024-05-28 16:26:08 +08:00
parent 5b854728fa
commit df54fc1210
1 changed files with 5 additions and 4 deletions
--- a/routes/api/user.ts
+++ b/routes/api/user.ts
@@ -20,15 +20,13 @@ export const handler: Handlers = {
        }
        const id = await parse_int(data.get("id"), null);
        const username = await get_string(data.get("username"));
-        if (id === null && !username && !user) {
+        if (id === null && !username) {
            return return_error(1, "user not specified.");
        }
        const m = get_task_manager();
        const us = id !== null
            ? m.db.get_user(id)
-            : username
-            ? m.db.get_user_by_name(username)
-            : user;
+            : m.db.get_user_by_name(username ?? "");
        if (!us) return return_error(404, "User not found.");
        if (us.id == 0) return return_error(6, "root user can not be deleted.");
        if (user && us.is_admin && user.id != 0) {
@@ -38,6 +36,9 @@ export const handler: Handlers = {
                403,
            );
        }
+        if (user && us.id == user.id) {
+            return return_error(8, "User can not delete himself.");
+        }
        m.db.delete_user(us.id);
        return return_data(true);
    },