Allow non admin users to delete themselves (#1185)
onyxvd authored Sep 25, 2024
1 parent a124a4c commit a220391
Showing 2 changed files with 167 additions and 74 deletions.
33 changes: 30 additions & 3 deletions server/actions/user.js
Expand Up @@ -594,16 +594,38 @@ exports.userDelete = upgradeAction('ah17', {
name: 'user:delete',
description: 'user:delete',
outputExample: {},
middleware: ['auth', 'admin'],
middleware: ['auth'],

inputs: {
id: { required: true }
},

run: async function (api, data, next) {
data.response.success = false
const sessionUser = data.session.user
const userId = parseInt(data.params.id)

const q = {
where: {
id: userId
}
}

if (sessionUser.isAdmin) {
// allow access
} else if (sessionUser.isOrgAdmin) {
// allow access only to same org users
q.where.organizationSlug = sessionUser.organizationSlug
} else {
// everybody else can only delete self
if (userId !== sessionUser.id) {
// id is required so looking for null value shouldn't find any record
q.where.id = null
}
}

try {
const user = await api.models.user.findOne({ where: { id: data.params.id } })
const user = await api.models.user.findOne(q)
if (!user) {
data.connection.rawConnection.responseHttpCode = 404
return next(new Error('Няма такъв потребител'))
Expand All @@ -627,7 +649,12 @@ exports.userDelete = upgradeAction('ah17', {
await user.destroy()

data.response.success = true
next()

if (userId === sessionUser.id) {
api.session.destroy(data.connection, next)
} else {
next()
}
} catch (e) {
next(e)
}
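Review bot: The non-admin branch at `q.where.id = null` deliberately builds an impossible filter so that the 404 below is produced by a database miss instead of refusing up front; the same response can be returned directly, `if (userId !== sessionUser.id) { data.connection.rawConnection.responseHttpCode = 404; return next(new Error('Няма такъв потребител')) }`, which keeps the authorization decision readable and skips the query. `parseInt(data.params.id)` has no radix and yields NaN for non-numeric input, so use `Number.parseInt(data.params.id, 10)` and reject a non-integer result before `q` is built rather than letting NaN reach the admin branch's `where`. In the org-admin branch, if `sessionUser.organizationSlug` is null or undefined the added `organizationSlug` condition would presumably either throw or be dropped by the ORM, and in the latter case the query would no longer be limited to the admin's organization — guard that case explicitly. `api.session.destroy` only runs for self-deletion, so when an admin deletes another user that user's existing sessions are left as they are unless the session store is tied to the user row; worth confirming. exports.userDelete starts before the first hunk and the lines between the two hunks are not shown, so any further checks there are not covered by this note.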
