
fix: disable admin self user delete

Timothy J. Baek 1 year ago
parent
commit
ad1cb5fc25
1 changed files with 11 additions and 5 deletions
  1. 11 5
      backend/apps/web/routers/users.py

+ 11 - 5
backend/apps/web/routers/users.py

@@ -87,14 +87,20 @@ async def delete_user_by_id(user_id: str, cred=Depends(bearer_scheme)):
 
     if user:
         if user.role == "admin":
-            result = Users.delete_user_by_id(user_id)
-
-            if result:
-                return True
+            if user.id != user_id:
+                result = Users.delete_user_by_id(user_id)
+
+                if result:
+                    return True
+                else:
+                    raise HTTPException(
+                        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                        detail=ERROR_MESSAGES.DELETE_USER_ERROR,
+                    )
             else:
                 raise HTTPException(
                     status_code=status.HTTP_403_FORBIDDEN,
-                    detail=ERROR_MESSAGES.DELETE_USER_ERROR,
+                    detail=ERROR_MESSAGES.ACTION_PROHIBITED,
                 )
         else:
             raise HTTPException(
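Review bot: The new `else` branch on the `result` check maps every falsy return from `Users.delete_user_by_id` to a 500, so if that helper signals "no such user" by returning False rather than raising, a request for an unknown `user_id` is reported as an internal server error instead of a 404; resolving the target first and raising `HTTPException(status_code=status.HTTP_404_NOT_FOUND, ...)` when it is absent would keep the 500 for genuine persistence failures. The self-delete guard `if user.id != user_id:` is the right check and its 403 with `ERROR_MESSAGES.ACTION_PROHIBITED` is appropriate, but it adds a third level of nesting inside the admin branch; the same logic reads more clearly as guard clauses that raise early (`if user.id == user_id: raise HTTPException(...)`) followed by a single delete path. A one-line comment such as `# admins may not delete their own account` above the guard would record the intent the commit title carries. `delete_user_by_id` starts before this hunk, and the trailing `raise HTTPException(` continues past it, so the non-admin response code is not visible here.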