Fix delete account as instance admin

txty-io · Oct 24, 2023 · e344dd1 · e344dd1
1 parent 3acd074
commit e344dd1
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 10 deletions.
diff --git a/app/controllers/api/v1/instance_users_controller.rb b/app/controllers/api/v1/instance_users_controller.rb
@@ -20,7 +20,12 @@ def index
   def destroy
     authorize :instance_user, :destroy?
 
-    user = User.find_by(params[:id])
+    user = User.find_by(params[:user_id])
+
+    if user.is_superadmin
+      render json: { errors: [{ code: 'SUPERADMIN_USER_CANT_BE_DELETED' }] }, status: :forbidden
+      return
+    end
 
     if user.delete_account
       render json: { success: true }

diff --git a/app/javascript/components/api/v1/InstanceUsersAPI.ts b/app/javascript/components/api/v1/InstanceUsersAPI.ts
@@ -40,6 +40,12 @@ const InstanceUsersAPI = {
         })
             .then(APIUtils.handleErrors)
             .catch(APIUtils.handleErrors);
+    },
+
+    deleteAccount: async (options: { userId: string }): Promise<{ success: boolean }> => {
+        return API.deleteRequest(`instance/users/${options.userId}`, true)
+            .then(APIUtils.handleErrors)
+            .catch(APIUtils.handleErrors);
     }
 };
 

diff --git a/app/javascript/components/ui/InstanceUsersTable.tsx b/app/javascript/components/ui/InstanceUsersTable.tsx
@@ -72,7 +72,7 @@ export function InstanceUsersTable(props: { tableReloader?: number; style?: Reac
         })();
     }, [props.tableReloader]);
 
-    const onDeleteAccount = async () => {
+    const onDeleteAccount = async (userId: string) => {
         setDeleteAccountLoading(true);
 
         Modal.confirm({
@@ -88,7 +88,7 @@ export function InstanceUsersTable(props: { tableReloader?: number; style?: Reac
             autoFocusButton: "cancel",
             onOk: async () => {
                 try {
-                    await UsersAPI.deleteAccount();
+                    await InstanceUsersAPI.deleteAccount({ userId });
                     message.success("Successfully deleted account.");
                     await reload();
                 } catch (error) {
@@ -148,14 +148,21 @@ export function InstanceUsersTable(props: { tableReloader?: number; style?: Reac
                                 {user.attributes.deactivated ? "Activate" : "Deactivate"}
                             </Button>
                         </Tooltip>
-                        <Button
-                            onClick={onDeleteAccount}
-                            danger
-                            style={{ marginLeft: 12 }}
-                            loading={deleteAccountLoading}
+                        <Tooltip
+                            title={user.attributes.is_superadmin ? "Instance admins can't be deleted." : undefined}
                         >
-                            Delete account
-                        </Button>
+                            <Button
+                                onClick={async () => {
+                                    await onDeleteAccount(user.id);
+                                }}
+                                danger
+                                disabled={user.attributes.is_superadmin}
+                                style={{ marginLeft: 12 }}
+                                loading={deleteAccountLoading}
+                            >
+                                Delete account
+                            </Button>
+                        </Tooltip>
                     </>
                 )
             };