From 93731c3f3e16854570449d41220eb145bd4ed0d9 Mon Sep 17 00:00:00 2001
From: armisss4 <armisss4@gmail.com>
Date: Fri, 30 Dec 2022 04:09:27 +0200
Subject: [PATCH] User control patch

Restricted the actions an admin can perform on its own account: an admin can no longer remove itself from the users list, and an admin can no longer change its own user type to manager.
---
 handler/routes.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/handler/routes.go b/handler/routes.go
index 7db2a9e..89dc341 100644
--- a/handler/routes.go
+++ b/handler/routes.go
@@ -215,7 +215,10 @@ func UpdateUser(db store.IStore) echo.HandlerFunc {
 			}
 			user.PasswordHash = hash
 		}
-		user.Admin = admin
+
+		if previousUsername != currentUser(c) {
+			user.Admin = admin
+		}
 
 		if err := db.DeleteUser(previousUsername); err != nil {
 			return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, err.Error()})
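Review bot: The new guard around `user.Admin = admin` silently drops a self-directed role change. The handler continues to `db.DeleteUser(previousUsername)` and, presumably, to a success response outside the hunk, so the caller cannot tell the admin flag was ignored. RemoveUser in this same patch answers the equivalent case with 403; rejecting here too would be consistent, e.g. `if previousUsername == currentUser(c) && admin != user.Admin { return c.JSON(http.StatusForbidden, jsonHTTPResponse{false, "User cannot change its own admin status"}) }`, placed before any store write. The guard only covers the caller's own account, and the hunk does not show whether a non-admin session can reach this handler and set `admin` on another account, so it is worth confirming the route sits behind an admin-only check. UpdateUser starts and ends outside the hunk.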
@@ -289,6 +292,10 @@ func RemoveUser(db store.IStore) echo.HandlerFunc {
 		}
 
 		username := data["username"].(string)
+
+		if username == currentUser(c) {
+			return c.JSON(http.StatusForbidden, jsonHTTPResponse{false, "User cannot delete itself"})
+		}
 		// delete user from database
 
 		if err := db.DeleteUser(username); err != nil {
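Review bot: The self-delete guard runs directly after the unchecked assertion `data["username"].(string)` on the context line, so a request with a missing or non-string `username` panics before the guard is evaluated. `username, ok := data["username"].(string)` followed by a 400 response on `!ok` would let the handler reject such requests cleanly. The refusal path also returns without a log line, whereas the success path logs `Removed user: %s`; a `log.Warnf("Refused self-removal for user: %s", username)` before the 403 would leave an audit trail. The comparison is an exact string match, so if the store normalises usernames (case, surrounding whitespace) the guard should compare the normalised form. That normalisation is not visible here and needs confirming. RemoveUser starts outside the hunk.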
@@ -297,10 +304,7 @@ func RemoveUser(db store.IStore) echo.HandlerFunc {
 		}
 
 		log.Infof("Removed user: %s", username)
-		if username == currentUser(c) {
-			log.Infof("You removed yourself, killing session")
-			clearSession(c)
-		}
+
 		return c.JSON(http.StatusOK, jsonHTTPResponse{true, "User removed"})
 	}
 }