Merge pull request #7045 from Budibase/prevent-self-deletion

Prevent self deletion

packages/builder/src/pages/builder/portal/manage/users/[userId].svelte

@@ -237,18 +237,21 @@
             </div>
           </div>
         </div>
-        <div>
+        {#if userId !== $auth.user._id}
-          <ActionMenu align="right">
+          <div>
-            <span slot="control">
+            <ActionMenu align="right">
-              <Icon hoverable name="More" />
+              <span slot="control">
-            </span>
+                <Icon hoverable name="More" />
-            <MenuItem on:click={resetPasswordModal.show} icon="Refresh"
+              </span>
-              >Force Password Reset</MenuItem
+              <MenuItem on:click={resetPasswordModal.show} icon="Refresh">
-            >
+                Force password reset
-            <MenuItem on:click={deleteModal.show} icon="Delete">Delete</MenuItem
+              </MenuItem>
-            >
+              <MenuItem on:click={deleteModal.show} icon="Delete">
-          </ActionMenu>
+                Delete
-        </div>
+              </MenuItem>
+            </ActionMenu>
+          </div>
+        {/if}
       </div>
     </Layout>
     <Layout gap="S" noPadding>

packages/builder/src/pages/builder/portal/manage/users/index.svelte

@@ -28,6 +28,7 @@
   import ImportUsersModal from "./_components/ImportUsersModal.svelte"
   import { createPaginationStore } from "helpers/pagination"
   import { Constants } from "@budibase/frontend-core"
+  import { get } from "svelte/store"
 
   const accessTypes = [
     {
@@ -198,6 +199,10 @@
   const deleteRows = async () => {
     try {
       let ids = selectedRows.map(user => user._id)
+      if (ids.includes(get(auth).user._id)) {
+        notifications.error("You cannot delete yourself")
+        return
+      }
       await users.bulkDelete(ids)
       notifications.success(`Successfully deleted ${selectedRows.length} rows`)
       selectedRows = []

packages/worker/src/api/controllers/global/users.ts

@@ -3,17 +3,18 @@ import { checkInviteCode } from "../../../utilities/redis"
 import { sendEmail } from "../../../utilities/email"
 import { users } from "../../../sdk"
 import env from "../../../environment"
-import { User, CloudAccount } from "@budibase/types"
+import { CloudAccount, User } from "@budibase/types"
 import {
-  events,
-  errors,
   accounts,
-  users as usersCore,
-  tenancy,
   cache,
+  errors,
+  events,
+  tenancy,
+  users as usersCore,
 } from "@budibase/backend-core"
 import { checkAnyUserExists } from "../../../utilities/users"
 import { groups as groupUtils } from "@budibase/pro"
+
 const MAX_USERS_UPLOAD_LIMIT = 1000
 
 export const save = async (ctx: any) => {
@@ -117,8 +118,7 @@ export const adminUser = async (ctx: any) => {
 export const countByApp = async (ctx: any) => {
   const appId = ctx.params.appId
   try {
-    const response = await users.countUsersByApp(appId)
+    ctx.body = await users.countUsersByApp(appId)
-    ctx.body = response
   } catch (err: any) {
     ctx.throw(err.status || 400, err)
   }
@@ -126,6 +126,9 @@ export const countByApp = async (ctx: any) => {
 
 export const destroy = async (ctx: any) => {
   const id = ctx.params.id
+  if (id === ctx.user._id) {
+    ctx.throw(400, "Unable to delete self.")
+  }
 
   await users.destroy(id, ctx.user)
 
@@ -136,6 +139,10 @@ export const destroy = async (ctx: any) => {
 
 export const bulkDelete = async (ctx: any) => {
   const { userIds } = ctx.request.body
+  if (userIds?.indexOf(ctx.user._id) !== -1) {
+    ctx.throw(400, "Unable to delete self.")
+  }
+
   try {
     let usersResponse = await users.bulkDelete(userIds)