From f9d05902fea122a995cb66cadaeb420df0d504b6 Mon Sep 17 00:00:00 2001
From: "Haelwenn (lanodan) Monnier"
Date: Sat, 10 Nov 2018 14:42:34 +0100
Subject: [PATCH] lib/pleroma/web/admin_api/admin_api_controller.ex: An admin cannot un-admin themselves
---
 .../web/admin_api/admin_api_controller.ex | 30 +++++++++++++------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/lib/pleroma/web/admin_api/admin_api_controller.ex b/lib/pleroma/web/admin_api/admin_api_controller.ex
index cb9839324..c1df2d570 100644
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@@ -68,19 +68,31 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
 |> json(%{error: "No such right"})
 end
 
- def right_delete(conn, %{"right" => right, "nickname" => nickname})
+ def right_delete(
+ %{assigns: %{user: %User{:nickname => admin_nickname}}} = conn,
+ %{
+ "right" => right,
+ "nickname" => nickname
+ }
+ )
 when right in ["moderator", "admin"] do
- user = User.get_by_nickname(nickname)
+ if admin_nickname == nickname do
+ conn
+ |> post_status(403)
+ |> json(%{error: "You can't revoke your own admin status."})
+ else
+ user = User.get_by_nickname(nickname)
 
- info =
- user.info
- |> Map.put("is_" <> right, false)
+ info =
+ user.info
+ |> Map.put("is_" <> right, false)
 
- cng = User.info_changeset(user, %{info: info})
- {:ok, user} = User.update_and_set_cache(cng)
+ cng = User.info_changeset(user, %{info: info})
+ {:ok, user} = User.update_and_set_cache(cng)
 
- conn
- |> json(user.info)
+ conn
+ |> json(user.info)
+ end
 end
 
 def right_delete(conn, _) do
-- 
2.45.2
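Review bot: `|> post_status(403)` in the new self-revocation branch of `right_delete/2` looks like a typo for Plug's `put_status/2`; unless the controller imports or defines a `post_status/2` helper outside this hunk, the module will not compile, so the line should read `|> put_status(403)`. The guard also compares `admin_nickname == nickname` as raw strings before `User.get_by_nickname(nickname)` resolves the target, so if that lookup is case-insensitive or otherwise normalises nicknames (not visible here), a differently spelled form of the admin's own nickname would pass the check. Doing the lookup first and comparing the resolved record with the acting user, e.g. `user.id == admin_id` with `admin_id` bound in the function head, would make the check independent of how the nickname is written. The same branch also fires for `"moderator"`, where the message "You can't revoke your own admin status." is misleading, and in the `else` branch `user.info` is still read without handling a `nil` result for an unknown nickname.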