fix: don't allow to remove root user

errors/errors.go

@@ -17,4 +17,5 @@ var (
 	ErrPermissionDenied     = errors.New("permission denied")
 	ErrInvalidRequestParams = errors.New("invalid request params")
 	ErrSourceIsParent       = errors.New("source is parent")
+	ErrRootUserDeletion     = errors.New("user with id 1 can't be deleted")
 )

frontend/src/utils/vue.js

@@ -26,14 +26,14 @@ Vue.prototype.$showSuccess = (message) => {
   })).show()
 }
 
-Vue.prototype.$showError = (error) => {
+Vue.prototype.$showError = (error, displayReport = true) => {
   let btns = [
     Noty.button(i18n.t('buttons.close'), '', function () {
       n.close()
     })
   ]
 
-  if (!disableExternal) {
+  if (!disableExternal && displayReport) {
     btns.unshift(Noty.button(i18n.t('buttons.reportIssue'), '', function () {
       window.open('https://github.com/filebrowser/filebrowser/issues/new/choose')
     }))

frontend/src/views/settings/User.vue

@@ -115,7 +115,7 @@ export default {
         this.$router.push({ path: '/settings/users' })
         this.$showSuccess(this.$t('settings.userDeleted'))
       } catch (e) {
-        this.$showError(e)
+         (e.message === "403") ? this.$showError(this.$t("errors.forbidden"), false) : this.$showError(e)
       }
     },
     async save (event) {

http/users.go

@@ -99,8 +99,8 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 
 var userDeleteHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 	err := d.store.Users.Delete(d.raw.(uint))
-	if err == errors.ErrNotExist {
-		return http.StatusNotFound, err
+	if err != nil {
+		return errToStatus(err), err
 	}
 
 	return http.StatusOK, nil

http/utils.go

@@ -40,6 +40,8 @@ func errToStatus(err error) int {
 		return http.StatusForbidden
 	case errors.Is(err, libErrors.ErrInvalidRequestParams):
 		return http.StatusBadRequest
+	case errors.Is(err, libErrors.ErrRootUserDeletion):
+		return http.StatusForbidden
 	default:
 		return http.StatusInternalServerError
 	}

users/storage.go

@@ -92,17 +92,25 @@ func (s *Storage) Save(user *User) error {
 // Delete allows you to delete a user by its name or username. The provided
 // id must be a string for username lookup or a uint for id lookup. If id
 // is neither, a ErrInvalidDataType will be returned.
-func (s *Storage) Delete(id interface{}) (err error) {
+func (s *Storage) Delete(id interface{}) error {
 	switch id := id.(type) {
 	case string:
-		err = s.back.DeleteByUsername(id)
+		user, err := s.back.GetBy(id)
+		if err != nil {
+			return err
+		}
+		if user.ID == 1 {
+			return errors.ErrRootUserDeletion
+		}
+		return s.back.DeleteByUsername(id)
 	case uint:
-		err = s.back.DeleteByID(id)
+		if id == 1 {
+			return errors.ErrRootUserDeletion
+		}
+		return s.back.DeleteByID(id)
 	default:
-		err = errors.ErrInvalidDataType
+		return errors.ErrInvalidDataType
 	}
-
-	return
 }
 
 // LastUpdate gets the timestamp for the last update of an user.