fix: don't allow to remove root user

2021-01-11 22:33:36 +01:00 · 2021-01-11 22:33:36 +01:00 · 019ce80fc5
parent 8cea2f75b3
commit 019ce80fc5
6 changed files with 22 additions and 11 deletions
--- a/errors/errors.go
+++ b/errors/errors.go
@ -17,4 +17,5 @@ var (
 	ErrPermissionDenied     = errors.New("permission denied")
 	ErrInvalidRequestParams = errors.New("invalid request params")
 	ErrSourceIsParent       = errors.New("source is parent")
+	ErrRootUserDeletion     = errors.New("user with id 1 can't be deleted")
 )
--- a/frontend/src/utils/vue.js
+++ b/frontend/src/utils/vue.js
@ -26,14 +26,14 @@ Vue.prototype.$showSuccess = (message) => {
  })).show()
 }

-Vue.prototype.$showError = (error) => {
+Vue.prototype.$showError = (error, displayReport = true) => {
  let btns = [
    Noty.button(i18n.t('buttons.close'), '', function () {
      n.close()
    })
  ]

-  if (!disableExternal) {
+  if (!disableExternal && displayReport) {
    btns.unshift(Noty.button(i18n.t('buttons.reportIssue'), '', function () {
      window.open('https://github.com/filebrowser/filebrowser/issues/new/choose')
    }))
--- a/frontend/src/views/settings/User.vue
+++ b/frontend/src/views/settings/User.vue
@ -115,7 +115,7 @@ export default {
        this.$router.push({ path: '/settings/users' })
        this.$showSuccess(this.$t('settings.userDeleted'))
      } catch (e) {
-        this.$showError(e)
+         (e.message === "403") ? this.$showError(this.$t("errors.forbidden"), false) : this.$showError(e)
      }
    },
    async save (event) {
--- a/http/users.go
+++ b/http/users.go
@ -99,8 +99,8 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request

 var userDeleteHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 	err := d.store.Users.Delete(d.raw.(uint))
-	if err == errors.ErrNotExist {
-		return http.StatusNotFound, err
+	if err != nil {
+		return errToStatus(err), err
 	}

 	return http.StatusOK, nil
--- a/http/utils.go
+++ b/http/utils.go
@ -40,6 +40,8 @@ func errToStatus(err error) int {
 		return http.StatusForbidden
 	case errors.Is(err, libErrors.ErrInvalidRequestParams):
 		return http.StatusBadRequest
+	case errors.Is(err, libErrors.ErrRootUserDeletion):
+		return http.StatusForbidden
 	default:
 		return http.StatusInternalServerError
 	}
--- a/users/storage.go
+++ b/users/storage.go
@ -92,17 +92,25 @@ func (s *Storage) Save(user *User) error {
 // Delete allows you to delete a user by its name or username. The provided
 // id must be a string for username lookup or a uint for id lookup. If id
 // is neither, a ErrInvalidDataType will be returned.
-func (s *Storage) Delete(id interface{}) (err error) {
+func (s *Storage) Delete(id interface{}) error {
 	switch id := id.(type) {
 	case string:
-		err = s.back.DeleteByUsername(id)
+		user, err := s.back.GetBy(id)
+		if err != nil {
+			return err
+		}
+		if user.ID == 1 {
+			return errors.ErrRootUserDeletion
+		}
+		return s.back.DeleteByUsername(id)
 	case uint:
-		err = s.back.DeleteByID(id)
+		if id == 1 {
+			return errors.ErrRootUserDeletion
+		}
+		return s.back.DeleteByID(id)
 	default:
-		err = errors.ErrInvalidDataType
+		return errors.ErrInvalidDataType
 	}
-
-	return
 }

 // LastUpdate gets the timestamp for the last update of an user.