Merge pull request #2886 from jumpserver/dev_users

[Update] 限制用户通过API删除自己

apps/users/api/user.py

@@ -69,7 +69,11 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
         check current user has permission to handle instance
         (update, destroy, bulk_update, bulk destroy)
         """
-        return not self.request.user.is_superuser and instance.is_superuser
+        if not self.request.user.is_superuser and instance.is_superuser:
+            return True
+        if self.request.user == instance:
+            return True
+        return False
 
     def _bulk_deny_permission(self, instances):
         deny_instances = [i for i in instances if self._deny_permission(i)]