[Update] 限制用户通过API删除自己

pull/2886/head
BaiJiangJie 5 years ago
parent ece8f082fb
commit e415ef8354

@ -69,7 +69,11 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
check current user has permission to handle instance check current user has permission to handle instance
(update, destroy, bulk_update, bulk destroy) (update, destroy, bulk_update, bulk destroy)
""" """
return not self.request.user.is_superuser and instance.is_superuser if not self.request.user.is_superuser and instance.is_superuser:
return True
if self.request.user == instance:
return True
return False
def _bulk_deny_permission(self, instances): def _bulk_deny_permission(self, instances):
deny_instances = [i for i in instances if self._deny_permission(i)] deny_instances = [i for i in instances if self._deny_permission(i)]

Loading…
Cancel
Save