Merge pull request #2886 from jumpserver/dev_users

[Update] 限制用户通过API删除自己

Merge pull request #2886 from jumpserver/dev_users
[Update] 限制用户通过API删除自己
423a487b · BaiJiangJie · GitHub · ece8f082 · e415ef83 · 423a487b
Unverified Commit 423a487b authored Jul 05, 2019 by BaiJiangJie Committed by GitHub Jul 05, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

user.py apps/users/api/user.py +5 -1

No files found.
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -69,7 +69,11 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
        check current user has permission to handle instance
        (update, destroy, bulk_update, bulk destroy)
        """
-        return not self.request.user.is_superuser and instance.is_superuser
+        if not self.request.user.is_superuser and instance.is_superuser:
+            return True
+        if self.request.user == instance:
+            return True
+        return False

    def _bulk_deny_permission(self, instances):
        deny_instances = [i for i in instances if self._deny_permission(i)]