[Update] 限制用户通过API删除自己

e415ef83 · BaiJiangJie · ece8f082 · e415ef83
Commit e415ef83 authored Jul 05, 2019 by BaiJiangJie
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

user.py apps/users/api/user.py +5 -1

No files found.
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -69,7 +69,11 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
        check current user has permission to handle instance
        (update, destroy, bulk_update, bulk destroy)
        """
-        return not self.request.user.is_superuser and instance.is_superuser
+        if not self.request.user.is_superuser and instance.is_superuser:
+            return True
+        if self.request.user == instance:
+            return True
+        return False
    def _bulk_deny_permission(self, instances):
        deny_instances = [i for i in instances if self._deny_permission(i)]