users can remove themselves

2025-10-02 11:26:47 +02:00 · 2025-10-02 11:26:47 +02:00 · b6a29b1842
commit b6a29b1842
parent 842ad3ff44
3 changed files with 31 additions and 5 deletions
--- a/frontend/src/views/User.vue
+++ b/frontend/src/views/User.vue
@ -5,6 +5,7 @@ import { type User, primaryUser } from '@/composable/auth.ts'
 import { deleteUser, addUser, changePassword } from '@/composable/settings'

 import UserInfo from '@/components/UserInfo.vue'
+import router from '@/router'

 const new_user_name = ref('')
 const new_user_passwd = ref('')
@ -50,6 +51,20 @@ const onChangePassword = async () => {
        <h3>User Profile</h3>
        <p><a class="font-bold">Name:</a> {{ primaryUser.currentUser.value.user }}</p>
        <p><a class="font-bold">Role:</a> {{ primaryUser.currentUser.value.role }}</p>
+
+        <div>
+          <button
+            @click="
+              () =>
+                deleteUser(primaryUser.getSessionFromJWT()).then(() => {
+                  primaryUser.removeToken()
+                  router.push('login')
+                })
+            "
+          >
+            Delete Profile
+          </button>
+        </div>
      </div>

      <div class="boxed w-80">
--- a/simple_chat_api/endpoints/auth.py
+++ b/simple_chat_api/endpoints/auth.py
@ -127,9 +127,16 @@ def change_password(user):
        return dumps({"error": str(e)})

@app.route("/delete/<deletion_target>", method=["POST"])
-@admin_guard()
-def delete_user(_, deletion_target: str):
+@user_guard()
+def delete_user(user, deletion_target: str):
    response.content_type = 'application/json'
+    is_admin = admin_guard()(lambda _: True)() == True
+    # Note: we could just use user.role == "admin" but we 
+    # want to follow potential requirement changes in the decorator
+    if user.name != deletion_target and not is_admin:
+        response.status = 401
+        return dumps({"error": "Not permited"})
+
    try:
        request.db_connector.delete_user(deletion_target)
        response.status = 200
--- a/simple_chat_api/tests/auth_entpoints.py
+++ b/simple_chat_api/tests/auth_entpoints.py
@ -160,7 +160,7 @@ class TestAuthEndpoints(unittest.TestCase):
                else:
                    self.assertEqual(response.status_code, 400, f"Non-admin user {user} should not create users; {response.text}")

-    def test_5_delete_user(self):
+    def test_6_delete_user(self):
        if self.userSessions == {}:
            self.skipTest("No user sessions available. Run test_get_token first.")
        
@ -175,10 +175,14 @@ class TestAuthEndpoints(unittest.TestCase):
                    response = session.post(f"{API_URL}/user/delete/nonexistent")
                    self.assertEqual(response.status_code, 400, f"Deleting non-existent user should fail; {response.text}")
                else:
-                    response = session.post(f"{API_URL}/user/delete/max")
+                    response = session.post(f"{API_URL}/user/delete/ina")
                    self.assertEqual(response.status_code, 401, f"Non-admin user {user} should not delete users; {response.text}")
+                    response = session.post(f"{API_URL}/user/delete/{user}")
+                    self.assertEqual(response.status_code, 200, f"Non-admin user {user} should be able to delete self; {response.text}")

-    def test_6_change_password(self):
+
+
+    def test_5_change_password(self):
        if self.userSessions == {}:
            self.skipTest("No user sessions available. Run test_get_token first.")