From b6a29b1842a4436cf30b12e06cc940d85c4f3b52 Mon Sep 17 00:00:00 2001
From: Kyattsukuro
Date: Thu, 2 Oct 2025 11:26:47 +0200
Subject: [PATCH] users can remove themselves

---
 frontend/src/views/User.vue | 15 +++++++++++++++
 simple_chat_api/endpoints/auth.py | 11 +++++++++--
 simple_chat_api/tests/auth_entpoints.py | 10 +++++++---
 3 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/frontend/src/views/User.vue b/frontend/src/views/User.vue
index 8542bab..26deda8 100644
--- a/frontend/src/views/User.vue
+++ b/frontend/src/views/User.vue
@@ -5,6 +5,7 @@
 import { type User, primaryUser } from '@/composable/auth.ts'
 import { deleteUser, addUser, changePassword } from '@/composable/settings'
 import UserInfo from '@/components/UserInfo.vue'
+import router from '@/router'
 const new_user_name = ref('')
 const new_user_passwd = ref('')
@@ -50,6 +51,20 @@ const onChangePassword = async () => {

User Profile

Name: {{ primaryUser.currentUser.value.user }}

Role: {{ primaryUser.currentUser.value.role }}

+ +
+ +
diff --git a/simple_chat_api/endpoints/auth.py b/simple_chat_api/endpoints/auth.py
index a712446..d511efa 100644
--- a/simple_chat_api/endpoints/auth.py
+++ b/simple_chat_api/endpoints/auth.py
@@ -127,9 +127,16 @@ def change_password(user):
         return dumps({"error": str(e)})
 @app.route("/delete/", method=["POST"])
-@admin_guard()
-def delete_user(_, deletion_target: str):
+@user_guard()
+def delete_user(user, deletion_target: str):
     response.content_type = 'application/json'
+    is_admin = admin_guard()(lambda _: True)() == True
+    # Note: we could just use user.role == "admin" but we
+    # want to follow potential requirement changes in the decorator
+    if user.name != deletion_target and not is_admin:
+        response.status = 401
+        return dumps({"error": "Not permited"})
+
     try:
         request.db_connector.delete_user(deletion_target)
         response.status = 200
diff --git a/simple_chat_api/tests/auth_entpoints.py b/simple_chat_api/tests/auth_entpoints.py
index 8585241..d0c2a49 100644
--- a/simple_chat_api/tests/auth_entpoints.py
+++ b/simple_chat_api/tests/auth_entpoints.py
@@ -160,7 +160,7 @@ class TestAuthEndpoints(unittest.TestCase):
             else:
                 self.assertEqual(response.status_code, 400, f"Non-admin user {user} should not create users; {response.text}")
-    def test_5_delete_user(self):
+    def test_6_delete_user(self):
         if self.userSessions == {}:
             self.skipTest("No user sessions available. Run test_get_token first.")
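Review bot: The admin check `is_admin = admin_guard()(lambda _: True)() == True` runs the guard decorator inside the handler, so whatever `admin_guard` does when the caller is not an admin — presumably writing a status and error body to `response`, or aborting the request — now fires on every non-admin self-deletion before this handler sets its own status, and if the guard aborts, the 200 self-delete path the new test expects cannot be reached. A plain predicate that the decorator also calls keeps the single source of truth the inline comment asks for without those side effects, e.g. `if user.name != deletion_target and not is_admin_user(user):` (a small helper to be added next to `admin_guard`), and drops the `== True` comparison in favour of plain truthiness. The error text `"Not permited"` is misspelled; `"Not permitted"`. Deleting one's own account leaves the caller's current session/token untouched in this hunk, so whether later requests with it are rejected depends on `user_guard` re-validating the user against the database on each request, which is outside the hunk, as is the rest of the function body.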
@@ -175,10 +175,14 @@ class TestAuthEndpoints(unittest.TestCase):
                 response = session.post(f"{API_URL}/user/delete/nonexistent")
                 self.assertEqual(response.status_code, 400, f"Deleting non-existent user should fail; {response.text}")
             else:
-                response = session.post(f"{API_URL}/user/delete/max")
+                response = session.post(f"{API_URL}/user/delete/ina")
                 self.assertEqual(response.status_code, 401, f"Non-admin user {user} should not delete users; {response.text}")
+                response = session.post(f"{API_URL}/user/delete/{user}")
+                self.assertEqual(response.status_code, 200, f"Non-admin user {user} should be able to delete self; {response.text}")
-    def test_6_change_password(self):
+
+
+    def test_5_change_password(self):
         if self.userSessions == {}:
             self.skipTest("No user sessions available. Run test_get_token first.")
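Review bot: The new self-deletion assertion stops at the 200 response and never checks that the deleted user's credentials are actually dead afterwards; a follow-up request on the same `session` — for example repeating `response = session.post(f"{API_URL}/user/delete/{user}")` and asserting `self.assertNotEqual(response.status_code, 200, ...)` — would catch a token that keeps working after the account is gone. The loop also deletes every non-admin user it visits, so any test ordered after `test_6_delete_user` that relies on `self.userSessions` will skip or fail; the renumbering to `test_5_change_password` handles the one case visible here, and that dependency is worth a short comment above the renamed method. The enclosing `test_6_delete_user` starts outside this hunk.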