users can remove themselves

frontend/src/views/User.vue

@@ -5,6 +5,7 @@ import { type User, primaryUser } from '@/composable/auth.ts'
 import { deleteUser, addUser, changePassword } from '@/composable/settings'
 
 import UserInfo from '@/components/UserInfo.vue'
+import router from '@/router'
 
 const new_user_name = ref('')
 const new_user_passwd = ref('')
@@ -50,6 +51,20 @@ const onChangePassword = async () => {
         <h3>User Profile</h3>
         <p><a class="font-bold">Name:</a> {{ primaryUser.currentUser.value.user }}</p>
         <p><a class="font-bold">Role:</a> {{ primaryUser.currentUser.value.role }}</p>
+
+        <div>
+          <button
+            @click="
+              () =>
+                deleteUser(primaryUser.getSessionFromJWT()).then(() => {
+                  primaryUser.removeToken()
+                  router.push('login')
+                })
+            "
+          >
+            Delete Profile
+          </button>
+        </div>
       </div>
 
       <div class="boxed w-80">

simple_chat_api/endpoints/auth.py

@@ -127,9 +127,16 @@ def change_password(user):
         return dumps({"error": str(e)})
 
 @app.route("/delete/<deletion_target>", method=["POST"])
-@admin_guard()
+@user_guard()
-def delete_user(_, deletion_target: str):
+def delete_user(user, deletion_target: str):
     response.content_type = 'application/json'
+    is_admin = admin_guard()(lambda _: True)() == True
+    # Note: we could just use user.role == "admin" but we 
+    # want to follow potential requirement changes in the decorator
+    if user.name != deletion_target and not is_admin:
+        response.status = 401
+        return dumps({"error": "Not permited"})
+
     try:
         request.db_connector.delete_user(deletion_target)
         response.status = 200

simple_chat_api/tests/auth_entpoints.py

@@ -160,7 +160,7 @@ class TestAuthEndpoints(unittest.TestCase):
                 else:
                     self.assertEqual(response.status_code, 400, f"Non-admin user {user} should not create users; {response.text}")
 
-    def test_5_delete_user(self):
+    def test_6_delete_user(self):
         if self.userSessions == {}:
             self.skipTest("No user sessions available. Run test_get_token first.")
         
@@ -175,10 +175,14 @@ class TestAuthEndpoints(unittest.TestCase):
                     response = session.post(f"{API_URL}/user/delete/nonexistent")
                     self.assertEqual(response.status_code, 400, f"Deleting non-existent user should fail; {response.text}")
                 else:
-                    response = session.post(f"{API_URL}/user/delete/max")
+                    response = session.post(f"{API_URL}/user/delete/ina")
                     self.assertEqual(response.status_code, 401, f"Non-admin user {user} should not delete users; {response.text}")
+                    response = session.post(f"{API_URL}/user/delete/{user}")
+                    self.assertEqual(response.status_code, 200, f"Non-admin user {user} should be able to delete self; {response.text}")
 
-    def test_6_change_password(self):
+
+
+    def test_5_change_password(self):
         if self.userSessions == {}:
             self.skipTest("No user sessions available. Run test_get_token first.")