From d1630e57228b0aa268120ef272dc081b482945ec Mon Sep 17 00:00:00 2001
From: SAGAR PATEL <sagar.a.patel@slscorp.com>
Date: Tue, 7 Jun 2022 16:23:23 +0530
Subject: [PATCH] User should not be able to delete its own user record. (#13)

Signed-off-by: SAGAR PATEL <sagar.a.patel@slscorp.com>
---
 chirpstack/src/api/tenant.rs |  9 +++++++++
 chirpstack/src/api/user.rs   | 19 ++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/chirpstack/src/api/tenant.rs b/chirpstack/src/api/tenant.rs
index e25cbd8d..8bce45e4 100644
--- a/chirpstack/src/api/tenant.rs
+++ b/chirpstack/src/api/tenant.rs
@@ -334,6 +334,15 @@ impl TenantService for Tenant {
             )
             .await?;
 
+        let auth_id = request.extensions().get::<AuthID>().unwrap();
+        if let AuthID::User(id) = auth_id {
+            if id == &user_id {
+                return Err(Status::invalid_argument(
+                    "you can not delete yourself from the user",
+                ));
+            }
+        }
+
         tenant::delete_user(&tenant_id, &user_id)
             .await
             .map_err(|e| e.status())?;
diff --git a/chirpstack/src/api/user.rs b/chirpstack/src/api/user.rs
index 5170116c..8231872d 100644
--- a/chirpstack/src/api/user.rs
+++ b/chirpstack/src/api/user.rs
@@ -7,7 +7,7 @@ use uuid::Uuid;
 use chirpstack_api::api;
 use chirpstack_api::api::user_service_server::UserService;
 
-use super::auth::validator;
+use super::auth::{validator, AuthID};
 use super::error::ToStatus;
 use super::helpers;
 use crate::storage::{tenant, user};
@@ -158,6 +158,15 @@ impl UserService for User {
             )
             .await?;
 
+        let auth_id = request.extensions().get::<AuthID>().unwrap();
+        if let AuthID::User(id) = auth_id {
+            if id == &user_id {
+                return Err(Status::invalid_argument(
+                    "you can not delete yourself from the user",
+                ));
+            }
+        }
+
         user::delete(&user_id).await.map_err(|e| e.status())?;
 
         Ok(Response::new(()))
@@ -359,5 +368,13 @@ pub mod test {
         del_req.extensions_mut().insert(AuthID::User(u.id.clone()));
         let del_resp = service.delete(del_req).await;
         assert!(del_resp.is_err());
+
+        let del_req = api::DeleteUserRequest {
+            id: u.id.to_string(),
+        };
+        let mut del_req = Request::new(del_req);
+        del_req.extensions_mut().insert(AuthID::User(u.id.clone()));
+        let del_resp = service.delete(del_req).await;
+        assert!(del_resp.is_err());
     }
 }