User should not be able to delete its own user record. (#13)

Signed-off-by: SAGAR PATEL <sagar.a.patel@slscorp.com>

chirpstack/src/api/tenant.rs

@@ -334,6 +334,15 @@ impl TenantService for Tenant {
             )
             .await?;
 
+        let auth_id = request.extensions().get::<AuthID>().unwrap();
+        if let AuthID::User(id) = auth_id {
+            if id == &user_id {
+                return Err(Status::invalid_argument(
+                    "you can not delete yourself from the user",
+                ));
+            }
+        }
+
         tenant::delete_user(&tenant_id, &user_id)
             .await
             .map_err(|e| e.status())?;

chirpstack/src/api/user.rs

@@ -7,7 +7,7 @@ use uuid::Uuid;
 use chirpstack_api::api;
 use chirpstack_api::api::user_service_server::UserService;
 
-use super::auth::validator;
+use super::auth::{validator, AuthID};
 use super::error::ToStatus;
 use super::helpers;
 use crate::storage::{tenant, user};
@@ -158,6 +158,15 @@ impl UserService for User {
             )
             .await?;
 
+        let auth_id = request.extensions().get::<AuthID>().unwrap();
+        if let AuthID::User(id) = auth_id {
+            if id == &user_id {
+                return Err(Status::invalid_argument(
+                    "you can not delete yourself from the user",
+                ));
+            }
+        }
+
         user::delete(&user_id).await.map_err(|e| e.status())?;
 
         Ok(Response::new(()))
@@ -359,5 +368,13 @@ pub mod test {
         del_req.extensions_mut().insert(AuthID::User(u.id.clone()));
         let del_resp = service.delete(del_req).await;
         assert!(del_resp.is_err());
+
+        let del_req = api::DeleteUserRequest {
+            id: u.id.to_string(),
+        };
+        let mut del_req = Request::new(del_req);
+        del_req.extensions_mut().insert(AuthID::User(u.id.clone()));
+        let del_resp = service.delete(del_req).await;
+        assert!(del_resp.is_err());
     }
 }