From 388d26fa05ac0dda1f7b224125fa2cc9d52cb60b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Tue, 24 Oct 2023 13:32:44 +0200
Subject: [PATCH] Forbid a user to delete himself on the admin page

---
 src/Controller/UserController.php | 8 +++++++-
 templates/admin/_delete_form.html.twig | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Controller/UserController.php b/src/Controller/UserController.php
index d5190b97..97675d11 100644
--- a/src/Controller/UserController.php
+++ b/src/Controller/UserController.php
@@ -169,8 +169,14 @@ class UserController extends BaseAdminController
     #[Route(path: '/{id}', name: 'user_delete', methods: ['DELETE'], requirements: ['id' => '\d+'])]
     public function delete(Request $request, User $entity, StructuralElementRecursionHelper $recursionHelper): RedirectResponse
     {
+        //Disallow deleting the anonymous user
         if (User::ID_ANONYMOUS === $entity->getID()) {
-            throw new InvalidArgumentException('You can not delete the anonymous user! It is needed for permission checking without a logged in user');
+            throw new \LogicException('You can not delete the anonymous user! It is needed for permission checking without a logged in user');
+        }
+
+        //Disallow deleting the current logged-in user
+        if ($entity === $this->getUser()) {
+            throw new \LogicException('You can not delete your own user account!');
         }
 
         return $this->_delete($request, $entity, $recursionHelper);
diff --git a/templates/admin/_delete_form.html.twig b/templates/admin/_delete_form.html.twig
index 762b91b6..fd653256 100644
--- a/templates/admin/_delete_form.html.twig
+++ b/templates/admin/_delete_form.html.twig
@@ -6,7 +6,7 @@
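Review bot: The new self-deletion guard `if ($entity === $this->getUser())` compares object identity, so it only holds while the security token's user and the route-loaded `User $entity` are the same managed instance; that is usually the case within one request through Doctrine's identity map, but nothing in this hunk guarantees it, and a detached or refreshed token user would let an administrator delete their own account after all. Comparing identifiers is robust and matches the existing `User::ID_ANONYMOUS === $entity->getID()` check just above: `$current = $this->getUser();` followed by `if ($current instanceof User && $current->getID() === $entity->getID()) {`. Separately, `\LogicException` surfaces as an HTTP 500 in Symfony even though this is a refused client request rather than a programming error; `throw $this->createAccessDeniedException('You can not delete your own user account!');` answers with a 403 and keeps error monitoring free of false server faults (the anonymous-user branch would benefit from the same treatment). The Twig hunk's `entity == app.user` rests on the same by-object assumption and could use `entity.id == app.user.id`, though that hunk is truncated here and the server-side check above remains the one that matters. The method's closing brace lies outside the hunk.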
-    {% set delete_disabled = (not is_granted("delete", entity)) or (entity.group is defined and entity.id == 1) %}
+    {% set delete_disabled = (not is_granted("delete", entity)) or (entity.group is defined and entity.id == 1) or entity == app.user %}