From ad1cb5fc256b9ff1f3a2f008484a765fd8c139d4 Mon Sep 17 00:00:00 2001
From: "Timothy J. Baek"
Date: Thu, 28 Dec 2023 23:07:46 -0800
Subject: [PATCH] fix: disable admin self user delete
---
 backend/apps/web/routers/users.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/backend/apps/web/routers/users.py b/backend/apps/web/routers/users.py
index 0206b7d7e..2b1168284 100644
--- a/backend/apps/web/routers/users.py
+++ b/backend/apps/web/routers/users.py
@@ -87,14 +87,20 @@ async def delete_user_by_id(user_id: str, cred=Depends(bearer_scheme)):
 if user:
 if user.role == "admin":
- result = Users.delete_user_by_id(user_id)
+ if user.id != user_id:
+ result = Users.delete_user_by_id(user_id)
- if result:
- return True
+ if result:
+ return True
+ else:
+ raise HTTPException(
+ status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+ detail=ERROR_MESSAGES.DELETE_USER_ERROR,
+ )
 else:
 raise HTTPException(
 status_code=status.HTTP_403_FORBIDDEN,
- detail=ERROR_MESSAGES.DELETE_USER_ERROR,
+ detail=ERROR_MESSAGES.ACTION_PROHIBITED,
 )
 else:
 raise HTTPException(