From 32c55446cbab0d02d9c429da7168b6cc1de39f9c Mon Sep 17 00:00:00 2001
From: Richard Cox
Date: Thu, 18 Mar 2021 18:03:10 +0000
Subject: [PATCH] Ensure current user cannot deactivate or delete themselves
- the api does not allow the signed in user to deactivate/delete themselves
- ensure that we don't show these options by checking user isn't the signed in one
- ideally this should be done via the api by removing the 'remove' link for the signed in user
---
 models/management.cattle.io.user.js | 12 +++++++++++-
 plugins/steve/resource-instance.js | 4 ++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/models/management.cattle.io.user.js b/models/management.cattle.io.user.js
index 528cc933a0..1949c78436 100644
--- a/models/management.cattle.io.user.js
+++ b/models/management.cattle.io.user.js
@@ -11,6 +11,12 @@ export default {
 return false;
 },
+ isCurrentUser() {
+ const currentPrincipal = this.$rootGetters['auth/principalId'];
+
+ return !!this.principalIds.find(p => p === currentPrincipal);
+ },
+
 nameDisplay() {
 return this.displayName || this.username || this.id;
 },
@@ -136,10 +142,14 @@ export default {
 const stateOk = state ? this.state === 'inactive' : this.state === 'active';
 const permissionOk = this.hasLink('update'); // Not canUpdate, only gate on api not whether editable pages should be visible
- return stateOk && permissionOk;
+ return stateOk && permissionOk && !this.isCurrentUser;
 };
 },
+ canDelete() {
+ return this._canDelete && !this.isCurrentUser;
+ },
+
 _availableActions() {
 return [
 {
diff --git a/plugins/steve/resource-instance.js b/plugins/steve/resource-instance.js
index e928e2db1a..39121991ae 100644
--- a/plugins/steve/resource-instance.js
+++ b/plugins/steve/resource-instance.js
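Review bot: `isCurrentUser` in the first hunk of `models/management.cattle.io.user.js` calls `this.principalIds.find(...)` without checking that `principalIds` is set, so a user resource lacking that field (whether that can happen is not visible here) would make the getter throw, and the later hunk feeds it into both `canActivate` and `canDelete`. The `find` plus `!!` pair is a membership test, so `return (this.principalIds || []).includes(currentPrincipal);` expresses the same check and tolerates a missing array. If `auth/principalId` is not yet populated the getter returns false and the self-deactivate/delete options would be offered; per the commit message the API still rejects those requests, so this is a display gap rather than a bypass, but it deserves a one-line comment on the getter.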
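Review bot: The `!this.isCurrentUser` terms added in the second hunk, in the `state` closure and in the new `canDelete` override, are display gates only, and nothing in the code says so. A comment on `canDelete` such as `// UI-only: hides the action for the signed-in user; the API is what rejects self-delete/deactivate` would keep a later reader from treating these getters as the authorization check. The getter that returns the `state` closure starts above this hunk, and `_canDelete` is defined in `plugins/steve/resource-instance.js` by this same patch.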
@@ -702,6 +702,10 @@ export default {
 // ------------------------------------------------------------------
 canDelete() {
+ return this._canDelete;
+ },
+
+ _canDelete() {
 return this.hasLink('remove') && this.$rootGetters['type-map/optionsFor'](this.type).isRemovable;
 },
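Review bot: `_canDelete` is introduced here as the base check that model overrides are meant to compose with, but it carries no comment, so the reason for the split can only be found by reading the user model. I would add above it `// Base delete check (remove link + type is removable); models overriding canDelete should AND their own condition with this._canDelete`. Any model outside this patch that already overrides `canDelete` keeps its own logic and does not pick up `_canDelete` automatically; that cannot be confirmed from this hunk and is worth a search before merging.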