From bb57ebf60251aa0f1462c3e36f0522c01846c324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Goran=20Meki=C4=87?= Date: Thu, 3 Jul 2025 01:25:11 +0200 Subject: [PATCH] Only admin can edit/delete other users --- freenit/__init__.py | 2 +- freenit/api/user/ldap.py | 14 ++++++++++++-- freenit/api/user/sql.py | 18 +++++++++++++++--- tests/test_user.py | 4 ++-- 4 files changed, 30 insertions(+), 8 deletions(-) diff --git a/freenit/__init__.py b/freenit/__init__.py index 50d85c8..08aad71 100644 --- a/freenit/__init__.py +++ b/freenit/__init__.py @@ -1 +1 @@ -__version__ = "0.3.18" +__version__ = "0.3.19" diff --git a/freenit/api/user/ldap.py b/freenit/api/user/ldap.py index e9b5e56..23e473e 100644 --- a/freenit/api/user/ldap.py +++ b/freenit/api/user/ldap.py @@ -37,7 +37,13 @@ async def get(id, _: User = Depends(user_perms)) -> UserSafe: return user @staticmethod - async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSafe: + async def patch( + id, data: UserOptional, cur_user: User = Depends(user_perms) + ) -> UserSafe: + if not cur_user.admin: + raise HTTPException( + status_code=403, detail="Only admin users can edit other user's details" + ) user = await User.get_by_uid(id) update = { field: getattr(data, field) @@ -48,7 +54,11 @@ async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSa return user @staticmethod - async def delete(id, _: User = Depends(user_perms)) -> UserSafe: + async def delete(id, cur_user: User = Depends(user_perms)) -> UserSafe: + if not cur_user.admin: + raise HTTPException( + status_code=403, detail="Only admin users can delete other users" + ) try: user = await User.get_by_uid(id) await user.destroy() diff --git a/freenit/api/user/sql.py b/freenit/api/user/sql.py index a172e70..a5422b6 100644 --- a/freenit/api/user/sql.py +++ b/freenit/api/user/sql.py 
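Review bot: The admin gate in `patch` is an inline check copied into four handlers (both routes here and both in sql.py), and because it runs inside the endpoint it only fires after FastAPI has already resolved and validated the `UserOptional` body, so a non-admin still gets schema-level 422s back from a route they are not allowed to use. A single dependency, `cur_user: User = Depends(admin_perms)`, would enforce the rule in one place, reject non-admins before the body is processed, and make it hard to forget on the next admin-only route; the helper below, placed next to `user_perms`, does it. Checking the flag before `User.get_by_uid(id)` is the right order, since a non-admin then cannot distinguish existing from missing uids, and the dependency form keeps that property. `get` in the hunk header still serves any user's record to any `user_perms` holder, which matches the commit title but is worth confirming against what `UserSafe` actually strips. `patch`'s body continues past the hunk.
```python
async def admin_perms(user: User = Depends(user_perms)) -> User:
    """Resolve the caller exactly as user_perms does, then require the admin flag."""
    if not user.admin:
        raise HTTPException(
            status_code=403, detail="Only admin users can edit or delete other users"
        )
    return user

# … unchanged: class header, get() …
    @staticmethod
    async def patch(id, data: UserOptional, cur_user: User = Depends(admin_perms)) -> UserSafe:
        user = await User.get_by_uid(id)
        # … unchanged: update dict and return …
```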
@@ -43,7 +43,13 @@ async def get(id, _: User = Depends(user_perms)) -> UserSafe: return user @staticmethod - async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSafe: + async def patch( + id, data: UserOptional, cur_user: User = Depends(user_perms) + ) -> UserSafe: + if not cur_user.admin: + raise HTTPException( + status_code=403, detail="Only admin users can edit other user's details" + ) if data.password: data.password = encrypt(data.password) try: @@ -54,7 +60,11 @@ async def patch(id, data: UserOptional, _: User = Depends(user_perms)) -> UserSa return user @staticmethod - async def delete(id, _: User = Depends(user_perms)) -> UserSafe: + async def delete(id, cur_user: User = Depends(user_perms)) -> UserSafe: + if not cur_user.admin: + raise HTTPException( + status_code=403, detail="Only admin users can delete other users" + ) try: user = await User.objects.get(pk=id) except ormar.exceptions.NoMatch: @@ -73,7 +83,9 @@ async def get(user: User = Depends(profile_perms)) -> UserSafe: @staticmethod @description("Edit my profile") - async def patch(data: UserOptional, user: User = Depends(profile_perms)) -> UserSafe: + async def patch( + data: UserOptional, user: User = Depends(profile_perms) + ) -> UserSafe: if data.password: data.password = encrypt(data.password) await user.patch(data) diff --git a/tests/test_user.py b/tests/test_user.py index d4a9989..dc80438 100644 --- a/tests/test_user.py +++ b/tests/test_user.py @@ -39,7 +39,7 @@ async def test_get_user_by_id(self, client): assert response.status_code == 200 async def test_delete_user(self, client): - admin = factories.User() + admin = factories.User(admin=True) await admin.save() client.login(user=admin) user = factories.User() @@ -48,7 +48,7 @@ async def test_delete_user(self, client): assert response.status_code == 200 async def test_edit_user(self, client): - admin = factories.User() + admin = factories.User(admin=True) await admin.save() client.login(user=admin) data = {
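Review bot: The 403 added to `patch` protects the `/{id}` route only, while the same `UserOptional` body model is what the self-service profile `patch` further down (`@@ -73`) passes straight into `user.patch(data)`; if that model exposes a privilege field such as `admin`, the escalation this commit closes for other users' records is still open on a user's own record. That cannot be confirmed from this diff, so please check `UserOptional` and, if the field is there, strip or reject `admin` on the profile route. The `encrypt(data.password)` step is correctly placed after the check, so nothing is computed for rejected callers. `patch` continues beyond the hunk.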
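Review bot: Nothing in `delete` stops an admin from deleting their own account, and since every admin-only route now hinges on `cur_user.admin`, removing the last admin locks the deployment out of user management entirely. After the `User.objects.get(pk=id)` lookup, a guard such as `if user.pk == cur_user.pk: raise HTTPException(status_code=409, detail="Cannot delete your own account")` would close the self-delete case; that the model exposes `pk` the way ormar models normally do should be confirmed. The `except ormar.exceptions.NoMatch` branch and the rest of the body are outside the hunk.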
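Review bot: Both updated tests now log in as `factories.User(admin=True)` and keep asserting the admin success path, but nothing exercises the regression this commit fixes, so the new 403 branches in `patch` and `delete` have no test. Add `test_delete_user_as_non_admin` and `test_edit_user_as_non_admin` that save and log in a plain `factories.User()` (its default `admin` is presumably False given this change; confirm), issue the same requests as `test_delete_user` and `test_edit_user`, and `assert response.status_code == 403`. A follow-up assertion that the target user still exists after the rejected delete would also pin that no work happens before the check.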