Don't allow admins to delete themselves (#1759)

* Don't allow admins to accidentally delete themselves
2025-12-18 06:24:23 +01:00 · 2020-12-10 13:21:26 -05:00
parent 9374c2a0a8
commit eabf43f980
1 changed files with 7 additions and 0 deletions
--- a/CTFd/api/v1/users.py
+++ b/CTFd/api/v1/users.py
@@ -250,6 +250,13 @@ class UserPublic(Resource):
        responses={200: ("Success", "APISimpleSuccessResponse")},
    )
    def delete(self, user_id):
+        # Admins should not be able to delete themselves
+        if user_id == session["id"]:
+            return (
+                {"success": False, "errors": {"id": "You cannot delete yourself"}},
+                400,
+            )
+
        Notifications.query.filter_by(user_id=user_id).delete()
        Awards.query.filter_by(user_id=user_id).delete()
        Unlocks.query.filter_by(user_id=user_id).delete()