From eabf43f9809546a5c30865e51694a02f72d11b8b Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Thu, 10 Dec 2020 13:21:26 -0500
Subject: [PATCH] Don't allow admins to delete themselves (#1759)
* Don't allow admins to accidentally delete themselves
---
 CTFd/api/v1/users.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/CTFd/api/v1/users.py b/CTFd/api/v1/users.py
index 09b564be..deace1c1 100644
--- a/CTFd/api/v1/users.py
+++ b/CTFd/api/v1/users.py
@@ -250,6 +250,13 @@ class UserPublic(Resource):
 responses={200: ("Success", "APISimpleSuccessResponse")},
 )
 def delete(self, user_id):
+ # Admins should not be able to delete themselves
+ if user_id == session["id"]:
+ return (
+ {"success": False, "errors": {"id": "You cannot delete yourself"}},
+ 400,
+ )
+
 Notifications.query.filter_by(user_id=user_id).delete()
 Awards.query.filter_by(user_id=user_id).delete()
 Unlocks.query.filter_by(user_id=user_id).delete()
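Review bot: The guard `if user_id == session["id"]:` at the top of `delete` only holds when both sides have the same type. The route converter and the way the session id is stored are outside this hunk, so if either side is ever a string the comparison is silently false and the self-delete goes ahead. Because this check is a safety control rather than a convenience, I would make the comparison explicit, for example `if int(user_id) == int(session["id"]):`. The diffstat shows only `CTFd/api/v1/users.py` changed, so a regression test is also worth adding: an admin DELETE on their own id should return 400 and leave the account and its related rows intact. The body of `delete` continues past the end of the hunk.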