fix: allow deleting the user's own account (#5820)

errors/errors.go

@@ -21,7 +21,7 @@ var (
 	ErrPermissionDenied         = errors.New("permission denied")
 	ErrInvalidRequestParams     = errors.New("invalid request params")
 	ErrSourceIsParent           = errors.New("source is parent")
-	ErrRootUserDeletion         = errors.New("user with id 1 can't be deleted")
+	ErrRootUserDeletion         = errors.New("the sole admin can't be deleted")
 	ErrCurrentPasswordIncorrect = errors.New("the current password is incorrect")
 )
 

frontend/src/views/settings/User.vue

@@ -59,6 +59,7 @@ import { useRoute, useRouter } from "vue-router";
 import { useI18n } from "vue-i18n";
 import { StatusError } from "@/api/utils";
 import { authMethod } from "@/utils/constants";
+import { logout } from "@/utils/auth";
 
 const error = ref<StatusError>();
 const originalUser = ref<IUser>();
@@ -144,7 +145,11 @@ const deleteUser = async (currentPassword: string) => {
   }
   try {
     await api.remove(user.value.id, currentPassword);
-    router.push({ path: "/settings/users" });
+    if (user.value.id == authStore.user?.id) {
+      logout();
+    } else {
+      router.push({ path: "/settings/users" });
+    }
     $showSuccess(t("settings.userDeleted"));
   } catch (err) {
     if (err instanceof StatusError) {

storage/bolt/users.go

@@ -6,6 +6,7 @@ import (
 	"reflect"
 
 	"github.com/asdine/storm/v3"
+	bolt "go.etcd.io/bbolt"
 
 	fberrors "github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/users"
@@ -93,3 +94,29 @@ func (st usersBackend) DeleteByUsername(username string) error {
 
 	return st.db.DeleteStruct(user)
 }
+
+func (st usersBackend) CountAdmins() (int, error) {
+	count := 0
+
+	err := st.db.Bolt.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(reflect.TypeOf(users.User{}).Name()))
+		if bucket == nil {
+			return nil
+		}
+
+		c := bucket.Cursor()
+		for _, v := c.First(); v != nil; _, v = c.Next() {
+			var u users.User
+			if err := st.db.Codec().Unmarshal(v, &u); err != nil {
+				return err
+			}
+			if u.Perm.Admin {
+				count++
+			}
+		}
+
+		return nil
+	})
+
+	return count, err
+}

users/storage.go

@@ -15,6 +15,7 @@ type StorageBackend interface {
 	Update(u *User, fields ...string) error
 	DeleteByID(uint) error
 	DeleteByUsername(string) error
+	CountAdmins() (int, error)
 }
 
 type Store interface {
@@ -108,14 +109,20 @@ func (s *Storage) Delete(id interface{}) error {
 		if err != nil {
 			return err
 		}
-		if user.ID == 1 {
+		if s.IsUniqueAdmin(user) {
 			return fberrors.ErrRootUserDeletion
 		}
+
 		return s.back.DeleteByUsername(id)
 	case uint:
-		if id == 1 {
+		user, err := s.back.GetBy(id)
+		if err != nil {
+			return err
+		}
+		if s.IsUniqueAdmin(user) {
 			return fberrors.ErrRootUserDeletion
 		}
+
 		return s.back.DeleteByID(id)
 	default:
 		return fberrors.ErrInvalidDataType
@@ -131,3 +138,15 @@ func (s *Storage) LastUpdate(id uint) int64 {
 	}
 	return 0
 }
+
+func (s *Storage) IsUniqueAdmin(user *User) bool {
+	if !user.Perm.Admin {
+		return false
+	}
+
+	count, err := s.back.CountAdmins()
+	if err != nil {
+		return true
+	}
+	return count <= 1
+}