feat: add self-modification protection for user roles

Protect owners from accidentally locking themselves out by:
- Adding RoleService.can_modify_user_role() to centralize validation logic
- Blocking edit/delete operations on own role in views
- Hiding edit/delete buttons for own role in template

This prevents owners from:
- Changing their own role to a lower privilege level
- Deactivating themselves
- Deleting their own access

Standard admin pattern used by GitHub, WordPress, Django Admin.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-01 23:06:54 +03:00
parent ffc3b0c42d
commit f2c1f7e02d
3 changed files with 46 additions and 6 deletions

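The commit message describes the policy (a centralized `RoleService.can_modify_user_role()`, views that refuse edit/delete on the caller's own role, and a template that hides the buttons). The following is an added, framework-free sketch of that pattern, not code from this repository: `Role`, `User`, `UserRole`, `PermissionDenied`, the guard functions and the sample users are all assumed for illustration. Its point is the one the template hunk alone cannot show: the server-side check is what actually protects the owner, the template branch is only a courtesy mirror of it.

```python
"""Self-modification guard for user roles (added example, hypothetical names)."""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    VIEWER = 1
    EDITOR = 2
    OWNER = 3


@dataclass(frozen=True)
class User:
    pk: int
    username: str


@dataclass
class UserRole:
    pk: int
    user: User
    role: Role
    is_active: bool = True


class PermissionDenied(Exception):
    """Raised by the view guards; a Django view would map this to HTTP 403."""


class RoleService:
    @staticmethod
    def can_modify_user_role(actor: User, target: UserRole) -> bool:
        # Single source of truth: an actor may not touch the UserRole row
        # that grants their own access (no downgrade, no deactivation, no
        # deletion). Compared by pk, as Django model equality is, so two
        # separately loaded instances of the same user still match.
        return target.user.pk != actor.pk


# Server-side guards. Hiding the buttons in the template does nothing for a
# request typed by hand against the edit/delete URL; these checks do.

def edit_user_role(actor: User, target: UserRole, *, role=None, is_active=None) -> UserRole:
    if not RoleService.can_modify_user_role(actor, target):
        raise PermissionDenied("you cannot modify your own role")
    if role is not None:
        target.role = role
    if is_active is not None:
        target.is_active = is_active
    return target


def delete_user_role(actor: User, target: UserRole, table: dict) -> int:
    if not RoleService.can_modify_user_role(actor, target):
        raise PermissionDenied("you cannot delete your own access")
    del table[target.pk]
    return target.pk


def render_actions(actor: User, target: UserRole) -> list:
    """Mirror of the template branch: buttons for others, a lock for self.
    It calls the same service method so template and views cannot drift."""
    if RoleService.can_modify_user_role(actor, target):
        return ["edit", "delete"]
    return ["locked"]


def demo() -> dict:
    """Constructed sample data: an owner and one other user."""
    alice = User(1, "alice")
    bob = User(2, "bob")
    table = {
        10: UserRole(10, alice, Role.OWNER),
        11: UserRole(11, bob, Role.EDITOR),
    }
    out = {"own_buttons": render_actions(alice, table[10]),
           "other_buttons": render_actions(alice, table[11])}
    # The owner tries to downgrade, deactivate and delete herself: all refused,
    # and her row is untouched.
    for attempt in (lambda: edit_user_role(alice, table[10], role=Role.VIEWER),
                    lambda: edit_user_role(alice, table[10], is_active=False),
                    lambda: delete_user_role(alice, table[10], table)):
        try:
            attempt()
            out.setdefault("denied", []).append(False)
        except PermissionDenied:
            out.setdefault("denied", []).append(True)
    out["own_role_after"] = table[10].role
    out["own_active_after"] = table[10].is_active
    # Editing someone else's role still works.
    out["bob_role_after"] = edit_user_role(alice, table[11], role=Role.VIEWER).role
    out["deleted_pk"] = delete_user_role(alice, table[11], table)
    out["rows_left"] = sorted(table)
    return out


if __name__ == "__main__":
    print(demo())
```

The guard is deliberately a plain predicate so it can be unit-tested and reused from a template tag or context variable; inlining `user_role.user != request.user` in the template works today but is a second copy of the rule that will silently diverge the first time the policy grows (for example, to forbid removing the last remaining owner).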

@@ -67,12 +67,18 @@
{% endif %}
</td>
<td>
<a href="{% url 'user_roles:edit' user_role.pk %}" class="btn btn-sm btn-outline-primary">
<i class="bi bi-pencil"></i> Изменить
</a>
<a href="{% url 'user_roles:delete' user_role.pk %}" class="btn btn-sm btn-outline-danger">
<i class="bi bi-trash"></i> Удалить
</a>
{% if user_role.user != request.user %}
<a href="{% url 'user_roles:edit' user_role.pk %}" class="btn btn-sm btn-outline-primary">
<i class="bi bi-pencil"></i> Изменить
</a>
<a href="{% url 'user_roles:delete' user_role.pk %}" class="btn btn-sm btn-outline-danger">
<i class="bi bi-trash"></i> Удалить
</a>
{% else %}
<span class="text-muted small">
<i class="bi bi-lock"></i> Ваша роль
</span>
{% endif %}
</td>
</tr>
{% endfor %}
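Review bot: the `{% if user_role.user != request.user %}` branch is a UI affordance only; nothing in this hunk stops a request sent directly to `{% url 'user_roles:edit' user_role.pk %}` or the delete URL, so the protection depends entirely on the view-side `RoleService.can_modify_user_role()` check the commit message mentions, which is in one of the other changed files and should be reviewed together with this template. Rather than restating the rule inline as a user comparison, expose the service result to the template (a context flag or template tag), so the template and the views cannot drift apart when the policy is extended; the inline comparison is also the only place in the hunk where the rule is spelled out, and there is no comment tying it back to the service. Minor: the `{% else %}` label "Ваша роль" ("Your role") and the button labels "Изменить"/"Удалить" ("Edit"/"Delete") are hard-coded Russian strings in a template that otherwise uses `{% url %}` tags; wrapping them in `{% trans %}` would keep them translatable.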