smaa/octopus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat: add self-modification protection for user roles

Browse Source 
Protect owners from accidentally locking themselves out by:
- Adding RoleService.can_modify_user_role() to centralize validation logic
- Blocking edit/delete operations on own role in views
- Hiding edit/delete buttons for own role in template

This prevents owners from:
- Changing their own role to a lower privilege level
- Deactivating themselves
- Deleting their own access

Standard admin pattern used by GitHub, WordPress, Django Admin.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Andrey Smakotin
2025-12-01 23:06:54 +03:00
parent ffc3b0c42d
commit f2c1f7e02d
3 changed files with 46 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
myproject/user_roles/views.py
View File

@@ -64,6 +64,12 @@ def user_role_edit(request, pk):
"""Изменение роли пользователя"""
user_role = get_object_or_404(UserRole, pk=pk)
# Защита от самоблокировки
can_modify, error_message = RoleService.can_modify_user_role(request.user, user_role)
if not can_modify:
messages.error(request, error_message)
return redirect('user_roles:list')
if request.method == 'POST':
role_code = request.POST.get('role')
is_active = request.POST.get('is_active') == 'on'
@@ -98,6 +104,12 @@ def user_role_delete(request, pk):
"""Удаление роли пользователя (отключение доступа)"""
user_role = get_object_or_404(UserRole, pk=pk)
# Защита от самоблокировки
can_modify, error_message = RoleService.can_modify_user_role(request.user, user_role)
if not can_modify:
messages.error(request, error_message)
return redirect('user_roles:list')
if request.method == 'POST':
email = user_role.user.email
user_role.delete()