MDL-23774 deleting of admins is a restricted operation, also external…

… lib should not delete the account that is calling it; user pictures are not a problem any more
moodle · Aug 12, 2010 · b73a28b · b73a28b
1 parent 6f4b954
commit b73a28b
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/user/externallib.php b/user/externallib.php
@@ -198,7 +198,7 @@ public static function delete_users_parameters() {
     }
 
     public static function delete_users($userids) {
-        global $CFG, $DB;
+        global $CFG, $DB, $USER;
         require_once($CFG->dirroot."/user/lib.php");
 
         // Ensure the current user is allowed to run this function
@@ -209,10 +209,13 @@ public static function delete_users($userids) {
         $params = self::validate_parameters(self::delete_users_parameters(), array('userids'=>$userids));
 
         $transaction = $DB->start_delegated_transaction();
-        // TODO: this is problematic because the DB rollback does not handle rollbacking of deleted user images!
 
         foreach ($params['userids'] as $userid) {
             $user = $DB->get_record('user', array('id'=>$userid, 'deleted'=>0), '*', MUST_EXIST);
+            // must not allow deleting of admins or self!!!
+            if (is_siteadmin($user) or $USER->id == $user->id) {
+                throw new moodle_exception('nopermissions', 'error');
+            }
             user_delete_user($user);
         }