From a4c62f68604ab421cc1653e6e6ca2cbf61cb86b9 Mon Sep 17 00:00:00 2001
From: Evan Harris <eharris@puremagic.com>
Date: Sat, 15 Jun 2019 02:55:40 -0500
Subject: [PATCH] Disallow deleting your own user or removing admin role

---
 .../org/airsonic/player/command/UserSettingsCommand.java | 9 +++++++++
 .../player/controller/UserSettingsController.java        | 1 +
 .../src/main/webapp/WEB-INF/jsp/userSettings.jsp         | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java b/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java
index 7b70be6a..2344b78d 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java
@@ -46,6 +46,7 @@ public class UserSettingsCommand {
 
     private List<User> users;
     private boolean isAdmin;
+    private boolean isCurrentUser;
     private boolean isPasswordChange;
     private boolean isNewUser;
     private boolean isDeleteUser;
@@ -166,6 +167,14 @@ public class UserSettingsCommand {
         isAdmin = admin;
     }
 
+    public boolean isCurrentUser() {
+        return isCurrentUser;
+    }
+
+    public void setCurrentUser(boolean currentUser) {
+        isCurrentUser = currentUser;
+    }
+
     public boolean isPasswordChange() {
         return isPasswordChange;
     }
diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java
index b64a623b..073126ea 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java
@@ -87,6 +87,7 @@ public class UserSettingsController {
                 UserSettings userSettings = settingsService.getUserSettings(user.getUsername());
                 command.setTranscodeSchemeName(userSettings.getTranscodeScheme().name());
                 command.setAllowedMusicFolderIds(Util.toIntArray(getAllowedMusicFolderIds(user)));
+                command.setCurrentUser(securityService.getCurrentUser(request).getUsername().equals(user.getUsername()));
             } else {
                 command.setNewUser(true);
                 command.setStreamRole(true);
diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
index 539a5983..b03210d2 100644
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
@@ -63,7 +63,7 @@
 
 <form:form method="post" action="userSettings.view" modelAttribute="command">
         <table style="${command.admin ? 'display:none' : ''}">
-            <tr>
+            <tr style="${command.currentUser ? 'display:none' : ''}">
                 <td><form:checkbox path="adminRole" id="admin" cssClass="checkbox"/></td>
                 <td><label for="admin"><fmt:message key="usersettings.admin"/></label></td>
             </tr>
@@ -136,7 +136,7 @@
         </tr>
     </table>
 
-    <c:if test="${not command.newUser and not command.admin}">
+    <c:if test="${not command.newUser and not command.admin and not command.currentUser}">
         <table class="indent">
             <tr>
                 <td><form:checkbox path="deleteUser" id="delete" cssClass="checkbox"/></td>