From a4c62f68604ab421cc1653e6e6ca2cbf61cb86b9 Mon Sep 17 00:00:00 2001
From: Evan Harris
Date: Sat, 15 Jun 2019 02:55:40 -0500
Subject: [PATCH 1/2] Disallow deleting your own user or removing admin role

---
 .../org/airsonic/player/command/UserSettingsCommand.java | 9 +++++++++
 .../player/controller/UserSettingsController.java | 1 +
 .../src/main/webapp/WEB-INF/jsp/userSettings.jsp | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java b/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java
index 7b70be6a..2344b78d 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/command/UserSettingsCommand.java
@@ -46,6 +46,7 @@ public class UserSettingsCommand {
     private List users;
     private boolean isAdmin;
+    private boolean isCurrentUser;
     private boolean isPasswordChange;
     private boolean isNewUser;
     private boolean isDeleteUser;
@@ -166,6 +167,14 @@ public class UserSettingsCommand {
         isAdmin = admin;
     }
 
+    public boolean isCurrentUser() {
+        return isCurrentUser;
+    }
+
+    public void setCurrentUser(boolean currentUser) {
+        isCurrentUser = currentUser;
+    }
+
     public boolean isPasswordChange() {
         return isPasswordChange;
     }
diff --git a/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java b/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java
index b64a623b..073126ea 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/UserSettingsController.java
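Review bot: `isCurrentUser()` and `setCurrentUser(boolean)` in the `@@ -166` hunk carry no Javadoc, and nothing in UserSettingsCommand says that this flag is a display hint rather than an authorization decision. As a bean property on the form-backing command it will take whatever value the form posts back if the view binds it, so callers must not gate deletion or role changes on it; the commit title suggests it only hides controls in userSettings.jsp, whose hunk content is not visible here. I would add `/** True when the user being edited is the logged-in user. Set by UserSettingsController when loading an existing user; intended for the view and not usable as an authorization check, since the command is bound from the request. */` above the getter.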
@@ -87,6 +87,7 @@ public class UserSettingsController {
             UserSettings userSettings = settingsService.getUserSettings(user.getUsername());
             command.setTranscodeSchemeName(userSettings.getTranscodeScheme().name());
             command.setAllowedMusicFolderIds(Util.toIntArray(getAllowedMusicFolderIds(user)));
+            command.setCurrentUser(securityService.getCurrentUser(request).getUsername().equals(user.getUsername()));
         } else {
             command.setNewUser(true);
             command.setStreamRole(true);
diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
index 539a5983..b03210d2 100644
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
@@ -63,7 +63,7 @@ - +
@@ -136,7 +136,7 @@
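Review bot: The added line in the `@@ -87` hunk compares `securityService.getCurrentUser(request).getUsername()` with `user.getUsername()` by exact `String.equals`; if usernames are stored or matched case-insensitively elsewhere (not visible here), an admin editing their own account under a differently-cased name would not get the self-edit flag and the view would still offer the delete and admin controls. The chain also assumes `getCurrentUser(request)` never returns null, which is presumably guaranteed because this page requires a login — worth confirming. Pulling the name into a local, `String currentUsername = securityService.getCurrentUser(request).getUsername();`, would make the comparison readable and keep the line within width. The enclosing method starts and ends outside the hunk.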
- +
From 983d688cce44fed128a832fedb9b8cf113cb6bd8 Mon Sep 17 00:00:00 2001
From: Evan Harris
Date: Wed, 26 Jun 2019 23:56:02 -0500
Subject: [PATCH 2/2] Added validation to reject things disallowed on the current user

---
 .../player/validator/UserSettingsValidator.java | 14 ++++++++++++++
 .../src/main/webapp/WEB-INF/jsp/userSettings.jsp | 2 ++
 2 files changed, 16 insertions(+)

diff --git a/airsonic-main/src/main/java/org/airsonic/player/validator/UserSettingsValidator.java b/airsonic-main/src/main/java/org/airsonic/player/validator/UserSettingsValidator.java
index e3d912f6..e44f2bb0 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/validator/UserSettingsValidator.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/validator/UserSettingsValidator.java
@@ -29,6 +29,8 @@ import org.springframework.stereotype.Component; import org.springframework.validation.Errors; import org.springframework.validation.Validator; +import javax.servlet.http.HttpServletRequest; + /** * Validator for {@link UserSettingsController}. *
@@ -41,6 +43,8 @@ public class UserSettingsValidator implements Validator { private SecurityService securityService; @Autowired private SettingsService settingsService; + @Autowired + private HttpServletRequest request; /** * {@inheritDoc}
@@ -85,6 +89,16 @@ public class UserSettingsValidator implements Validator { errors.rejectValue("password", "usersettings.passwordnotsupportedforldap"); } + if (securityService.getCurrentUser(request).getUsername().equals(username)) { + // These errors don't need translation since the option isn't exposed to the user + if (command.isDeleteUser()) { + errors.rejectValue("deleteUser", null, "Cannot delete the current user"); + } + if (! command.isAdminRole()) { + errors.rejectValue("adminRole", null, "Cannot remove admin from the current user"); + } + } + } }
\ No newline at end of file
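Review bot: The guard in the `@@ -85` hunk recomputes the caller's identity from the session via `securityService.getCurrentUser(request)` instead of trusting the form-bound `command.isCurrentUser()`, which is the correct choice because the command is populated from the request and could be set by the client, but the hunk does not say so and a later cleanup could "simplify" it into using the flag. I would replace the existing comment with `// Identity must come from the session, not command.isCurrentUser(): the command is bound from the request and is client-controlled. Messages are untranslated because the view hides these controls for the current user.` Both `rejectValue` calls pass `null` as the error code, which Spring tolerates by falling back to the default message, but if the view really hides these controls for the current user (JSP content is stripped here) the field error may never be rendered and the rejection will look like a silent failure. `!command.isAdminRole()` also rejects every self-edit by a non-admin, which is only harmless if this controller is admin-only — worth confirming. The validate method starts outside this hunk; the same anchor covers the `@@ -41` hunk, where field-injecting `HttpServletRequest` into a singleton `@Component` relies on Spring's request-scoped proxy and merits a one-line comment saying so.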
diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
index b03210d2..75771d98 100644
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
@@ -66,6 +66,7 @@ +
@@ -141,6 +142,7 @@ +