From 5dd34fb07362caf6c90c4379d967c44d343146f6 Mon Sep 17 00:00:00 2001
From: leandrofars
Date: Tue, 30 Apr 2024 17:45:05 -0300
Subject: [PATCH] feat(api): allow user to delete his own account

---
 .../services/controller/internal/api/user.go | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/backend/services/controller/internal/api/user.go b/backend/services/controller/internal/api/user.go
index bb32b37..a3707a6 100644
--- a/backend/services/controller/internal/api/user.go
+++ b/backend/services/controller/internal/api/user.go
@@ -105,21 +105,21 @@ func (a *Api) deleteUser(w http.ResponseWriter, r *http.Request) {
 //Check if user which is requesting deletion has the necessary privileges
 rUser, err := a.db.FindUser(email)
- if rUser.Level != AdminUser {
- w.WriteHeader(http.StatusForbidden)
+ if err != nil {
+ w.WriteHeader(http.StatusInternalServerError)
 return
 }
 userEmail := mux.Vars(r)["user"]
- if userEmail == email {
- w.WriteHeader(http.StatusBadRequest)
- return
- }
- if err := a.db.DeleteUser(userEmail); err != nil {
- w.WriteHeader(http.StatusInternalServerError)
- json.NewEncoder(w).Encode(err)
- return
+ if rUser.Email == userEmail || (rUser.Level == AdminUser && rUser.Email != userEmail) { //Admin can delete any user, but can't delete himself
+ if err := a.db.DeleteUser(userEmail); err != nil {
+ w.WriteHeader(http.StatusInternalServerError)
+ json.NewEncoder(w).Encode(err)
+ return
+ }
+ } else {
+ w.WriteHeader(http.StatusForbidden)
 }
 }
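Review bot: The new authorization condition carries a redundant `rUser.Email != userEmail` test in its second disjunct, and the trailing comment contradicts the code — with this change an admin whose own address is in the path takes the first branch and deletes himself, so `//Admin can delete any user, but can't delete himself` no longer holds. The line simplifies to `if rUser.Email == userEmail || rUser.Level == AdminUser { // any user may delete their own account; admins may delete any account`; if removing the last admin account should stay blocked, that needs an explicit check here rather than the comment. The reordering also means a `FindUser` failure for the caller (presumably including not-found) now surfaces as 500 before any authorization decision — confirm that is the intended status. The retained `json.NewEncoder(w).Encode(err)` on the `DeleteUser` failure path sends the raw storage error to the client, and for typical error types it marshals to `{}` anyway, so a fixed message would be both safer and more useful. deleteUser begins before this hunk, where `email` is derived.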