From d8e6a8cd5b0dcf28fc510c9b83c12401108520f2 Mon Sep 17 00:00:00 2001 From: Davide Alberani Date: Sun, 12 Feb 2017 21:45:42 +0100 Subject: [PATCH] fixes #31: ability to delete users (for admins) --- ibt2.py | 9 ++++++++- monco.py | 4 ++-- src/Users.vue | 11 +++++++++-- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/ibt2.py b/ibt2.py index e7259ec..aea533f 100755 --- a/ibt2.py +++ b/ibt2.py @@ -479,7 +479,14 @@ class UsersHandler(BaseHandler): if id_ is None: return self.build_error(status=404, message='unable to access the resource') if not self.has_permission(id_): - return + return self.build_error(status=401, message='insufficient permissions: must be admin') + if id_ == self.current_user: + return self.build_error(status=401, message='unable to delete the current user; ask an admin') + doc = self.db.getOne(self.collection, {'_id': id_}) + if not doc: + return self.build_error(status=404, message='unable to access the resource') + if doc.get('username') == 'admin': + return self.build_error(status=401, message='unable to delete the admin user') howMany = self.db.delete(self.collection, id_) if id_ in self._users_cache: del self._users_cache[id_] diff --git a/monco.py b/monco.py index 2ee8076..e8e7b58 100644 --- a/monco.py +++ b/monco.py @@ -296,8 +296,8 @@ class Monco(object): :param force: force the deletion of all documents, when `_id_or_query` is empty :type force: bool - :returns: how many documents were removed - :rtype: int + :returns: dictionary with the number or removed documents + :rtype: dict """ if not _id_or_query and not force: return diff --git a/src/Users.vue b/src/Users.vue index 87b1979..ebab621 100644 --- a/src/Users.vue +++ b/src/Users.vue @@ -10,6 +10,7 @@ Username Email + Delete @@ -22,6 +23,11 @@ {{user.email}} + + + delete + + 
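Review bot: The admin-protection check near the end of the added lines matches only the literal name, `if doc.get('username') == 'admin':`, so any other account with admin rights can still be deleted, and the guard stops working if that account is renamed or stored with different casing. If user documents carry an admin flag (not visible in this hunk), testing that flag and refusing to delete the last remaining admin would be sturdier. The three new permission failures return 401, which tells clients that authentication is missing; for an authenticated caller who lacks rights, 403 is the conventional status, e.g. `return self.build_error(status=403, message='insufficient permissions: must be admin')`. The comparison `id_ == self.current_user` presumably relies on both sides having the same type (string vs. database id), which is worth confirming because a mismatch would let the self-delete guard pass. The handler method starts and ends outside the hunk.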
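Review bot: The updated docstring in monco.py says the method returns a dict, but the guard directly below it, `if not _id_or_query and not force: return`, yields None, so a caller that reads a key from the result has to handle that case. I would document it, e.g. `:returns: dictionary with the number of removed documents, or None when nothing was requested`, which also fixes the "number or removed" typo. The method body continues outside the hunk.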
@@ -71,11 +77,12 @@ export default { }, deleteUser(userId) { - this.usersUrl.update({id: userId}).then((response) => { + this.usersUrl.delete({id: userId}).then((response) => { return response.json(); }, (response) => { - this.$refs.dialogObj.show({text: 'unable to delete the user'}); + this.$refs.dialogObj.show({text: 'unable to delete the user: ' + response.body.message}); }).then((data) => { + this.getUsers(); }); } },
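Review bot: The error callback dereferences `response.body.message` without checking that a body came back, so a network failure or a non-JSON error response would throw inside the handler and the dialog would never be shown. A guarded form such as `const detail = (response.body && response.body.message) || response.statusText;` keeps the failure path working. The delete request is also sent straight from `deleteUser` with no confirmation step visible in this hunk; since the operation cannot be undone, asking for confirmation before calling `this.usersUrl.delete` would be worth adding. The component's methods block continues outside the hunk.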