diff --git a/dal/views.py b/dal/views.py
index e03a634..4c76c13 100644
--- a/dal/views.py
+++ b/dal/views.py
@@ -379,24 +379,27 @@ class DeleteAccount(View):
 # Does the user exist?
 username = request.POST.get('username')
- if not check_user_exists(username):
- return render(request, 'error.html', { 'urlname': urlname, 'service': service, 'error': 'Unknown user.' } )
-
- # Do user and password match?
- password = request.POST.get('password')
- pwd = r'%s' % password
- check = authenticate(request, username=username, password=pwd)
- if check is None:
- return render(request, 'error.html', { 'urlname': urlname, 'service': service, 'error': 'Wrong password for user.' } )
-
- # Try to delete the user
- with get_pool().next() as rpc:
- result = rpc.deleteuser.delete_user(username)
- # User deleted
- if result == True:
- logout(request)
- return render(request, 'deleteduser.html', { 'user': username } )
- # User not deleted, got some kind of error
+ ldap_manager = LdapManager()
+ user_exists, user_details = ldap_manager.check_user_exists(username)
+ if user_exists and request.user.username == username:
+ # Do user and password match?
+ password = request.POST.get('password')
+ pwd = r'%s' % password
+ check = authenticate(request, username=username, password=pwd)
+ if check is None:
+ return render(request, 'error.html',
+ {'urlname': urlname, 'service': service,
+ 'error': 'Wrong password for user.'})
+ result = ldap_manager.delete_user(username)
+ # User deleted
+ if result:
+ logout(request)
+ return render(request, 'deleteduser.html', {'user': username})
+ # User not deleted, got some kind of error
+ else:
+ return render(request, 'error.html',
+ {'urlname': urlname, 'service': service,
+ 'error': result})
 else:
 return render(request, 'error.html', { 'urlname': urlname, 'service': service, 'error': result } )
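Review bot: `if result:` accepts any truthy return from `ldap_manager.delete_user(username)`, where the removed code required `result == True`; since the new inner `else` renders `'error': result`, a failure may come back as a message, and a non-empty message would then count as success, logging the user out and showing `deleteduser.html` while the LDAP entry remains. `LdapManager` is not visible in this hunk, so its return contract should be confirmed, and if it can return an error value the check should be explicit, `if result is True:`. Separately, the unchanged trailing `else:` appears (indentation is lost in this view) to pair now with `if user_exists and request.user.username == username:`, a branch in which the visible code never assigns `result`, so an unknown or mismatched username would raise instead of rendering the error page. A fixed message there, for example `'error': 'Account deletion was refused.'`, avoids that and does not disclose whether the username exists. The method body starts and continues outside the hunk.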