Merge branch 'develop' of git.digitaltelepresence.com:digital-telepresence/dtp-base into develop

app/controllers/admin/user.js

@@ -100,10 +100,14 @@ class UserAdminController extends SiteController {
       user: userService,
     } = this.dtp.services;
     try {
+      
       const user = await userService.getLocalUserAccount(req.body.userId);
       if (!user) {
         throw new SiteError(404, 'User not found');
       }
+      if (req.user && req.user._id.equals(user._id)) {
+        throw new SiteError(400, "You can't archive yourself");
+      }
       res.locals.job = await userService.archiveLocalUser(user);
       loganService.sendRequestEvent(module.exports, req, {
         level: 'info',
@@ -138,6 +142,11 @@ class UserAdminController extends SiteController {
       this.log.debug('local user update', { action: req.body.action });
       switch (req.body.action) {
         case 'update':
+          if (req.user._id.equals(res.locals.userAccount._id)) {
+             if (req.user.flags.isAdmin && !(userDefinition.isAdmin === 'on')) {
+               throw new SiteError(400, "You can't remove your own admin privileges");
+             }
+          }
           await userService.updateLocalForAdmin(res.locals.userAccount, req.body);
           loganService.sendRequestEvent(module.exports, req, {
             level: 'info',
@@ -153,6 +162,9 @@ class UserAdminController extends SiteController {
           break;
 
         case 'ban':
+          if (req.user._id.equals(res.locals.userAccount._id)) {
+             throw new SiteError(400, "You can't ban yourself");
+          }
           await userService.ban(res.locals.userAccount);
           loganService.sendRequestEvent(module.exports, req, {
             level: 'info',