lucas-a-martins opened a new pull request, #8691: URL: https://github.com/apache/cloudstack/pull/8691
### Description Currently, ACS allows users to delete themselves by calling the `deleteUser` API via CLI. Fixing this behavior has been previously suggested in this [comment](https://github.com/apache/cloudstack/pull/7242#issuecomment-1433260909), as it leaves room for errors if users don't pay enough attention (e.g., when using the console's autocomplete feature), since the parameter passed is the user's `UUID` and it's not easily identifiable to whom this `UUID` belongs. Furthermore, there's already a feature to prevent a user from deleting themselves via the UI; however, slower environments create a small window where it's possible for the user to click the button before it's disabled, allowing deletion even through the UI (see this [comment](https://github.com/apache/cloudstack/pull/7242#issuecomment-1444300925)). This pull request addresses this issue by adding a validation that checks the caller's `UUID` and compares it with the `UUID` of the user they are trying to delete. If they are the same, an exception is thrown. ### Types of changes - [ ] Breaking change (fix or feature that would cause existing functionality to change) - [ ] New feature (non-breaking change which adds functionality) - [ ] Bug fix (non-breaking change which fixes an issue) - [x] Enhancement (improves an existing feature and functionality) - [ ] Cleanup (Code refactoring and cleanup, that may add test cases) - [ ] build/CI ### Feature/Enhancement Scale or Bug Severity #### Feature/Enhancement Scale - [ ] Major - [x] Minor #### Bug Severity - [ ] BLOCKER - [ ] Critical - [ ] Major - [ ] Minor - [ ] Trivial ### Screenshots (if appropriate):  ### How Has This Been Tested? I tested by creating a new user (Temp) and attempted to delete it using the same user via CloudMonkey. An exception was thrown, and the user was not deleted. Next, I attempted to delete the user via the UI by rapidly clicking the delete icon before being disabled. Once again, an exception was thrown without deleting the user as shown in the screenshot above. ```(Temp) 🐱 > delete user id=02392623-cd84-4695-ba49-ec187742b2cd 🙈 Error: (HTTP 431, error code 4350) The caller is requesting to delete itself. As a security measure, ACS will not allow this operation. To delete user Temp (ID: 02392623-cd84-4695-ba49-ec187742b2cd, Domain: d57f818f-efe2-44e4-810c-820f048c3129), request to another user with permission to execute the operation. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
