From 6834b5e00f31d9f7524d8a2977d2cb939a754b53 Mon Sep 17 00:00:00 2001
From: Vlad Stan
Date: Tue, 1 Apr 2025 14:01:02 +0300
Subject: [PATCH] feat: do not allow regular admins to edit super user (#3077)

---
 lnbits/core/views/user_api.py | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/lnbits/core/views/user_api.py b/lnbits/core/views/user_api.py
index bb367cac..f74ecd04 100644
--- a/lnbits/core/views/user_api.py
+++ b/lnbits/core/views/user_api.py
@@ -110,10 +110,18 @@ async def api_create_user(data: CreateUser) -> CreateUser:
 @users_router.put("/user/{user_id}", name="Update user")
-async def api_update_user(user_id: str, data: CreateUser) -> CreateUser:
+async def api_update_user(
+    user_id: str, data: CreateUser, user: User = Depends(check_admin)
+) -> CreateUser:
     if user_id != data.id:
         raise HTTPException(HTTPStatus.BAD_REQUEST, "User Id missmatch.")
+    if user_id == settings.super_user and user.id != settings.super_user:
+        raise HTTPException(
+            status_code=HTTPStatus.BAD_REQUEST,
+            detail="Action only allowed for super user.",
+        )
+
     if data.password or data.password_repeat:
         raise HTTPException(
             HTTPStatus.BAD_REQUEST, "Use 'reset password' functionality."
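Review bot: The new guard in api_update_user rejects a non-super-user admin with HTTPStatus.BAD_REQUEST, but this is an authorization failure rather than a malformed request; `status_code=HTTPStatus.FORBIDDEN` would let clients and access logs tell the two apart. The same five-line guard is repeated verbatim in the wallet-delete hunk of this patch, so a small helper such as `_require_super_user_for(user_id: str, user: User) -> None` called from both endpoints would keep the rule in one place and make future tightening a one-site change. The added `Depends(check_admin)` parameter presumably only surfaces the caller identity that the router already gates on (the router setup is outside this hunk), so for the update case the check itself looks correct; the end of api_update_user lies outside the hunk.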
@@ -255,13 +263,22 @@ async def api_users_undelete_user_wallet(user_id: str, wallet: str) -> SimpleSta
     summary="First time it is called it does a soft delete (only sets a flag)."
     "The second time it is called will delete the entry from the DB",
 )
-async def api_users_delete_user_wallet(user_id: str, wallet: str) -> SimpleStatus:
+async def api_users_delete_user_wallet(
+    user_id: str, wallet: str, user: User = Depends(check_admin)
+) -> SimpleStatus:
     wal = await get_wallet(wallet)
     if not wal:
         raise HTTPException(
             status_code=HTTPStatus.NOT_FOUND,
             detail="Wallet does not exist.",
         )
+
+    if user_id == settings.super_user and user.id != settings.super_user:
+        raise HTTPException(
+            status_code=HTTPStatus.BAD_REQUEST,
+            detail="Action only allowed for super user.",
+        )
+
     if wal.deleted:
         await force_delete_wallet(wallet)
         await delete_wallet(user_id=user_id, wallet_id=wallet)
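Review bot: The super-user guard in api_users_delete_user_wallet keys on the caller-supplied path `user_id` rather than on who actually owns the wallet, and nothing in the hunk checks that the two agree: `get_wallet(wallet)` looks the wallet up by id alone and `force_delete_wallet(wallet)` takes no user id, so once a super-user wallet has been soft-deleted a regular admin can apparently reach the hard-delete path for it by passing any other user id in the URL. Assuming the wallet model exposes its owner as `wal.user` (verify against the model), an ownership check right after the existence check closes this and makes the existing guard compare the right identity: `if wal.user != user_id: raise HTTPException(HTTPStatus.NOT_FOUND, "Wallet does not exist.")`. As in the update endpoint, `HTTPStatus.FORBIDDEN` describes this denial better than BAD_REQUEST. The function's remaining lines continue outside the hunk.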