From 1661e45e04f397b0b4b16ae130f92bac7a48936b Mon Sep 17 00:00:00 2001
From: Marcin-Ramotowski <marcin00.mr@gmail.com>
Date: Sat, 15 Mar 2025 16:31:30 +0000
Subject: [PATCH] Only admin can remove other users accounts

---
 api/user_views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/api/user_views.py b/api/user_views.py
index 6be00ca..08572ee 100644
--- a/api/user_views.py
+++ b/api/user_views.py
@@ -60,10 +60,14 @@ def edit_user(user_id):
 @user_bp.route('/users/<int:user_id>', methods=['DELETE'])
 @jwt_required()
 def remove_user(user_id):
+    logged_user_id = int(get_jwt_identity())
+    logged_user_role = User.query.get(logged_user_id).role
+    if logged_user_role != "Administrator" and logged_user_id != user_id:
+        return jsonify({'error': f'You can not remove other user accounts.'}), 403
     user_to_delete = User.query.get_or_404(user_id)
     db.session.delete(user_to_delete)
     db.session.commit()
-    return jsonify({})
+    return jsonify({"msg": "User removed successfully."})
 
 @user_bp.route('/login', methods=['POST'])
 def user_login():
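Review bot: `User.query.get(logged_user_id).role` on the second added line dereferences the lookup result unguarded, so a valid JWT whose subject no longer maps to a stored user (e.g. a token issued before that account was removed) produces an AttributeError and a 500 rather than a clean rejection. Bind the lookup and check it first: `logged_user = User.query.get(logged_user_id)` / `if logged_user is None: return jsonify({'error': 'Unknown user.'}), 401` and then compare `logged_user.role`. The 403 response line uses an f-string with no placeholders, so the `f` prefix can be dropped. The `remove_user` function is fully visible in the hunk; the trailing `user_login` lines are context only.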