Fix: Do not allow user self deletion via admin section

protected/humhub/docs/CHANGELOG.md

@@ -31,6 +31,7 @@ HumHub Change Log
 - Fix: Permalink better handling of deleted content
 - Fix: Activity exception on integrity check
 - Fix: Ensure profile field "internal name" contains at least one character
+- Fix: Do not allow user self deletion via admin section
 
 
 1.3.1  (August 7, 2018)

protected/humhub/modules/admin/controllers/UserController.php

@@ -137,7 +137,7 @@ class UserController extends Controller
             ],
         ];
 
-        if(Yii::$app->user->isAdmin() || !$user->isSystemAdmin()) {
+        if (Yii::$app->user->isAdmin() || !$user->isSystemAdmin()) {
             $definition['elements']['User']['elements']['status'] = [
                 'type' => 'dropdownlist',
                 'class' => 'form-control',
@@ -162,12 +162,14 @@ class UserController extends Controller
 
         ];
 
-        if(Yii::$app->user->isAdmin() || !$user->isSystemAdmin()) {
-            $definition['buttons']['delete'] = [
-                'type' => 'submit',
-                'label' => Yii::t('AdminModule.controllers_UserController', 'Delete'),
-                'class' => 'btn btn-danger',
-            ];
+        if (Yii::$app->user->isAdmin() || !$user->isSystemAdmin()) {
+            if (!$user->isCurrentUser()) {
+                $definition['buttons']['delete'] = [
+                    'type' => 'submit',
+                    'label' => Yii::t('AdminModule.controllers_UserController', 'Delete'),
+                    'class' => 'btn btn-danger',
+                ];
+            }
         }
 
         $form = new HForm($definition);
@@ -213,7 +215,7 @@ class UserController extends Controller
 
         $this->checkGroupAccess($user);
 
-        if (Yii::$app->user->id === $id) {
+        if ($user->isCurrentUser()) {
             throw new HttpException(400, Yii::t('AdminModule.user', 'You cannot delete yourself!'));
         }
 
@@ -227,11 +229,11 @@ class UserController extends Controller
 
     public function checkGroupAccess(User $user = null)
     {
-        if(!$user) {
+        if (!$user) {
             throw new HttpException(404, Yii::t('AdminModule.controllers_GroupController', 'Group not found!'));
         }
 
-        if($user->isSystemAdmin() && !Yii::$app->user->isAdmin()) {
+        if ($user->isSystemAdmin() && !Yii::$app->user->isAdmin()) {
             throw new HttpException(403);
         }
     }

protected/humhub/modules/admin/grid/UserActionColumn.php

@@ -26,6 +26,8 @@ class UserActionColumn extends ActionColumn
      */
     protected function renderDataCellContent($model, $key, $index)
     {
+        /** @var User $model */
+
         $actions = [];
         if ($model->status == User::STATUS_SOFT_DELETED) {
             $actions[Yii::t('AdminModule.user', 'Permanently delete')] = ['delete'];
@@ -39,7 +41,9 @@ class UserActionColumn extends ActionColumn
                 } elseif ($model->status == User::STATUS_ENABLED) {
                     $actions[Yii::t('AdminModule.user', 'Disable')] = ['disable', 'linkOptions' => ['data-method' => 'post', 'data-confirm' => Yii::t('AdminModule.user', 'Are you really sure that you want to disable this user?')]];
                 }
-                $actions[Yii::t('base', 'Delete')] = ['delete'];
+                if (!$model->isCurrentUser()) {
+                    $actions[Yii::t('base', 'Delete')] = ['delete'];
+                }
             }