diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index 4cb1063b44..741adb8091 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -632,21 +632,26 @@ class UsersController extends Controller
 $this->authorize('delete', $user);
- if ($user->delete()) {
+ if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {
+ if ($user->delete()) {
- // Remove the user's avatar if they have one
- if (Storage::disk('public')->exists('avatars/' . $user->avatar)) {
- try {
- Storage::disk('public')->delete('avatars/' . $user->avatar);
- } catch (\Exception $e) {
- Log::debug($e);
- }
+ // Remove the user's avatar if they have one
+ // @todo This should be done on purge, not here
+// if (Storage::disk('public')->exists('avatars/' . $user->avatar)) {
+// try {
+// Storage::disk('public')->delete('avatars/' . $user->avatar);
+// } catch (\Exception $e) {
+// Log::debug($e);
+// }
+// }
+
+ return response()->json(Helper::formatStandardApiResponse('success', null, trans('admin/users/message.success.delete')));
 }
- return response()->json(Helper::formatStandardApiResponse('success', null, trans('admin/users/message.success.delete')));
+ return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.error.delete')));
 }
- return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.error.delete')));
+ return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.cannot_delete')));
 }
diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index aa42415065..a934599001 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
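Review bot: The added gate `if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo'))` puts authorization logic inline in the controller, immediately after `$this->authorize('delete', $user)` has already passed, and the identical condition is repeated in the Users/UsersController hunk below. Folding those two abilities into the `delete` ability of the user policy would keep one enforcement point, so any other code path that calls `authorize('delete', ...)` (if one exists) picks it up and the two controllers cannot drift; the added `if` would then collapse back to `if ($user->delete())`. The commented-out avatar removal under the `@todo` should be deleted rather than kept as commented code (history preserves it); what is worth keeping is a one-line comment on the retention consequence, e.g. `// Avatar file is intentionally left on disk here; cleanup belongs in purge.` The enclosing method starts outside the hunk.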
@@ -351,10 +351,13 @@ class UsersController extends Controller
 if ($user = User::find($id)) {
 $this->authorize('delete', $user);
+ if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {
- if ($user->delete()) {
- return redirect()->route('users.index')->with('success', trans('admin/users/message.success.delete'));
+ if ($user->delete()) {
+ return redirect()->route('users.index')->with('success', trans('admin/users/message.success.delete'));
+ }
 }
+ return redirect()->route('users.index')->with('error', trans('admin/users/message.cannot_delete'));
 }
 return redirect()->route('users.index')->with('error', trans('admin/users/message.user_not_found'));
diff --git a/resources/lang/en-US/admin/users/message.php b/resources/lang/en-US/admin/users/message.php
index 2132e1001c..556d00fe01 100644
--- a/resources/lang/en-US/admin/users/message.php
+++ b/resources/lang/en-US/admin/users/message.php
@@ -6,7 +6,8 @@ return array(
 'declined' => 'You have successfully declined this item.',
 'bulk_manager_warn' => 'Your users have been successfully updated, however your manager entry was not saved because the manager you selected was also in the user list to be edited, and users may not be their own manager. Please select your users again, excluding the manager.',
 'user_exists' => 'User already exists!',
- 'user_not_found' => 'User does not exist or you do not have permission view them.',
+ 'cannot_delete' => 'User does not exist or you do not have permission to delete them.',
+ 'user_not_found' => 'User does not exist or you do not have permission to view them.',
 'user_login_required' => 'The login field is required',
 'user_has_no_assets_assigned' => 'No assets currently assigned to user.',
 'user_password_required' => 'The password is required.',
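Review bot: The new `cannot_delete` redirect after the added inner `if` is reached both when the ability check fails and when `$user->delete()` returns false, so a model-level refusal to delete is reported to the admin as a permissions problem; the Api controller hunk above keeps these apart with `error.delete`. Adding `return redirect()->route('users.index')->with('error', trans('admin/users/message.error.delete'));` inside the ability block, directly after the `if ($user->delete())` block, and leaving `cannot_delete` for the permission branch would make the two controllers report the same conditions the same way. The enclosing method starts outside the hunk.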