Forbid to delete the anonymous user.

2026-03-10 17:29:34 +01:00 · 2019-09-19 13:49:10 +02:00
parent 006cd9c7e5
commit a8612d9609
2 changed files with 5 additions and 1 deletions
--- a/src/Controller/UserController.php
+++ b/src/Controller/UserController.php
@@ -89,6 +89,9 @@ class UserController extends AdminPages\BaseAdminController
     */
    public function delete(Request $request, User $entity, StructuralElementRecursionHelper $recursionHelper)
    {
+        if ($entity->getID() == User::ID_ANONYMOUS) {
+            throw new \InvalidArgumentException('You can not delete the anonymous user! It is needed for permission checking without a logged in user');
+        }
        return $this->_delete($request, $entity, $recursionHelper);
    }

--- a/templates/AdminPages/_delete_form.html.twig
+++ b/templates/AdminPages/_delete_form.html.twig
@@ -6,7 +6,8 @@
    <div class="form-group">
        <div class=""></div>
        <div class="col offset-3 pl-2">
-            <button class="btn btn-danger" {% if not is_granted("delete", entity) %}disabled{% endif %}">{% trans %}entity.delete{% endtrans %}</button>
+            {% set delete_disabled = (not is_granted("delete", entity)) or (entity.group is defined and entity.id == 1) %}
+            <button class="btn btn-danger" {% if delete_disabled %}disabled{% endif %}>{% trans %}entity.delete{% endtrans %}</button>
            {% if entity.parent is defined  %}
            <div class="ml-2 custom-control custom-checkbox custom-control-inline">
                <input type="checkbox" class="custom-control-input" id="recursive" name="delete_recursive">