From 55fd31f5759e22930b6fb6e28d5cdcd384274a2e Mon Sep 17 00:00:00 2001
From: Yang Luo
Date: Thu, 4 May 2023 22:07:19 +0800
Subject: [PATCH] Disable built-in/admin's unexpected change
---
 controllers/user.go | 15 +++++++++++++++
 web/src/UserEditPage.js | 6 ++++++
 web/src/UserListPage.js | 2 +-
 3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/controllers/user.go b/controllers/user.go
index 92cc4431..ac3bad88 100644
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -158,6 +158,11 @@ func (c *ApiController) UpdateUser() {
 return
 }

+ if oldUser.Owner == "built-in" && oldUser.Name == "admin" && (user.Owner != "built-in" || user.Name != "admin") {
+ c.ResponseError(c.T("auth:Unauthorized operation"))
+ return
+ }
+
 if msg := object.CheckUpdateUser(oldUser, &user, c.GetAcceptLanguage()); msg != "" {
 c.ResponseError(msg)
 return
@@ -229,6 +234,11 @@ func (c *ApiController) DeleteUser() {
 return
 }

+ if user.Owner == "built-in" && user.Name == "admin" {
+ c.ResponseError(c.T("auth:Unauthorized operation"))
+ return
+ }
+
 c.Data["json"] = wrapActionResponse(object.DeleteUser(&user))
 c.ServeJSON()
 }
@@ -286,6 +296,11 @@ func (c *ApiController) SetPassword() {
 newPassword := c.Ctx.Request.Form.Get("newPassword")
 code := c.Ctx.Request.Form.Get("code")

+ //if userOwner == "built-in" && userName == "admin" {
+ // c.ResponseError(c.T("auth:Unauthorized operation"))
+ // return
+ //}
+
 if strings.Contains(newPassword, " ") {
 c.ResponseError(c.T("user:New password cannot contain blank space."))
 return
diff --git a/web/src/UserEditPage.js b/web/src/UserEditPage.js
index 19f00874..20619a2f 100644
--- a/web/src/UserEditPage.js
+++ b/web/src/UserEditPage.js
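Review bot: In UpdateUser the new guard compares only Owner and Name, so an update that keeps `built-in/admin` but changes other fields of that record still falls through to `object.CheckUpdateUser`; whether that function protects fields that would lock or demote the account is not visible in this hunk and should be confirmed. The `"built-in"`/`"admin"` pair is also spelled out again in DeleteUser, in the commented-out SetPassword block and in both front-end files, so a small helper such as `func isBuiltInAdmin(owner, name string) bool { return owner == "built-in" && name == "admin" }` would keep the checks from drifting apart. A one-line comment above the guard, e.g. `// the built-in administrator's owner and name must not change`, would record the intent. The function body starts and ends outside the hunk.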
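Review bot: In DeleteUser the guard tests `user.Owner` and `user.Name`, which appear to come from the request body (the decoding is outside the hunk), rather than a record loaded from storage as UpdateUser does with `oldUser`. If `object.DeleteUser` resolves the row by anything other than an exact match on those two strings, the guard and the delete can disagree about which account is meant. Loading the stored user first and applying the check to that record would make the two agree. A regression test that attempts to delete `built-in/admin` and expects the error response would pin the behaviour.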
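Review bot: The SetPassword hunk adds only a commented-out guard, so password changes for `built-in/admin` behave exactly as before while the code reads as if a protection had been considered. Dead code in an authorization path is easy to misread during an audit; either delete the block or replace it with a sentence stating the decision, e.g. `// built-in/admin may change its password here; permission is enforced by the checks below` (assuming such checks exist further down, which this hunk does not show). The function continues outside the hunk.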
@@ -180,6 +180,12 @@ class UserEditPage extends React.Component {
 disabled = true;
 }

+ if (accountItem.name === "Organization" || accountItem.name === "Name") {
+ if (this.state.user.owner === "built-in" && this.state.user.name === "admin") {
+ disabled = true;
+ }
+ }
+
 if (accountItem.name === "Organization") {
 return (
diff --git a/web/src/UserListPage.js b/web/src/UserListPage.js
index aee2e407..df7d0a20 100644
--- a/web/src/UserListPage.js
+++ b/web/src/UserListPage.js
@@ -339,7 +339,7 @@ class UserListPage extends BaseListPage {
 width: "190px",
 fixed: (Setting.isMobile()) ? "false" : "right",
 render: (text, record, index) => {
- const disabled = (record.owner === this.props.account.owner && record.name === this.props.account.name);
+ const disabled = (record.owner === this.props.account.owner && record.name === this.props.account.name) || (record.owner === "built-in" && record.name === "admin");
 return (