From 5788fb93c1a882c655ec9bfee98de19a03bef5a5 Mon Sep 17 00:00:00 2001
From: Pig Fang
Date: Thu, 2 Aug 2018 10:21:25 +0800
Subject: [PATCH] Disallow to delete administrator

---
 app/Http/Controllers/UserController.php | 5 +++++
 tests/UserControllerTest.php | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index bcf932e2..4eb8ff9b 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -167,9 +167,14 @@ class UserController extends Controller
 'password' => 'required|min:6|max:32'
 ]);
 
+ if ($user->isAdmin())
+ return json(trans('user.profile.delete.admin'), 1);
+
 if (! $user->verifyPassword($request->input('password')))
 return json(trans('user.profile.delete.wrong-password'), 1);
 
+ Auth::logout();
+
 if ($user->delete()) {
 session()->flush();
 
diff --git a/tests/UserControllerTest.php b/tests/UserControllerTest.php
index 9a47a300..1fab32ad 100644
--- a/tests/UserControllerTest.php
+++ b/tests/UserControllerTest.php
@@ -382,6 +382,16 @@ class UserControllerTest extends TestCase
 'msg' => trans('user.profile.delete.success')
 ]);
 $this->assertNull(User::find($user->uid));
+
+ // Administrator cannot be deleted
+ $this->actAs('admin')
+ ->postJson('/user/profile', [
+ 'action' => 'delete',
+ 'password' => '87654321'
+ ])->assertJson([
+ 'errno' => 1,
+ 'msg' => trans('user.profile.delete.admin')
+ ]);
 }
 
 public function testSetAvatar()
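Review bot: The added `Auth::logout();` runs before `$user->delete()` has reported success, so a failed delete leaves the requester logged out while the account still exists; move the logout into the success branch next to `session()->flush();` so both session side effects follow the same outcome. The new admin guard carries no explanation of why administrators are refused (the commit title only states the rule), so add a comment above it such as `// Administrators cannot delete their own account through the profile page` and, if the intent is to guarantee the site keeps an administrator, say so explicitly rather than leaving it to be guessed. The guard only protects this self-service path; whether other deletion paths apply the same rule cannot be seen from this hunk, and `$user` being the currently authenticated user is inferred from the surrounding logout/flush, not shown. The enclosing method begins and ends outside the hunk.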
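Review bot: The new assertion only checks the JSON error response; it does not verify that the admin row survives or that the session is still authenticated, so a regression that returned the error after deleting (or after the controller's new `Auth::logout()`) would still pass. Add follow-up assertions after the `assertJson` call, e.g. `$this->assertAuthenticated();` and an `assertNotNull(User::find(...))` on whatever uid `actAs('admin')` resolves to. Because the controller's admin guard runs before password verification, the literal `'password' => '87654321'` is never checked here; a short comment such as `// password is irrelevant: the admin guard fires before verification` would stop a future reader from treating it as the admin's real credential. The enclosing test method begins outside the hunk.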