fix: dashboard users api, cannot delete self

apps/emqx_dashboard/src/emqx_dashboard.appup.src

@@ -1,7 +1,13 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
-  [{"5.0.0",[{load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]}]},
+  [{"5.0.0", [
+    {load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]},
+    {load_module,emqx_dashboard_token,brutal_purge,soft_purge,[]}
+   ]},
    {<<".*">>,[]}],
-  [{"5.0.0",[{load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]}]},
+  [{"5.0.0", [
+    {load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]},
+    {load_module,emqx_dashboard_token,brutal_purge,soft_purge,[]}
+   ]},
    {<<".*">>,[]}]}.

apps/emqx_dashboard/src/emqx_dashboard_api.erl

@@ -272,20 +272,57 @@ user(put, #{bindings := #{username := Username}, body := Params}) ->
         {error, Reason} ->
             {404, ?USER_NOT_FOUND, Reason}
     end;
-user(delete, #{bindings := #{username := Username}}) ->
+user(delete, #{bindings := #{username := Username}, headers := Headers}) ->
     case Username == emqx_dashboard_admin:default_username() of
         true ->
             ?SLOG(info, #{msg => "Dashboard delete admin user failed", username => Username}),
             Message = list_to_binary(io_lib:format("Cannot delete user ~p", [Username])),
             {400, ?NOT_ALLOWED, Message};
+        false ->
+            case is_self_auth(Username, Headers) of
+                true ->
+                    {400, ?NOT_ALLOWED, <<"Cannot delete self">>};
                 false ->
                     case emqx_dashboard_admin:remove_user(Username) of
                         {error, Reason} ->
                             {404, ?USER_NOT_FOUND, Reason};
                         {ok, _} ->
-                    ?SLOG(info, #{msg => "Dashboard delete admin user", username => Username}),
+                            ?SLOG(info, #{
+                                msg => "Dashboard delete admin user", username => Username
+                            }),
                             {204}
                     end
+            end
+    end.
+
+is_self_auth(Username, #{<<"authorization">> := Token}) ->
+    is_self_auth(Username, Token);
+is_self_auth(Username, #{<<"Authorization">> := Token}) ->
+    is_self_auth(Username, Token);
+is_self_auth(Username, <<"basic ", Token/binary>>) ->
+    is_self_auth_basic(Username, Token);
+is_self_auth(Username, <<"Basic ", Token/binary>>) ->
+    is_self_auth_basic(Username, Token);
+is_self_auth(Username, <<"bearer ", Token/binary>>) ->
+    is_self_auth_token(Username, Token);
+is_self_auth(Username, <<"Bearer ", Token/binary>>) ->
+    is_self_auth_token(Username, Token).
+
+is_self_auth_basic(Username, Token) ->
+    UP = base64:decode(Token),
+    case binary:match(UP, Username) of
+        {0, N} ->
+            binary:part(UP, {N, 1}) == <<":">>;
+        _ ->
+            false
+    end.
+
+is_self_auth_token(Username, Token) ->
+    case emqx_dashboard_token:owner(Token) of
+        {ok, Owner} ->
+            Owner == Username;
+        {error, _NotFound} ->
+            false
     end.
 
 change_pwd(put, #{bindings := #{username := Username}, body := Params}) ->

apps/emqx_dashboard/src/emqx_dashboard_token.erl

@@ -22,6 +22,7 @@
     sign/2,
     verify/1,
     lookup/1,
+    owner/1,
     destroy/1,
     destroy_by_username/1
 ]).
@@ -161,6 +162,14 @@ lookup_by_username(Username) ->
     {atomic, List} = mria:ro_transaction(?DASHBOARD_SHARD, Fun),
     List.
 
+-spec owner(Token :: binary()) -> {ok, Username :: binary} | {error, not_found}.
+owner(Token) ->
+    Fun = fun() -> mnesia:read(?TAB, Token) end,
+    case mria:ro_transaction(?DASHBOARD_SHARD, Fun) of
+        {atomic, [#?ADMIN_JWT{username = Username}]} -> {ok, Username};
+        {atomic, []} -> {error, not_found}
+    end.
+
 jwk(Username, Password, Salt) ->
     Key = crypto:hash(md5, <<Salt/binary, Username/binary, Password/binary>>),
     #{