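def delete_user(self, id, deleter_username):
    """
    Delete the user with the given ID on behalf of another user.

    @param `id` - ID of the user to remove.
    @param `deleter_username` - username of the account requesting the
        deletion. Every permission decision below is derived from this
        value, so it must come from the authenticated session
        (authenticated_userid()), never from request parameters.

    @return `(False, message)` when the request is refused; otherwise the
        result of `User.remove_user(id)` is passed through unchanged.
    @raise SystemError - if `deleter_username` does not resolve to a user.
    """
    privileged_groups = ('group:admins', 'group:moderators')

    # Step 1: resolve the requesting account.
    info = User.get_user_info_by_name(deleter_username)
    if not info[0] or not info[1]['username']:
        # The requester is expected to be an authenticated user, so a miss
        # here points at a caller bug rather than at bad user input.
        raise SystemError('Wrong deleter username provided')
    deleter_info = info[1]
    deleter_group = deleter_info['group']

    # Step 2: authorize the requester before looking at the target.
    # Doing this first means an account without delete rights always gets
    # the same refusal and cannot use the "wrong id" / "yourself" answers
    # to learn which user IDs exist.
    if deleter_group not in privileged_groups:
        return False, "You don't have permissions to delete users"

    # Step 3: resolve the account that is about to be deleted.
    info = User.get_user_info_by_id(id)
    if not info[0] or not info[1]['username']:
        # Unlike the requester, the target ID is caller-supplied and may
        # legitimately not exist.
        return False, 'Wrong deleting id provided'
    deleting_user_info = info[1]

    if deleter_info['username'] == deleting_user_info['username']:
        return False, "You can't delete yourself"

    # Step 4: only admins may remove admins or moderators.
    if (deleting_user_info['group'] in privileged_groups
            and deleter_group != 'group:admins'):
        return False, "You don't have permissions to delete admins or moderators"

    return User.remove_user(id)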