only admin and owner can delete app (#810)

3 years ago · c13a90ee69
parent 5a7b51f809
commit c13a90ee69
1 changed files with 4 additions and 0 deletions
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@ -294,6 +294,10 @@ class AppApi(Resource):
    def delete(self, app_id):
        """Delete app"""
        app_id = str(app_id)
+
+        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+            raise Forbidden()
+        
        app = _get_app(app_id, current_user.current_tenant_id)

        db.session.delete(app)