Code cleanup and some fixes

api/user/delete.php

@@ -3,32 +3,36 @@ require_once("../_auth.php");
 require_once("../_utils.php");
 require_once("./index.php");
 
-function User_Delete($id){
-  global $db;
-  $s = $db->prepare("delete from users where id = $id");
-  $s->bind_param("s",$id);
-  return $s->execute() !== false;
+
+
+// Delete existing account
+function User_Delete ($id) {
+	global $db;
+	$s = $db->prepare("delete from users where id = $id");
+	$s->bind_param("s", $id);
+	return $s->execute() !== false;
 }
 
+
+
 if (ThisFileIsRequested(__FILE__)) {
 	require_once("../_json.php");
 	
-if (isset($_REQUEST["id"])) {
+	if (isset($_REQUEST["id"]) && $LOGGED_IN) {
 		if (!ctype_digit($_REQUEST["id"]))
 			ReturnJSONError($Err_RDP_InvalidID, "id must be numeric");
-     if(!User_HasRole("admin")){
-	    ReturnJSONError($Err_DP_NotEnoughRole,"You need to be admin to delete other accounts");
-	  }
 		$UserID = intval($_REQUEST["id"]);
+	} elseif (!isset($_REQUEST["id"]) && $LOGGED_IN) {
+		$UserID = $_SESSION["userid"];
 	} else {
-		if ($LOGGED_IN)
-			$UserID = $_SESSION["userid"];
-		else
-			ReturnJSONError($Err_RDP_InvalidID, "id must be specified or valid session must be provided");
-	}
-	  $result = User_Delete($UserID);
-	  session_unset();
-	  session_destroy();
-    ReturnJSONData(["success" => $result]);
+		ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided");
 	}
+
+	if (!User_HasRole($_SESSION["userid"], "admin") && $_SESSION["userid"] !== $UserID)
+		ReturnJSONError($Err_DP_NotEnoughRole, "you need to be admin to delete other accounts");
+
+	$result = User_Delete($UserID);
+	EndSession();
+	ReturnJSONData(["success" => $result]);
+}
 ?>