From c13a90ee691649b8722cf8a95bf7ec99fb25063f Mon Sep 17 00:00:00 2001
From: conghaoyuan
Date: Sat, 12 Aug 2023 14:18:21 +0800
Subject: [PATCH] only admin and owner can delete app (#810)

---
 api/controllers/console/app/app.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/api/controllers/console/app/app.py b/api/controllers/console/app/app.py
index d0bbbe8bf..cb7738e17 100644
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -294,6 +294,10 @@ class AppApi(Resource):
     def delete(self, app_id):
         """Delete app"""
         app_id = str(app_id)
+
+        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+            raise Forbidden()
+
         app = _get_app(app_id, current_user.current_tenant_id)
         db.session.delete(app)