Admin can delete their own account from the Users admin panel without restriction #39728
Open
Description:
An admin can delete their own account from the Admin > Users panel. There is no restriction preventing self-deletion from this interface, which immediately breaks the active session and can leave the workspace without an admin if no other admin exists.
Steps to reproduce:
- Log in as an admin
- Go to Admin > Users
- Find your own user in the list
- Click the three-dot actions menu
- Click Delete — no restriction, account is deleted immediately
Expected behavior:
The Delete option should not be available for the currently logged-in admin's own account in the Users panel.
Actual behavior:
Delete option is shown and functional. Clicking it deletes the admin's own account, immediately breaking the session. Browser console shows:
You must be logged in to do this.
Server Setup Information:
- Version of Rocket.Chat Server: 8.3.0-develop
- License Type: Community
- Number of Users: 2
- Operating System: Linux
- Deployment Method: Development environment
- Number of Running Instances: 1
- DB Replicaset Oplog: Enabled
- NodeJS Version: 22.16.0
- MongoDB Version: 7.2
Client Setup Information
- Desktop App or Browser Version: Chrome 145
- Operating System: Linux
Additional context
The delete action is handled in useDeleteUserAction.tsx. There is currently no check comparing the target user's ID against the currently logged-in user's ID before showing the delete option.
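The ID comparison this issue reports as missing, sketched as an added example that is not part of the original report and not Rocket.Chat's code. The `User` shape, `canDeleteUser` and the sample users are hypothetical; the same decision would need to run in the server-side delete handler as well, because hiding the menu item in the client does not stop a direct API call.

```typescript
// Hypothetical user shape for illustration; not Rocket.Chat's actual model.
type User = { _id: string; roles: string[]; active: boolean };
type Reason = 'not-found' | 'not-admin' | 'self-delete' | 'last-admin';
type Decision = { allowed: boolean; reason: Reason | null };

const isActiveAdmin = (u: User): boolean => u.active && u.roles.indexOf('admin') !== -1;
const byId = (users: User[], id: string): User | undefined =>
  users.filter((u) => u._id === id)[0];

// Decide whether the logged-in user `actorId` may delete `targetId`
// from the admin user list. Pure function, so the UI (to hide the
// Delete option) and the server (to reject the request) can share it.
function canDeleteUser(actorId: string, targetId: string, users: User[]): Decision {
  const actor = byId(users, actorId);
  const target = byId(users, targetId);
  if (!actor || !target) return { allowed: false, reason: 'not-found' };
  if (!isActiveAdmin(actor)) return { allowed: false, reason: 'not-admin' };

  // The missing check: target user's ID vs. the logged-in user's ID.
  if (actor._id === target._id) {
    // Worst case from the report: no other admin would remain afterwards.
    const otherAdmins = users.filter((u) => isActiveAdmin(u) && u._id !== actor._id);
    return { allowed: false, reason: otherAdmins.length === 0 ? 'last-admin' : 'self-delete' };
  }
  return { allowed: true, reason: null };
}

// Constructed sample mirroring the report's two-user workspace.
const SAMPLE_USERS: User[] = [
  { _id: 'admin1', roles: ['admin'], active: true },
  { _id: 'user1', roles: ['user'], active: true },
];
```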