Disable changing one's own permissions.

r2/r2/controllers/api.py

@@ -644,7 +644,8 @@ class ApiController(RedditController, OAuth2ResourceController):
 
         if type in ("moderator", "moderator_invite"):
             if not c.user_is_admin:
-                if type == "moderator" and not c.site.can_demod(c.user, target):
+                if type == "moderator" and (
+                    c.user == target or not c.site.can_demod(c.user, target)):
                     abort(403, 'forbidden')
                 if (type == "moderator_invite"
                     and not c.site.is_unlimited_moderator(c.user)):

r2/r2/lib/pages/pages.py

@@ -3019,7 +3019,7 @@ class ModList(UserList):
         elif c.user_is_admin:
             return True
         elif row_type == self.type:
-            return c.site.can_demod(c.user, user)
+            return c.user != user and c.site.can_demod(c.user, user)
         elif row_type == self.invite_type:
             return c.site.is_unlimited_moderator(c.user)
         else:
@@ -3028,7 +3028,7 @@ class ModList(UserList):
     def user_row(self, row_type, user, editable=True):
         perms = ModeratorPermissions(
             user, row_type, self.perms_by_type[row_type].get(user._id),
-            editable=editable and self.moderator_editable(user, row_type))
+            editable=editable)
         return UserTableItem(user, row_type, self.cells, self.container_name,
                              editable, self.remove_action, rel=perms)
 

r2/r2/templates/usertableitem.html

@@ -58,7 +58,9 @@
                                     id = thing.user._fullname,
                                     container = thing.container_name))}
     %else:
-      <span class="gray">${_("can't remove")}</span>
+      %if c.user != thing.user:
+        <span class="gray">${_("can't remove")}</span>
+      %endif
     %endif
   %elif thing.name == "note":
     <form action="/post/friendnote" id="friendnote-${thing.rel._fullname}"