Rework disallowing self bans by using the user ACL instead.

tildes/tildes/models/user/user.py

@@ -213,6 +213,7 @@ class User(DatabaseModel):
         if self.is_deleted:
             acl.append((Deny, Everyone, "ban"))
 
+        acl.append((Deny, self.user_id, "ban"))
         acl.append((Allow, "*:user.ban", "ban"))
 
         # view_removed_posts:

tildes/tildes/templates/user.jinja2

@@ -189,7 +189,7 @@
   <a href="/user/{{ user.username }}/new_message" class="btn btn-primary">Send a private message</a>
 {% endif %}
 
-{% if request.user != user and request.has_permission("ban", user) %}
+{% if request.has_permission("ban", user) %}
   <div class="divider"></div>
   {% if user.is_banned %}
     <button class="btn"

tildes/tildes/views/api/web/user.py

@@ -10,7 +10,6 @@ from typing import Optional
 from marshmallow import ValidationError
 from marshmallow.fields import String
 from pyramid.httpexceptions import (
-    HTTPBadRequest,
     HTTPForbidden,
     HTTPUnauthorized,
     HTTPUnprocessableEntity,
@@ -407,9 +406,6 @@ def put_user_ban(request: Request) -> Response:
     """Ban a user."""
     user = request.context
 
-    if request.user == user:
-        raise HTTPBadRequest("You cannot ban yourself")
-
     user.is_banned = True
 
     # delete all of the user's outstanding invite codes