teams: editor/viewer team admin cant remove the last admin.

2024-12-29 10:21:41 -06:00 · 2019-03-13 10:11:53 +01:00 · 2019-03-13 10:11:53 +01:00 · c420af16b1
commit c420af16b1
parent 246e128048
4 changed files with 33 additions and 6 deletions
--- a/pkg/api/team_members.go
+++ b/pkg/api/team_members.go
@ -67,6 +67,10 @@ func UpdateTeamMember(c *m.ReqContext, cmd m.UpdateTeamMemberCommand) Response {
 		return Error(403, "Not allowed to update team member", err)
 	}

+	if c.OrgRole != m.ROLE_ADMIN {
+		cmd.ProtectLastAdmin = true
+	}
+
 	cmd.TeamId = teamId
 	cmd.UserId = c.ParamsInt64(":userId")
 	cmd.OrgId = orgId
@ -91,7 +95,7 @@ func (hs *HTTPServer) RemoveTeamMember(c *m.ReqContext) Response {
 	}

 	protectLastAdmin := false
-	if c.OrgRole == m.ROLE_EDITOR {
+	if c.OrgRole != m.ROLE_ADMIN {
 		protectLastAdmin = true
 	}

--- a/pkg/models/team_member.go
+++ b/pkg/models/team_member.go
@ -35,10 +35,11 @@ type AddTeamMemberCommand struct {
 }

 type UpdateTeamMemberCommand struct {
-	UserId     int64          `json:"-"`
-	OrgId      int64          `json:"-"`
-	TeamId     int64          `json:"-"`
-	Permission PermissionType `json:"permission"`
+	UserId           int64          `json:"-"`
+	OrgId            int64          `json:"-"`
+	TeamId           int64          `json:"-"`
+	Permission       PermissionType `json:"permission"`
+	ProtectLastAdmin bool           `json:"-"`
 }

 type RemoveTeamMemberCommand struct {
--- a/pkg/services/sqlstore/team.go
+++ b/pkg/services/sqlstore/team.go
@ -271,6 +271,18 @@ func UpdateTeamMember(cmd *m.UpdateTeamMemberCommand) error {
 			return m.ErrTeamMemberNotFound
 		}

+		if cmd.ProtectLastAdmin {
+			lastAdmin, err := isLastAdmin(sess, cmd.OrgId, cmd.TeamId, cmd.UserId)
+			if err != nil {
+				return err
+			}
+
+			if lastAdmin {
+				return m.ErrLastTeamAdmin
+			}
+
+		}
+
 		if cmd.Permission != m.PERMISSION_ADMIN {
 			cmd.Permission = 0
 		}
--- a/pkg/services/sqlstore/team_test.go
+++ b/pkg/services/sqlstore/team_test.go
@ -190,11 +190,21 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				})

 				Convey("A user should be able to remove an admin if there are other admins", func() {
-					err = AddTeamMember(&m.AddTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[1], Permission: m.PERMISSION_ADMIN})
+					AddTeamMember(&m.AddTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[1], Permission: m.PERMISSION_ADMIN})
 					err = RemoveTeamMember(&m.RemoveTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[0], ProtectLastAdmin: true})
 					So(err, ShouldEqual, nil)
 				})

+				Convey("A user should not be able to remove the admin permission for the last admin", func() {
+					err = UpdateTeamMember(&m.UpdateTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[0], Permission: 0, ProtectLastAdmin: true})
+					So(err, ShouldEqual, m.ErrLastTeamAdmin)
+				})
+
+				Convey("A user should be able to remove the admin permission if there are other admins", func() {
+					AddTeamMember(&m.AddTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[1], Permission: m.PERMISSION_ADMIN})
+					err = UpdateTeamMember(&m.UpdateTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[0], Permission: 0, ProtectLastAdmin: true})
+					So(err, ShouldEqual, nil)
+				})
 			})

 			Convey("Should be able to remove a group with users and permissions", func() {