Login: Remove single admin team restriction (#54534)

* Remove single member team restriction * Add label when permissions list is empty * Fix unit tests * Add co-author. Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-02-25 18:55:37 -06:00 · 2022-09-02 18:16:39 +02:00 · 2022-09-02 18:16:39 +02:00 · d2bb72fb3c
commit d2bb72fb3c
parent 4bba3223a0
4 changed files with 20 additions and 49 deletions
--- a/pkg/services/sqlstore/team.go
+++ b/pkg/services/sqlstore/team.go
@ -433,12 +433,6 @@ func updateTeamMember(sess *DBSession, orgID, teamID, userID int64, permission m

 	if permission != models.PERMISSION_ADMIN {
 		permission = 0 // make sure we don't get invalid permission levels in store
-
-		// protect the last team admin
-		_, err := isLastAdmin(sess, orgID, teamID, userID)
-		if err != nil {
-			return err
-		}
 	}

 	member.Permission = permission
@ -464,11 +458,6 @@ func removeTeamMember(sess *DBSession, cmd *models.RemoveTeamMemberCommand) erro
 		return err
 	}

-	_, err := isLastAdmin(sess, cmd.OrgId, cmd.TeamId, cmd.UserId)
-	if err != nil {
-		return err
-	}
-
 	var rawSQL = "DELETE FROM team_member WHERE org_id=? and team_id=? and user_id=?"
 	res, err := sess.Exec(rawSQL, cmd.OrgId, cmd.TeamId, cmd.UserId)
 	if err != nil {
@ -482,29 +471,6 @@ func removeTeamMember(sess *DBSession, cmd *models.RemoveTeamMemberCommand) erro
 	return err
 }

-func isLastAdmin(sess *DBSession, orgId int64, teamId int64, userId int64) (bool, error) {
-	rawSQL := "SELECT user_id FROM team_member WHERE org_id=? and team_id=? and permission=?"
-	userIds := []*int64{}
-	err := sess.SQL(rawSQL, orgId, teamId, models.PERMISSION_ADMIN).Find(&userIds)
-	if err != nil {
-		return false, err
-	}
-
-	isAdmin := false
-	for _, adminId := range userIds {
-		if userId == *adminId {
-			isAdmin = true
-			break
-		}
-	}
-
-	if isAdmin && len(userIds) == 1 {
-		return true, models.ErrLastTeamAdmin
-	}
-
-	return false, err
-}
-
 // GetUserTeamMemberships return a list of memberships to teams granted to a user
 // If external is specified, only memberships provided by an external auth provider will be listed
 // This function doesn't perform any accesscontrol filtering.
--- a/pkg/services/sqlstore/team_test.go
+++ b/pkg/services/sqlstore/team_test.go
@ -251,25 +251,18 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
 				require.Equal(t, len(q2.Result), 0)
 			})

-			t.Run("Should never remove the last admin of a team", func(t *testing.T) {
+			t.Run("Should have empty teams", func(t *testing.T) {
 				err = sqlStore.AddTeamMember(userIds[0], testOrgID, team1.Id, false, models.PERMISSION_ADMIN)
 				require.NoError(t, err)

-				t.Run("A user should not be able to remove the last admin", func(t *testing.T) {
-					err = sqlStore.RemoveTeamMember(context.Background(), &models.RemoveTeamMemberCommand{OrgId: testOrgID, TeamId: team1.Id, UserId: userIds[0]})
-					require.Equal(t, err, models.ErrLastTeamAdmin)
-				})
-
-				t.Run("A user should be able to remove an admin if there are other admins", func(t *testing.T) {
-					err = sqlStore.AddTeamMember(userIds[1], testOrgID, team1.Id, false, models.PERMISSION_ADMIN)
-					require.NoError(t, err)
-					err = sqlStore.RemoveTeamMember(context.Background(), &models.RemoveTeamMemberCommand{OrgId: testOrgID, TeamId: team1.Id, UserId: userIds[1]})
-					require.NoError(t, err)
-				})
-
-				t.Run("A user should not be able to remove the admin permission for the last admin", func(t *testing.T) {
+				t.Run("A user should be able to remove the admin permission for the last admin", func(t *testing.T) {
 					err = sqlStore.UpdateTeamMember(context.Background(), &models.UpdateTeamMemberCommand{OrgId: testOrgID, TeamId: team1.Id, UserId: userIds[0], Permission: 0})
-					require.Error(t, err, models.ErrLastTeamAdmin)
+					require.NoError(t, err)
+				})
+
+				t.Run("A user should be able to remove the last member", func(t *testing.T) {
+					err = sqlStore.RemoveTeamMember(context.Background(), &models.RemoveTeamMemberCommand{OrgId: testOrgID, TeamId: team1.Id, UserId: userIds[0]})
+					require.NoError(t, err)
 				})

 				t.Run("A user should be able to remove the admin permission if there are other admins", func(t *testing.T) {
--- a/public/app/core/components/AccessControl/Permissions.tsx
+++ b/public/app/core/components/AccessControl/Permissions.tsx
@ -26,6 +26,7 @@ type Type = 'users' | 'teams' | 'builtInRoles';
 export type Props = {
  title?: string;
  buttonLabel?: string;
+  emptyLabel?: string;
  addPermissionTitle?: string;
  resource: string;
  resourceId: ResourceId;
@ -35,6 +36,7 @@ export type Props = {
 export const Permissions = ({
  title = 'Permissions',
  buttonLabel = 'Add a permission',
+  emptyLabel = 'There are no permissions',
  resource,
  resourceId,
  canSetPermissions,
@ -145,6 +147,15 @@ export const Permissions = ({
            onCancel={() => setIsAdding(false)}
          />
        </SlideDown>
+        {items.length === 0 && (
+          <table className="filter-table gf-form-group">
+            <tbody>
+              <tr>
+                <th>{emptyLabel}</th>
+              </tr>
+            </tbody>
+          </table>
+        )}
        <PermissionList
          title="Role"
          items={builtInRoles}
--- a/public/app/features/teams/TeamPermissions.tsx
+++ b/public/app/features/teams/TeamPermissions.tsx
@ -21,6 +21,7 @@ const TeamPermissions = (props: TeamPermissionsProps) => {
      title=""
      addPermissionTitle="Add member"
      buttonLabel="Add member"
+      emptyLabel="There are no members in this team or you do not have the permissions to list the current members."
      resource="teams"
      resourceId={props.team.id}
      canSetPermissions={canSetPermissions}