MM-30005: Require manage_system to patch system_admin role. (#16096)

* MM-30005: Require manage_system to patch system_admin role.

* MM-30005: Updates logic to include other new system roles.

* MM-30005: Removes unused translation.

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>

api4/role.go

@@ -110,8 +110,16 @@ func patchRole(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 	auditRec.AddMeta("role", oldRole)
 
-	if oldRole.Name == model.SYSTEM_ADMIN_ROLE_ID {
-		c.Err = model.NewAppError("Api4.PatchRoles", "api.roles.patch_roles.admin_role.error", nil, "", http.StatusNotImplemented)
+	// manage_system permission is required to patch system_admin
+	requiredPermission := model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_PERMISSIONS
+	specialProtectedSystemRoles := append(model.NewSystemRoleIDs, model.SYSTEM_ADMIN_ROLE_ID)
+	for _, roleID := range specialProtectedSystemRoles {
+		if oldRole.Name == roleID {
+			requiredPermission = model.PERMISSION_MANAGE_SYSTEM
+		}
+	}
+	if !c.App.SessionHasPermissionTo(*c.App.Session(), requiredPermission) {
+		c.SetPermissionError(requiredPermission)
 		return
 	}
 

i18n/en.json

@@ -1954,10 +1954,6 @@
     "id": "api.restricted_system_admin",
     "translation": "This action is forbidden to a restricted system admin."
   },
-  {
-    "id": "api.roles.patch_roles.admin_role.error",
-    "translation": "System Admin role cannot be edited or changed"
-  },
   {
     "id": "api.roles.patch_roles.license.error",
     "translation": "Your license does not support advanced permissions."