Prevent lone-admin from locking themselves out the system (#376)

resolves #367
2025-04-17 18:18:11 +00:00 · 2023-11-14 14:43:40 -08:00 · 2023-11-14 14:43:40 -08:00 · 085745c5e4
commit 085745c5e4
parent dd33767059
3 changed files with 45 additions and 1 deletions
--- a/server/endpoints/admin.js
+++ b/server/endpoints/admin.js
@ -55,6 +55,28 @@ function adminEndpoints(app) {
      try {
        const { id } = request.params;
        const updates = reqBody(request);
+        const user = await User.get({ id: Number(id) });
+
+        // Check to make sure with this update that includes a role change to
+        // something other than admin that we still have at least one admin left.
+        if (
+          updates.hasOwnProperty("role") && // has admin prop to change
+          updates.role !== "admin" && // and we are changing to non-admin
+          user.role === "admin" // and they currently are an admin
+        ) {
+          const adminCount = await User.count({ role: "admin" });
+          if (adminCount - 1 <= 0) {
+            response
+              .status(200)
+              .json({
+                success: false,
+                error:
+                  "No system admins will remain if you do this. Update failed.",
+              });
+            return;
+          }
+        }
+
        const { success, error } = await User.update(id, updates);
        response.status(200).json({ success, error });
      } catch (e) {
--- a/server/endpoints/api/admin/index.js
+++ b/server/endpoints/api/admin/index.js
@ -197,6 +197,28 @@ function apiAdminEndpoints(app) {

      const { id } = request.params;
      const updates = reqBody(request);
+      const user = await User.get({ id: Number(id) });
+
+      // Check to make sure with this update that includes a role change to
+      // something other than admin that we still have at least one admin left.
+      if (
+        updates.hasOwnProperty("role") && // has admin prop to change
+        updates.role !== "admin" && // and we are changing to non-admin
+        user.role === "admin" // and they currently are an admin
+      ) {
+        const adminCount = await User.count({ role: "admin" });
+        if (adminCount - 1 <= 0) {
+          response
+            .status(200)
+            .json({
+              success: false,
+              error:
+                "No system admins will remain if you do this. Update failed.",
+            });
+          return;
+        }
+      }
+
      const { success, error } = await User.update(id, updates);
      response.status(200).json({ success, error });
    } catch (e) {
--- a/server/models/user.js
+++ b/server/models/user.js
@ -21,7 +21,7 @@ const User = {

  update: async function (userId, updates = {}) {
    try {
-      const updatedUser = await prisma.users.update({
+      await prisma.users.update({
        where: { id: parseInt(userId) },
        data: updates,
      });