Merge pull request #107 from strapi/chore/disallow-disabling-last-super-admin

Chore/disallow disabling last super admin
2025-12-15 17:22:57 +00:00 · 2020-07-08 17:20:06 +02:00 · 2020-07-08 17:20:06 +02:00 · f2d449a965
commit f2d449a965
parent eb181bb9b2 9ec714fb2f
3 changed files with 45 additions and 18 deletions
--- a/packages/strapi-admin/domain/user.js
+++ b/packages/strapi-admin/domain/user.js
@ -1,5 +1,7 @@
 'use strict';

+const { SUPER_ADMIN_CODE } = require('../services/constants');
+
 /**
 * Create a new user model by merging default and specified attributes
 * @param attributes A partial user object
@ -13,6 +15,11 @@ function createUser(attributes) {
  };
 }

+const hasSuperAdminRole = user => {
+  return user.roles.filter(role => role.code === SUPER_ADMIN_CODE).length > 0;
+};
+
 module.exports = {
  createUser,
+  hasSuperAdminRole,
 };
--- a/packages/strapi-admin/services/tests/user.test.js
+++ b/packages/strapi-admin/services/tests/user.test.js
@ -132,12 +132,13 @@ describe('User', () => {
      const id = 1;
      const input = { email: 'test@strapi.io', password: '123' };

+      const findOne = jest.fn((_, user) => Promise.resolve(user));
      const update = jest.fn((_, user) => Promise.resolve(user));
      const hashPassword = jest.fn(() => Promise.resolve(hash));

      global.strapi = {
        query() {
-          return { update };
+          return { update, findOne };
        },
        admin: {
          services: {
@ -160,11 +161,13 @@ describe('User', () => {
      const user = {
        email: 'test@strapi.io',
      };
+
+      const findOne = jest.fn(() => Promise.resolve(user));
      const update = jest.fn(() => Promise.resolve(user));

      global.strapi = {
        query() {
-          return { update };
+          return { update, findOne };
        },
      };
      const id = 1;
--- a/packages/strapi-admin/services/user.js
+++ b/packages/strapi-admin/services/user.js
@ -1,8 +1,8 @@
 'use strict';

 const _ = require('lodash');
-const { stringIncludes, stringEquals } = require('strapi-utils');
-const { createUser } = require('../domain/user');
+const { stringIncludes } = require('strapi-utils');
+const { createUser, hasSuperAdminRole } = require('../domain/user');
 const { SUPER_ADMIN_CODE } = require('./constants');

 const sanitizeUserRoles = role => _.pick(role, ['id', 'name', 'description', 'code']);
@ -51,20 +51,26 @@ const create = async attributes => {
 const updateById = async (id, attributes) => {
  // Check at least one super admin remains
  if (_.has(attributes, 'roles')) {
+    const lastAdminUser = await isLastSuperAdminUser(id);
    const superAdminRole = await strapi.admin.services.role.getSuperAdminWithUsersCount();
-    const nbOfSuperAdminUsers = _.get(superAdminRole, 'usersCount');
-    const mayRemoveSuperAdmins = !stringIncludes(attributes.roles, superAdminRole.id);
+    const willRemoveSuperAdminRole = !stringIncludes(attributes.roles, superAdminRole.id);

-    if (nbOfSuperAdminUsers === 1 && mayRemoveSuperAdmins) {
-      const userWithAdminRole = await strapi
-        .query('user', 'admin')
-        .findOne({ roles: [superAdminRole.id] });
-      if (stringEquals(userWithAdminRole.id, id)) {
-        throw strapi.errors.badRequest(
-          'ValidationError',
-          'You must have at least one user with super admin role.'
-        );
-      }
+    if (lastAdminUser && willRemoveSuperAdminRole) {
+      throw strapi.errors.badRequest(
+        'ValidationError',
+        'You must have at least one user with super admin role.'
+      );
+    }
+  }
+
+  // cannot disable last super admin
+  if (attributes.isActive === false) {
+    const lastAdminUser = await isLastSuperAdminUser(id);
+    if (lastAdminUser) {
+      throw strapi.errors.badRequest(
+        'ValidationError',
+        'You must have at least one active user with super admin role.'
+      );
    }
  }

@ -84,6 +90,17 @@ const updateById = async (id, attributes) => {
  return strapi.query('user', 'admin').update({ id }, attributes);
 };

+/**
+ * Check if a user is the last super admin
+ * @param {int|string} userId user's id to look for
+ */
+const isLastSuperAdminUser = async userId => {
+  const user = await findOne({ id: userId }, ['roles']);
+  const superAdminRole = await strapi.admin.services.role.getSuperAdminWithUsersCount();
+
+  return superAdminRole.usersCount === 1 && hasSuperAdminRole(user);
+};
+
 /**
 * Check if a user with specific attributes exists in the database
 * @param attributes A partial user object
@ -133,8 +150,8 @@ const register = async ({ registrationToken, userInfo }) => {
 /**
 * Find one user
 */
-const findOne = async params => {
-  return strapi.query('user', 'admin').findOne(params);
+const findOne = async (params, populate) => {
+  return strapi.query('user', 'admin').findOne(params, populate);
 };

 /** Find many users (paginated)