Return an error message when an admin try to delete the only admin account #192
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…count of the application
…oup from the only admin account of the application
|
Indeed, once groups will be user-defined, we'll need to add fields_to_check = ["name"] |
eric-intuitem
requested changes
Apr 3, 2024
|
Done |
|
Remove builtin and user_groups__builtin, and make the languageTag: languageTag synthax like it was before |
monsieurswag
force-pushed
the
CA-329-An-admin-can-remove-his-admin-permissions-and-even-delete-his-account
branch
from
7d3d7e4 to
8051e52
Compare
eric-intuitem
deleted the
CA-329-An-admin-can-remove-his-admin-permissions-and-even-delete-his-account
branch
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I removed import { fail } from 'assert'; in "frontend/src/routes/(app)/users/[id=uuid]/edit/+page.server.ts", it seems like it was an error surely from someone who auto-imported the wrong fail function in a previous commit.
According to this Mixin definition the "name" field isn't unique which means there may multiple UserGroup object with the same name :
I am not sure having 2 user groups with the exact same name should be authorized by the application, is this normal ?
If some evil user could create a user group with the same name as the admin group and bypass some permission checks.
To address this potential issue in my code i always added builtin=True when fetching the admin group since builtin objects are meant to be immutable.