[permissions] forbid deletion of last admin user (#10504)

A user should not be able to delete their account if they are the last admin of a workspace. It means that if a user wants to sign out of twenty, they should delete their workspace, not their account
2025-02-27 12:44:51 +01:00
parent fb38828943
commit 17dbb634ca
8 changed files with 158 additions and 65 deletions
--- a/packages/twenty-server/src/engine/metadata-modules/user-role/user-role.service.ts
+++ b/packages/twenty-server/src/engine/metadata-modules/user-role/user-role.service.ts
@ -137,6 +137,35 @@ export class UserRoleService {
    return workspaceMembers;
  }

+  public async validateUserWorkspaceIsNotUniqueAdminOrThrow({
+    userWorkspaceId,
+    workspaceId,
+  }: {
+    userWorkspaceId: string;
+    workspaceId: string;
+  }) {
+    const roleOfUserWorkspace = await this.getRolesByUserWorkspaces({
+      userWorkspaceIds: [userWorkspaceId],
+      workspaceId,
+    }).then((roles) => roles.get(userWorkspaceId)?.[0]);
+
+    if (!isDefined(roleOfUserWorkspace)) {
+      throw new PermissionsException(
+        PermissionsExceptionMessage.NO_ROLE_FOUND_FOR_USER_WORKSPACE,
+        PermissionsExceptionCode.NO_ROLE_FOUND_FOR_USER_WORKSPACE,
+      );
+    }
+
+    if (roleOfUserWorkspace.label === ADMIN_ROLE_LABEL) {
+      const adminRole = roleOfUserWorkspace;
+
+      await this.validateMoreThanOneWorkspaceMemberHasAdminRoleOrThrow({
+        adminRoleId: adminRole.id,
+        workspaceId,
+      });
+    }
+  }
+
  private async validateAssignRoleInput({
    userWorkspaceId,
    workspaceId,
@ -187,8 +216,21 @@ export class UserRoleService {
      return;
    }

+    await this.validateMoreThanOneWorkspaceMemberHasAdminRoleOrThrow({
+      workspaceId,
+      adminRoleId: currentRole.id,
+    });
+  }
+
+  private async validateMoreThanOneWorkspaceMemberHasAdminRoleOrThrow({
+    adminRoleId,
+    workspaceId,
+  }: {
+    adminRoleId: string;
+    workspaceId: string;
+  }) {
    const workspaceMembersWithAdminRole =
-      await this.getWorkspaceMembersAssignedToRole(currentRole.id, workspaceId);
+      await this.getWorkspaceMembersAssignedToRole(adminRoleId, workspaceId);

    if (workspaceMembersWithAdminRole.length === 1) {
      throw new PermissionsException(