teams: editor/viewer team admin cant remove the last admin.

c420af16 · Leonard Gram · 246e1280 · c420af16 · c420af16 · c420af16
Commit c420af16 authored Mar 13, 2019 by Leonard Gram
Show whitespace changes
Inline Side-by-side

Showing with 29 additions and 2 deletions

pkg/api/team_members.go
+5 -1

pkg/models/team_member.go
+1 -0

pkg/services/sqlstore/team.go
+12 -0

pkg/services/sqlstore/team_test.go
+11 -1

No files found.
--- a/pkg/api/team_members.go
+++ b/pkg/api/team_members.go
@@ -67,6 +67,10 @@ func UpdateTeamMember(c *m.ReqContext, cmd m.UpdateTeamMemberCommand) Response {
 		return Error(403, "Not allowed to update team member", err)
 	}
+	if c.OrgRole != m.ROLE_ADMIN {
+		cmd.ProtectLastAdmin = true
+	}
 	cmd.TeamId = teamId
 	cmd.UserId = c.ParamsInt64(":userId")
 	cmd.OrgId = orgId
@@ -91,7 +95,7 @@ func (hs *HTTPServer) RemoveTeamMember(c *m.ReqContext) Response {
 	}
 	protectLastAdmin := false
-	if c.OrgRole == m.ROLE_EDITOR {
+	if c.OrgRole != m.ROLE_ADMIN {
 		protectLastAdmin = true
 	}

--- a/pkg/models/team_member.go
+++ b/pkg/models/team_member.go
@@ -39,6 +39,7 @@ type UpdateTeamMemberCommand struct {
 	OrgId            int64          `json:"-"`
 	TeamId           int64          `json:"-"`
 	Permission       PermissionType `json:"permission"`
+	ProtectLastAdmin bool           `json:"-"`
 }
 type RemoveTeamMemberCommand struct {

--- a/pkg/services/sqlstore/team.go
+++ b/pkg/services/sqlstore/team.go
@@ -271,6 +271,18 @@ func UpdateTeamMember(cmd *m.UpdateTeamMemberCommand) error {
 			return m.ErrTeamMemberNotFound
 		}
+		if cmd.ProtectLastAdmin {
+			lastAdmin, err := isLastAdmin(sess, cmd.OrgId, cmd.TeamId, cmd.UserId)
+			if err != nil {
+				return err
+			}
+			if lastAdmin {
+				return m.ErrLastTeamAdmin
+			}
+		}
 		if cmd.Permission != m.PERMISSION_ADMIN {
 			cmd.Permission = 0
 		}

--- a/pkg/services/sqlstore/team_test.go
+++ b/pkg/services/sqlstore/team_test.go
@@ -190,11 +190,21 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				})
 				Convey("A user should be able to remove an admin if there are other admins", func() {
-					err = AddTeamMember(&m.AddTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[1], Permission: m.PERMISSION_ADMIN})
+					AddTeamMember(&m.AddTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[1], Permission: m.PERMISSION_ADMIN})
 					err = RemoveTeamMember(&m.RemoveTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[0], ProtectLastAdmin: true})
 					So(err, ShouldEqual, nil)
 				})
+				Convey("A user should not be able to remove the admin permission for the last admin", func() {
+					err = UpdateTeamMember(&m.UpdateTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[0], Permission: 0, ProtectLastAdmin: true})
+					So(err, ShouldEqual, m.ErrLastTeamAdmin)
+				})
+				Convey("A user should be able to remove the admin permission if there are other admins", func() {
+					AddTeamMember(&m.AddTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[1], Permission: m.PERMISSION_ADMIN})
+					err = UpdateTeamMember(&m.UpdateTeamMemberCommand{OrgId: testOrgId, TeamId: group1.Result.Id, UserId: userIds[0], Permission: 0, ProtectLastAdmin: true})
+					So(err, ShouldEqual, nil)
+				})
 			})
 			Convey("Should be able to remove a group with users and permissions", func() {