[FIX] Avoid last admin deactivate itself (#22949)

RocketChat · Oct 18, 2021 · 65cc04e · 65cc04e
1 parent 877be6f
commit 65cc04e
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/app/lib/server/functions/setUserActiveStatus.js b/app/lib/server/functions/setUserActiveStatus.js
@@ -40,8 +40,18 @@ export function setUserActiveStatus(userId, active, confirmRelinquish = false) {
 		return false;
 	}
 
+
 	// Users without username can't do anything, so there is no need to check for owned rooms
 	if (user.username != null && !active) {
+		const userAdmin = Users.findOneAdmin(userId.count);
+		const adminsCount = Users.findActiveUsersInRoles(['admin']).count();
+		if (userAdmin && adminsCount === 1) {
+			throw new Meteor.Error('error-action-not-allowed', 'Leaving the app without an active admin is not allowed', {
+				method: 'removeUserFromRole',
+				action: 'Remove_last_admin',
+			});
+		}
+
 		const subscribedRooms = getSubscribedRoomsForUserWithDetails(userId);
 		// give omnichannel rooms a special treatment :)
 		const chatSubscribedRooms = subscribedRooms.filter(({ t }) => t !== 'l');

diff --git a/app/models/server/models/Users.js b/app/models/server/models/Users.js
@@ -569,6 +569,17 @@ export class Users extends Base {
 		return this.find(query, options);
 	}
 
+	findActiveUsersInRoles(roles, scope, options) {
+		roles = [].concat(roles);
+
+		const query = {
+			roles: { $in: roles },
+			active: true,
+		};
+
+		return this.find(query, options);
+	}
+
 	findOneByAppId(appId, options) {
 		const query = { appId };