Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do not allow removing the last admin role of a project #3715

Merged
merged 2 commits into from
Jun 26, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 24 additions & 5 deletions internal/controlplane/handlers_authz.go
Original file line number Diff line number Diff line change
Expand Up @@ -362,9 +362,8 @@ func (s *Server) inviteUser(
}

// If there are no invitations for this email, great, we should create one

sponsorDisplay := currentUser.IdentitySubject
// Resolve the sponsor's identity and display name
sponsorDisplay := currentUser.IdentitySubject
identity, err := s.idClient.Resolve(ctx, currentUser.IdentitySubject)
if err != nil {
zerolog.Ctx(ctx).Error().Err(err).Msg("error resolving identity")
Expand Down Expand Up @@ -576,7 +575,7 @@ func (s *Server) removeInvite(
func (s *Server) removeRole(
ctx context.Context,
targetProject uuid.UUID,
role authz.Role,
roleToRemove authz.Role,
subject string,
) (*minder.RemoveRoleResponse, error) {
var err error
Expand All @@ -595,14 +594,34 @@ func (s *Server) removeRole(
return nil, status.Errorf(codes.Internal, "error getting user: %v", err)
}

// Validate in case there's only one admin for the project and the user is trying to remove themselves
if roleToRemove == authz.AuthzRoleAdmin {
// Get all role assignments for the project
as, err := s.authzClient.AssignmentsToProject(ctx, targetProject)
if err != nil {
return nil, status.Errorf(codes.Internal, "error getting role assignments: %v", err)
}
// Count the number of admin roles
adminRolesCnt := 0
for _, existing := range as {
if existing.Role == authz.AuthzRoleAdmin.String() {
adminRolesCnt++
}
}
// If there's only one admin role, return an error
if adminRolesCnt <= 1 {
return nil, util.UserVisibleError(codes.FailedPrecondition, "cannot remove the last admin from the project")
}
}

// Delete the role assignment
if err := s.authzClient.Delete(ctx, identity.String(), role, targetProject); err != nil {
if err := s.authzClient.Delete(ctx, identity.String(), roleToRemove, targetProject); err != nil {
return nil, status.Errorf(codes.Internal, "error writing role assignment: %v", err)
}
prj := targetProject.String()
return &minder.RemoveRoleResponse{
RoleAssignment: &minder.RoleAssignment{
Role: role.String(),
Role: roleToRemove.String(),
Subject: identity.Human(),
Project: &prj,
},
Expand Down