Prevent removal of last ADMIN role to avoid lockout #87

Closed
opened 2026-03-17 20:01:26 +01:00 by claude · 1 comment
Owner

Problem

If the last remaining user with the ADMIN role removes the role from themselves (or is deleted), all admin access is permanently lost. There is no way to recover without direct database intervention.

Expected Behavior

The system must enforce that at least one user always holds the ADMIN role. The following operations should be blocked when they would result in zero admin users:

  • Removing the ADMIN role from a user
  • Deleting a user who is the sole admin
  • Removing a user from a group that grants ADMIN (if it's their only source of the role)

The API should return a clear error (e.g. 409 Conflict) explaining why the operation was rejected.

Acceptance Criteria

  • Backend validates on role removal / user deletion that at least one ADMIN user remains
  • API returns a descriptive error when the operation would cause admin lockout
  • UI surfaces the error message to the admin attempting the action
Author
Owner

Implemented in 827ba3c. Guards added in three locations:

  • RbacServiceImpl.removeRoleFromUser — blocks removing ADMIN role when only 1 effective admin remains
  • UserAdminController.deleteUser — blocks deleting a user who is the sole admin
  • GroupAdminController.removeRoleFromGroup — blocks removing ADMIN from a group when only 1 effective admin remains

All return 409 Conflict with descriptive error message.

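As an added illustration of the invariant stated in the issue and the three guards listed in the comment above (this is not the project's code from 827ba3c; `AdminLockoutGuard` and every method name in it are hypothetical), a minimal Java model that counts effective admins across direct and group-granted roles and rejects with a 409 any change that would leave zero:

```java
import java.util.*;
/** Added example with hypothetical names, not the project's code: the "at least one effective ADMIN" guard. */
public final class AdminLockoutGuard {
    public static final String ADMIN = "ADMIN";
    /** Rejected change; a controller would map this to HTTP 409 Conflict with the message as the body. */
    public static final class AdminLockoutException extends IllegalStateException {
        AdminLockoutException(String op) { super("409 Conflict: " + op + " would leave no user holding ADMIN"); }
    }
    // user -> direct roles, group -> roles the group grants, user -> group memberships
    private final Map<String, Set<String>> userRoles = new HashMap<>(), groupRoles = new HashMap<>(), userGroups = new HashMap<>();
    public void grantRole(String u, String r) { userRoles.computeIfAbsent(u, k -> new HashSet<>()).add(r); }
    public void grantGroupRole(String g, String r) { groupRoles.computeIfAbsent(g, k -> new HashSet<>()).add(r); }
    public void addToGroup(String u, String g) {
        userRoles.computeIfAbsent(u, k -> new HashSet<>()); // register the user even without direct roles
        userGroups.computeIfAbsent(u, k -> new HashSet<>()).add(g);
    }
    /** Effective roles: direct roles plus every role granted by a group the user belongs to. */
    public Set<String> effectiveRoles(String u) {
        Set<String> roles = new HashSet<>(userRoles.getOrDefault(u, Set.of()));
        for (String g : userGroups.getOrDefault(u, Set.of())) roles.addAll(groupRoles.getOrDefault(g, Set.of()));
        return roles;
    }
    public long countEffectiveAdmins() { return userRoles.keySet().stream().filter(u -> effectiveRoles(u).contains(ADMIN)).count(); }
    // Undoes and rejects a change that left zero effective admins. In a real service the check and the write
    // must share one transaction or lock, or two concurrent removals can each observe "another admin remains".
    private void checkOrUndo(String op, Runnable undo) {
        if (countEffectiveAdmins() == 0) { undo.run(); throw new AdminLockoutException(op); }
    }
    public void removeRoleFromUser(String u, String r) { removeFrom(userRoles, u, r, "removeRoleFromUser"); }
    public void removeRoleFromGroup(String g, String r) { removeFrom(groupRoles, g, r, "removeRoleFromGroup"); }
    public void removeUserFromGroup(String u, String g) { removeFrom(userGroups, u, g, "removeUserFromGroup"); }
    // Shared helper: remove one element from a map-held set, then enforce the admin invariant.
    private void removeFrom(Map<String, Set<String>> m, String key, String value, String op) {
        Set<String> set = m.getOrDefault(key, new HashSet<>());
        boolean had = set.remove(value);
        checkOrUndo(op, () -> { if (had) set.add(value); });
    }
    public void deleteUser(String u) {
        Set<String> roles = userRoles.remove(u), groups = userGroups.remove(u);
        checkOrUndo("deleteUser", () -> { if (roles != null) userRoles.put(u, roles); if (groups != null) userGroups.put(u, groups); });
    }
    public static void main(String[] args) {
        AdminLockoutGuard rbac = new AdminLockoutGuard();
        rbac.grantRole("alice", ADMIN);                                    // direct admin
        rbac.grantGroupRole("ops", ADMIN); rbac.addToGroup("bob", "ops");  // bob is admin only via "ops"
        rbac.removeRoleFromUser("alice", ADMIN);                           // allowed: bob remains an effective admin
        Runnable[] lockouts = { () -> rbac.removeRoleFromGroup("ops", ADMIN), () -> rbac.deleteUser("bob"), () -> rbac.removeUserFromGroup("bob", "ops") };
        for (Runnable op : lockouts) try { op.run(); } catch (AdminLockoutException e) { System.out.println(e.getMessage()); }
        System.out.println("effective admins: " + rbac.countEffectiveAdmins()); // still 1: every lockout was rolled back
    }
}
```

Each of the three rejected operations is undone before the exception surfaces, so the state after the run is the same as before them; the single check in `checkOrUndo` is what makes the three guard sites in the comment agree on the definition of "effective admin".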