From 54b6f7d726e0bd9dbc573dec677f47586f21b630 Mon Sep 17 00:00:00 2001
From: Valentin Tolmer <valentin@tolmer.fr>
Date: Fri, 24 Sep 2021 22:40:33 +0200
Subject: [PATCH] graphql: Add guardrails to prevent deleting all the admins

---
 server/src/infra/graphql/mutation.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/server/src/infra/graphql/mutation.rs b/server/src/infra/graphql/mutation.rs
index c8cabb4..f9e71dd 100644
--- a/server/src/infra/graphql/mutation.rs
+++ b/server/src/infra/graphql/mutation.rs
@@ -110,6 +110,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
         if !context.validation_result.is_admin {
             return Err("Unauthorized group update".into());
         }
+        if group.id == 1 {
+            return Err("Cannot change admin group details".into());
+        }
         context
             .handler
             .update_group(UpdateGroupRequest {
@@ -143,6 +146,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
         if !context.validation_result.is_admin {
             return Err("Unauthorized group membership modification".into());
         }
+        if context.validation_result.user == user_id && group_id == 1 {
+            return Err("Cannot remove admin rights for current user".into());
+        }
         context
             .handler
             .remove_user_from_group(&user_id, GroupId(group_id))
@@ -154,6 +160,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
         if !context.validation_result.is_admin {
             return Err("Unauthorized user deletion".into());
         }
+        if context.validation_result.user == user_id {
+            return Err("Cannot delete current user".into());
+        }
         context.handler.delete_user(&user_id).await?;
         Ok(Success::new())
     }
@@ -162,6 +171,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
         if !context.validation_result.is_admin {
             return Err("Unauthorized group deletion".into());
         }
+        if group_id == 1 {
+            return Err("Cannot delete admin group".into());
+        }
         context.handler.delete_group(GroupId(group_id)).await?;
         Ok(Success::new())
     }