fix: Correctly guard against last admin deleting their account (#2069)

* fix: Correctly guard against last admin deleting their account * test
2021-04-24 20:52:46 -07:00
parent 3fbb3a2403
commit 2d22399bbc
5 changed files with 163 additions and 34 deletions
--- a/server/commands/userDestroyer.js
+++ b/server/commands/userDestroyer.js
@ -0,0 +1,67 @@
+// @flow
+import { ValidationError } from "../errors";
+import { Event, User } from "../models";
+import { Op, sequelize } from "../sequelize";
+
+export default async function userDestroyer({
+  user,
+  actor,
+  ip,
+}: {
+  user: User,
+  actor: User,
+  ip: string,
+}) {
+  const { teamId } = user;
+
+  const usersCount = await User.count({
+    where: {
+      teamId,
+    },
+  });
+
+  if (usersCount === 1) {
+    throw new ValidationError("Cannot delete last user on the team.");
+  }
+
+  if (user.isAdmin) {
+    const otherAdminsCount = await User.count({
+      where: {
+        isAdmin: true,
+        teamId,
+        id: { [Op.ne]: user.id },
+      },
+    });
+
+    if (otherAdminsCount === 0) {
+      throw new ValidationError(
+        "Cannot delete account as only admin. Please make another user admin and try again."
+      );
+    }
+  }
+
+  let transaction = await sequelize.transaction();
+  let response;
+
+  try {
+    response = await user.destroy({ transaction });
+    await Event.create(
+      {
+        name: "users.delete",
+        actorId: actor.id,
+        userId: user.id,
+        teamId,
+        data: { name: user.name },
+        ip,
+      },
+      { transaction }
+    );
+
+    await transaction.commit();
+  } catch (err) {
+    await transaction.rollback();
+    throw err;
+  }
+
+  return response;
+}
--- a/server/commands/userDestroyer.test.js
+++ b/server/commands/userDestroyer.test.js
@ -0,0 +1,83 @@
+// @flow
+import { buildUser, buildAdmin } from "../test/factories";
+import { flushdb } from "../test/support";
+import userDestroyer from "./userDestroyer";
+
+beforeEach(() => flushdb());
+
+describe("userDestroyer", () => {
+  const ip = "127.0.0.1";
+
+  it("should prevent last user from deleting account", async () => {
+    const user = await buildUser();
+
+    let error;
+
+    try {
+      await userDestroyer({
+        user,
+        actor: user,
+        ip,
+      });
+    } catch (err) {
+      error = err;
+    }
+    expect(error && error.message).toContain("Cannot delete last user");
+  });
+
+  it("should prevent last admin from deleting account", async () => {
+    const user = await buildAdmin();
+    await buildUser({ teamId: user.teamId });
+
+    let error;
+
+    try {
+      await userDestroyer({
+        user,
+        actor: user,
+        ip,
+      });
+    } catch (err) {
+      error = err;
+    }
+    expect(error && error.message).toContain("Cannot delete account");
+  });
+
+  it("should not prevent multiple admin from deleting account", async () => {
+    const actor = await buildAdmin();
+    const user = await buildAdmin({ teamId: actor.teamId });
+
+    let error;
+
+    try {
+      await userDestroyer({
+        user,
+        actor,
+        ip,
+      });
+    } catch (err) {
+      error = err;
+    }
+    expect(error).toBeFalsy();
+    expect(user.deletedAt).toBeTruthy();
+  });
+
+  it("should not prevent last non-admin from deleting account", async () => {
+    const user = await buildUser();
+    await buildUser({ teamId: user.teamId });
+
+    let error;
+
+    try {
+      await userDestroyer({
+        user,
+        actor: user,
+        ip,
+      });
+    } catch (err) {
+      error = err;
+    }
+    expect(error).toBeFalsy();
+    expect(user.deletedAt).toBeTruthy();
+  });
+});