prevent removing or modifying the last admin group, allow otherwise

DefGuard · Dec 16, 2024 · 01fdd32 · 01fdd32
1 parent 4dcc8d4
commit 01fdd32
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 6 deletions.
diff --git a/src/handlers/group.rs b/src/handlers/group.rs
@@ -335,6 +335,23 @@ pub(crate) async fn modify_group(
         // TODO: update LDAP
     }
 
+    if group.is_admin != group_info.is_admin && !group_info.is_admin {
+        // prevent removing admin permissions from the last admin group
+        let admin_groups_count = Group::find_by_permission(&appstate.pool, Permission::IsAdmin)
+            .await?
+            .len();
+        if admin_groups_count == 1 {
+            error!(
+                "Can't remove admin permissions from the last admin group: {}",
+                name
+            );
+            return Ok(ApiResponse {
+                json: json!({}),
+                status: StatusCode::BAD_REQUEST,
+            });
+        }
+    }
+
     group
         .set_permission(&mut *transaction, Permission::IsAdmin, group_info.is_admin)
         .await?;
@@ -400,8 +417,11 @@ pub(crate) async fn delete_group(
     debug!("Deleting group {name}");
     // Administrative groups must not be removed.
     // Note: Group names are unique, so this condition should be sufficient.
-    let admin_groups = Group::find_by_permission(&appstate.pool, Permission::IsAdmin).await?;
-    if admin_groups.iter().any(|group| group.name == name) {
+    let admin_group_count = Group::find_by_permission(&appstate.pool, Permission::IsAdmin)
+        .await?
+        .len();
+    if admin_group_count == 1 {
+        error!("Cannot delete the last admin group: {name}");
         return Ok(ApiResponse {
             json: json!({}),
             status: StatusCode::BAD_REQUEST,

diff --git a/web/src/pages/groups/components/GroupsList/GroupsList.tsx b/web/src/pages/groups/components/GroupsList/GroupsList.tsx
@@ -42,8 +42,6 @@ export const GroupsList = ({ groups, search }: Props) => {
     );
   }, [groups, search]);
 
-  const renderRow = useCallback((data: ListData) => <CustomRow group={data} />, []);
-
   const listHeaders = useMemo((): ListHeader[] => {
     return [
       {
@@ -60,6 +58,17 @@ export const GroupsList = ({ groups, search }: Props) => {
     ];
   }, []);
 
+  const adminGroupCount = useCallback(() => {
+    return groups.filter((group) => group.is_admin).length;
+  }, [groups]);
+
+  const renderRow = useCallback(
+    (data: ListData) => (
+      <CustomRow group={data} disableDelete={adminGroupCount() === 1 && data.is_admin} />
+    ),
+    [],
+  );
+
   return (
     <VirtualizedList
       id="groups-list"
@@ -81,9 +90,10 @@ export const GroupsList = ({ groups, search }: Props) => {
 
 type RowProps = {
   group: GroupInfo;
+  disableDelete: boolean;
 };
 
-const CustomRow = ({ group }: RowProps) => {
+const CustomRow = ({ group, disableDelete }: RowProps) => {
   const openModal = useAddGroupModal((s) => s.open);
   const [isDeleteModalOpen, setDeleteModalOpen] = useState(false);
 
@@ -142,7 +152,7 @@ const CustomRow = ({ group }: RowProps) => {
               openModal(group);
             }}
           />
-          {group.name.toLowerCase() !== 'admin' && (
+          {!disableDelete && (
             <EditButtonOption
               styleVariant={EditButtonOptionStyleVariant.WARNING}
               text={LL.common.controls.delete()}