From fc83005ba0876ebea70f93de700adbd6e3095c96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?=
 =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?=
 =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
 <netroy@users.noreply.github.com>
Date: Wed, 22 May 2024 16:23:40 +0200
Subject: [PATCH] fix(core): Do not allow admins to delete the instance owner
 (#9489)

---
 packages/cli/src/controllers/users.controller.ts | 4 ++++
 packages/cli/test/integration/users.api.test.ts  | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/packages/cli/src/controllers/users.controller.ts b/packages/cli/src/controllers/users.controller.ts
index 19f929dd5c..b4bfad1f91 100644
--- a/packages/cli/src/controllers/users.controller.ts
+++ b/packages/cli/src/controllers/users.controller.ts
@@ -168,6 +168,10 @@ export class UsersController {
 			);
 		}
 
+		if (userToDelete.role === 'global:owner') {
+			throw new ForbiddenError('Instance owner cannot be deleted.');
+		}
+
 		const personalProjectToDelete = await this.projectRepository.getPersonalProjectForUserOrFail(
 			userToDelete.id,
 		);
diff --git a/packages/cli/test/integration/users.api.test.ts b/packages/cli/test/integration/users.api.test.ts
index f24e9aaab0..b164ae89a3 100644
--- a/packages/cli/test/integration/users.api.test.ts
+++ b/packages/cli/test/integration/users.api.test.ts
@@ -582,6 +582,15 @@ describe('DELETE /users/:id', () => {
 		expect(user).toBeDefined();
 	});
 
+	test('should fail to delete the instance owner', async () => {
+		const admin = await createAdmin();
+		const adminAgent = testServer.authAgentFor(admin);
+		await adminAgent.delete(`/users/${owner.id}`).expect(403);
+
+		const user = await getUserById(owner.id);
+		expect(user).toBeDefined();
+	});
+
 	test('should fail to delete a user that does not exist', async () => {
 		await ownerAgent.delete(`/users/${uuid()}`).query({ transferId: '' }).expect(404);
 	});