mirror of
https://github.com/n8n-io/n8n.git
synced 2024-12-24 20:24:05 -08:00
fix(core): Do not allow admins to delete the instance owner (#9489)
This commit is contained in:
parent
88b9a4070b
commit
fc83005ba0
|
@ -168,6 +168,10 @@ export class UsersController {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (userToDelete.role === 'global:owner') {
|
||||||
|
throw new ForbiddenError('Instance owner cannot be deleted.');
|
||||||
|
}
|
||||||
|
|
||||||
const personalProjectToDelete = await this.projectRepository.getPersonalProjectForUserOrFail(
|
const personalProjectToDelete = await this.projectRepository.getPersonalProjectForUserOrFail(
|
||||||
userToDelete.id,
|
userToDelete.id,
|
||||||
);
|
);
|
||||||
|
|
|
@ -582,6 +582,15 @@ describe('DELETE /users/:id', () => {
|
||||||
expect(user).toBeDefined();
|
expect(user).toBeDefined();
|
||||||
});
|
});
|
||||||
|
|
||||||
|
test('should fail to delete the instance owner', async () => {
|
||||||
|
const admin = await createAdmin();
|
||||||
|
const adminAgent = testServer.authAgentFor(admin);
|
||||||
|
await adminAgent.delete(`/users/${owner.id}`).expect(403);
|
||||||
|
|
||||||
|
const user = await getUserById(owner.id);
|
||||||
|
expect(user).toBeDefined();
|
||||||
|
});
|
||||||
|
|
||||||
test('should fail to delete a user that does not exist', async () => {
|
test('should fail to delete a user that does not exist', async () => {
|
||||||
await ownerAgent.delete(`/users/${uuid()}`).query({ transferId: '' }).expect(404);
|
await ownerAgent.delete(`/users/${uuid()}`).query({ transferId: '' }).expect(404);
|
||||||
});
|
});
|
||||||
|
|
Loading…
Reference in a new issue