mirror of
https://github.com/n8n-io/n8n.git
synced 2024-12-24 04:04:06 -08:00
fix(core): Do not allow admins to delete the instance owner (#9489)
This commit is contained in:
parent
88b9a4070b
commit
fc83005ba0
|
@ -168,6 +168,10 @@ export class UsersController {
|
|||
);
|
||||
}
|
||||
|
||||
if (userToDelete.role === 'global:owner') {
|
||||
throw new ForbiddenError('Instance owner cannot be deleted.');
|
||||
}
|
||||
|
||||
const personalProjectToDelete = await this.projectRepository.getPersonalProjectForUserOrFail(
|
||||
userToDelete.id,
|
||||
);
|
||||
|
|
|
@ -582,6 +582,15 @@ describe('DELETE /users/:id', () => {
|
|||
expect(user).toBeDefined();
|
||||
});
|
||||
|
||||
test('should fail to delete the instance owner', async () => {
|
||||
const admin = await createAdmin();
|
||||
const adminAgent = testServer.authAgentFor(admin);
|
||||
await adminAgent.delete(`/users/${owner.id}`).expect(403);
|
||||
|
||||
const user = await getUserById(owner.id);
|
||||
expect(user).toBeDefined();
|
||||
});
|
||||
|
||||
test('should fail to delete a user that does not exist', async () => {
|
||||
await ownerAgent.delete(`/users/${uuid()}`).query({ transferId: '' }).expect(404);
|
||||
});
|
||||
|
|
Loading…
Reference in a new issue