fix: Prevent deletion of built in roles

Unleash · Jan 14, 2022 · bfcad65 · bfcad65
1 parent c1826ca
commit bfcad65
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 4 deletions.
diff --git a/src/lib/services/access-service.ts b/src/lib/services/access-service.ts
@@ -427,6 +427,8 @@ export class AccessService {
     }
 
     async deleteRole(id: number): Promise<void> {
+        await this.validateRoleIsNotBuiltIn(id);
+
         const roleUsers = await this.getUsersForRole(id);
 
         if (roleUsers.length > 0) {
@@ -455,7 +457,7 @@ export class AccessService {
         const role = await this.store.get(roleId);
         if (role.type !== CUSTOM_ROLE_TYPE) {
             throw new InvalidOperationError(
-                'You can not change built in roles.',
+                'You cannot change built in roles.',
             );
         }
     }

diff --git a/src/test/e2e/services/access-service.e2e.test.ts b/src/test/e2e/services/access-service.e2e.test.ts
@@ -757,21 +757,68 @@ test('Should be allowed move feature toggle to project when the user has access'
     );
 });
 
-test('Should not be allowed to edit a built in role', async () => {
+test('Should not be allowed to edit a root role', async () => {
     expect.assertions(1);
 
     const editRole = await accessService.getRoleByName(RoleName.EDITOR);
     const roleUpdate = {
         id: editRole.id,
         name: 'NoLongerTheEditor',
-        description: 'Ha!',
+        description: '',
     };
 
     try {
         await accessService.updateRole(roleUpdate);
     } catch (e) {
         expect(e.toString()).toBe(
-            'InvalidOperationError: You can not change built in roles.',
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to delete a root role', async () => {
+    expect.assertions(1);
+
+    const editRole = await accessService.getRoleByName(RoleName.EDITOR);
+
+    try {
+        await accessService.deleteRole(editRole.id);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to edit a project role', async () => {
+    expect.assertions(1);
+
+    const ownerRole = await accessService.getRoleByName(RoleName.OWNER);
+    const roleUpdate = {
+        id: ownerRole.id,
+        name: 'NoLongerTheEditor',
+        description: '',
+    };
+
+    try {
+        await accessService.updateRole(roleUpdate);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to delete a project role', async () => {
+    expect.assertions(1);
+
+    const ownerRole = await accessService.getRoleByName(RoleName.OWNER);
+
+    try {
+        await accessService.deleteRole(ownerRole.id);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
         );
     }
 });