Issue1350 superadmin-user can't redraw superadmin-right or set himsel…

…f inactive (#1351) Co-authored-by: Ralf Peschke <rpeschke@peschke-it.de>
OpenSlides · Jun 9, 2022 · 6b54dd7 · 6b54dd7
1 parent 80735ba
commit 6b54dd7
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 1 deletion.
diff --git a/openslides_backend/action/actions/user/update.py b/openslides_backend/action/actions/user/update.py
@@ -1,6 +1,8 @@
 from typing import Any, Dict
 
 from ....models.models import User
+from ....permissions.management_levels import OrganizationManagementLevel
+from ....shared.exceptions import PermissionException
 from ....shared.patterns import fqid_from_collection_and_id
 from ...generics.update import UpdateAction
 from ...util.default_schema import DefaultSchema
@@ -56,9 +58,26 @@ def update_instance(self, instance: Dict[str, Any]) -> Dict[str, Any]:
             fqid_from_collection_and_id("user", instance["id"]),
             mapped_fields=[
                 "is_active",
+                "organization_management_level",
             ],
         )
-
+        if (
+            instance["id"] == self.user_id
+            and user["organization_management_level"]
+            == OrganizationManagementLevel.SUPERADMIN
+        ):
+            if (
+                "organization_management_level" in instance
+                and instance.get("organization_management_level")
+                != OrganizationManagementLevel.SUPERADMIN
+            ):
+                raise PermissionException(
+                    "A user is not allowed to withdraw his own 'superadmin'-Organization-Management-Level."
+                )
+            if "is_active" in instance and instance.get("is_active") is not True:
+                raise PermissionException(
+                    "A superadmin is not allowed to set himself inactive."
+                )
         if instance.get("is_active") and not user.get("is_active"):
             self.check_limit_of_user(1)
         return super().update_instance(instance)
diff --git a/tests/system/action/user/test_update.py b/tests/system/action/user/test_update.py
@@ -429,6 +429,53 @@ def test_perm_superadmin(self) -> None:
             },
         )
 
+    def test_perm_superadmin_withdraw_own_right(self) -> None:
+        """
+        SUPERADMIN may not withdraw his own OML right "superadmin",
+        see Issue1350
+        """
+        self.permission_setup()
+        self.set_organization_management_level(
+            OrganizationManagementLevel.SUPERADMIN, self.user_id
+        )
+
+        response = self.request(
+            "user.update",
+            {
+                "id": self.user_id,
+                # "organization_management_level": OrganizationManagementLevel.CAN_MANAGE_ORGANIZATION,
+                "organization_management_level": None,
+            },
+        )
+        self.assert_status_code(response, 400)
+        self.assertIn(
+            "A user is not allowed to withdraw his own 'superadmin'-Organization-Management-Level.",
+            response.json["message"],
+        )
+
+    def test_perm_superadmin_self_setting_inactive(self) -> None:
+        """
+        SUPERADMIN may not set himself inactive,
+        see Issue1350
+        """
+        self.permission_setup()
+        self.set_organization_management_level(
+            OrganizationManagementLevel.SUPERADMIN, self.user_id
+        )
+
+        response = self.request(
+            "user.update",
+            {
+                "id": self.user_id,
+                "is_active": False,
+            },
+        )
+        self.assert_status_code(response, 400)
+        self.assertIn(
+            "A superadmin is not allowed to set himself inactive.",
+            response.json["message"],
+        )
+
     def test_perm_group_A_oml_manage_user(self) -> None:
         """May update group A fields on organsisation scope, because belongs to 2 meetings in 2 committees, requiring OML level permission"""
         self.permission_setup()