Conversation

@shwstppr
Contributor

Description

Fixes #10931

The role for default accounts shouldn't be changed. An appropriate error should be returned by the server, and the UI should not present the option for them.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

Fixes apache#10931

The role for default accounts shouldn't be changed. An appropriate error should be returned by the server, and the UI should not present the option for them.

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
@codecov

codecov bot commented Sep 30, 2025

Codecov Report

❌ Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.17%. Comparing base (5dfeb79) to head (56d80af).
⚠️ Report is 48 commits behind head on 4.20.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...c/main/java/com/cloud/user/AccountManagerImpl.java | 50.00% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff            @@
##               4.20   #11761   +/-   ##
=========================================
  Coverage     16.17%   16.17%           
- Complexity    13296    13299    +3     
=========================================
  Files          5656     5656           
  Lines        498223   498248   +25     
  Branches      60454    60460    +6     
=========================================
+ Hits          80577    80588   +11     
- Misses       408676   408688   +12     
- Partials       8970     8972    +2     

| Flag | Coverage Δ |
|---|---|
| uitests | 4.00% <ø> (-0.01%) ⬇️ |
| unittests | 17.02% <50.00%> (+<0.01%) ⬆️ |

@shwstppr
Contributor Author

@blueorangutan package

@blueorangutan

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15231

@shwstppr shwstppr requested a review from Copilot October 1, 2025 07:26
Contributor

Copilot AI left a comment

Pull Request Overview

This PR prevents role changes for default accounts by adding server-side validation and UI restrictions. When users attempt to modify roles for default accounts, the server returns an appropriate error message and the UI hides the role selection option.

  • Added server-side validation to prevent role changes for default accounts
  • Modified UI to conditionally hide role selection for default accounts
  • Added comprehensive test coverage for the new validation logic

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| ui/src/views/iam/EditAccount.vue | Conditionally hides role form field for default accounts and safely handles roleid parameter |
| server/src/main/java/com/cloud/user/AccountManagerImpl.java | Adds validation to prevent role changes for default accounts with early return optimization |
| server/src/test/java/com/cloud/user/AccountManagerImplTest.java | Adds test case to verify default account role change restriction |

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@shwstppr
Contributor Author

shwstppr commented Oct 1, 2025

@blueorangutan package

@blueorangutan

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15250

Contributor

@DaanHoogland DaanHoogland left a comment

clgtm and makes sense

@shwstppr shwstppr marked this pull request as ready for review October 15, 2025 02:55
Contributor

@pavanaravapalli pavanaravapalli left a comment

code LGTM

@DaanHoogland
Contributor

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-14707)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 56701 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11761-t14707-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@RosiKyu
Collaborator

RosiKyu commented Dec 10, 2025

@blueorangutan package

@blueorangutan

@rosi-shapeblue a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15981

Collaborator

@RosiKyu RosiKyu left a comment

Verification passed. Fix is working as expected.

  • Default admin (isdefault=true) - role change is not allowed/available in UI
  • Non-default admins (isdefault=false) - role change is allowed
  • Tested via API as well: Role change silently ignored, admin remains Root Admin
Screenshot from 2025-12-12 13-57-24 Screenshot from 2025-12-12 13-57-15

@DaanHoogland DaanHoogland merged commit e1c48c3 into apache:4.20 Dec 12, 2025
42 of 43 checks passed
@DaanHoogland DaanHoogland deleted the prevent-defaultadmin-rolechange branch December 12, 2025 12:42
sandeeplocharla pushed a commit to NetApp/cloudstack that referenced this pull request Feb 6, 2026
* server,ui: prevent role change for default accounts

Fixes apache#10931

The role for default accounts shouldn't be changed. An appropriate error should be returned by the server, and the UI should not present the option for them.

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

* Update server/src/main/java/com/cloud/user/AccountManagerImpl.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Default Admin user should not be allowed to change its ROLE type

5 participants