fix: block removing last infra admin

infrahq · Apr 29, 2022 · ddf29a7 · ddf29a7
1 parent e3fd583
commit ddf29a7
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/internal/access/grant.go b/internal/access/grant.go
@@ -66,5 +66,5 @@ func DeleteGrant(c *gin.Context, id uid.ID) error {
 		return err
 	}
 
-	return data.DeleteGrants(db, data.ByID(id), data.NotCreatedBy(models.CreatedBySystem))
+	return data.DeleteGrants(db, data.ByID(id))
 }
diff --git a/internal/server/handlers.go b/internal/server/handlers.go
@@ -471,6 +471,22 @@ func (a *API) CreateGrant(c *gin.Context, r *api.CreateGrantRequest) (*api.Grant
 }
 
 func (a *API) DeleteGrant(c *gin.Context, r *api.Resource) error {
+	grant, err := access.GetGrant(c, r.ID)
+	if err != nil {
+		return err
+	}
+
+	if grant.Resource == access.ResourceInfraAPI && grant.Privilege == models.InfraAdminRole {
+		infraAdminGrants, err := access.ListGrants(c, "", grant.Resource, grant.Privilege)
+		if err != nil {
+			return err
+		}
+
+		if len(infraAdminGrants) == 1 {
+			return fmt.Errorf("%w: cannot remove the last infra admin", internal.ErrForbidden)
+		}
+	}
+
 	return access.DeleteGrant(c, r.ID)
 }