Fix #10687: don't allow deletion of the last admin account

The last administrator account should be protected from deletion or demotion. It is still possible to delete the last administrator account from the database via way of a raw SQL query if an installation absolutely must not contain any admin accounts.
mantisbt · Aug 7, 2009 · 17ae3fc · 17ae3fc
1 parent 34d3633
commit 17ae3fc
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/account_delete.php b/account_delete.php
@@ -53,6 +53,13 @@
 	print_header_redirect( 'account_page.php' );
 }
 
+# check that we are not deleting the last administrator account
+$t_admin_threshold = config_get_global( 'admin_site_threshold' );
+if ( current_user_is_administrator() &&
+     user_count_level( $t_admin_threshold ) <= 1 ) {
+	trigger_error( ERROR_USER_CHANGE_LAST_ADMIN, ERROR );
+}
+
 helper_ensure_confirmed( lang_get( 'confirm_delete_msg' ),
 						 lang_get( 'delete_account_button' ) );
 

diff --git a/lang/strings_english.txt b/lang/strings_english.txt
@@ -295,7 +295,7 @@ $MANTIS_ERROR[ERROR_LOST_PASSWORD_NOT_MATCHING_DATA] = 'The provided information
 $MANTIS_ERROR[ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID] = 'The confirmation URL is invalid or has already been used. Please signup again.';
 $MANTIS_ERROR[ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED] = 'Maximum number of in-progress requests reached. Please contact the system administrator.';
 $MANTIS_ERROR[ERROR_PROJECT_RECURSIVE_HIERARCHY] = 'That operation would create a loop in the subproject hierarchy.';
-$MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot change the access level of the only administrator in the system.';
+$MANTIS_ERROR[ERROR_USER_CHANGE_LAST_ADMIN] = 'You cannot remove or demote the last administrator account. To perform the action you requested, you first need to create another administrator account.';
 $MANTIS_ERROR[ERROR_PAGE_REDIRECTION] = 'Page redirection error, ensure that there are no spaces outside the PHP block (&lt;?php ?&gt;) in config_inc.php or custom_*.php files.';
 $MANTIS_ERROR[ERROR_TWITTER_NO_CURL_EXT] = 'Twitter integration requires PHP cURL extension which is not installed.';
 $MANTIS_ERROR[ERROR_TAG_NOT_FOUND] = 'Could not find a tag with that name.';

diff --git a/manage_user_delete.php b/manage_user_delete.php
@@ -34,6 +34,13 @@
 
 	$t_user = user_get_row( $f_user_id );
 
+	# check that we are not deleting the last administrator account
+	$t_admin_threshold = config_get_global( 'admin_site_threshold' );
+	if ( user_is_administrator( $f_user_id ) &&
+	     user_count_level( $t_admin_threshold ) <= 1 ) {
+		trigger_error( ERROR_USER_CHANGE_LAST_ADMIN, ERROR );
+	}
+
 	helper_ensure_confirmed( lang_get( 'delete_account_sure_msg' ) .
 		'<br/>' . lang_get( 'username' ) . ': ' . $t_user['username'],
 		lang_get( 'delete_account_button' ) );