
[2010-04-08] Don't allow admins to detract themselves admin rights #730

Closed
silverstripe-issues opened this issue May 13, 2013 · 8 comments

Comments

@silverstripe-issues

silverstripe-issues commented May 13, 2013

Acceptance Criteria

  • As a logged in user with access to the "Security" section, I can remove myself from groups
  • As a logged in user with access to the "Security" section, I can't remove myself from any group that would deny me further access to that section (groups with ADMIN permission)
  • In the "Group" edit view, I can't unlink from an ADMIN group in the "Members" GridField (either by hiding the action, or through a validation error)
  • In the "Member" edit view, I get a validation error when removing from an ADMIN group

Notes

Original Ticket

created by: suntrop
created at: 2010-04-08
original ticket: http://open.silverstripe.org/ticket/5370


Administrators can detract themselves admin rights.

If someone clicks (like I did) at the wrong point in the drop-down list your rights are gone (thanks to AJAX ;-) **without any warning**.

I think it would be good to warn the user or deny that kind of action.

See also: http://www.silverstripe.org/general-questions/show/282374?showPost=282378

@silverstripe-issues

comment by: @chillu (ischommer)
created at: 2010-04-11


Good point. We'd also need to warn when removing CMS_ACCESS_SecurityAdmin or ROLE_ASSIGN permissions - it can get quite tricky to figure out which rights are necessary for a user to perform the current action without actually executing it.

@silverstripe-issues

comment by: @sminnee (sminnee)
created at: 2012-06-29


This is still an issue in SS3, although it doesn't affect things until you press save, at least.

@silverstripe-issues

comment by: @wilr (wrossiter)
created at: 2013-05-07


Worth migrating as it is definitely something to fix from a UX view.

@kmayo-ss

kmayo-ss commented Jan 6, 2014

Looking at this now; this will probably check if the current user ID is the same as the member ID in Member::getCMSField and, if it is, add the administrator group ID to the setDisableditems method of the list box.
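The two checks the acceptance criteria and the plan above describe, as an added framework-free example (not SilverStripe's or this branch's code): the UI-side lock disables the ADMIN group entries in the list box only when a user edits their own record, and the save-side validation refuses an edit that would leave the current user without any ADMIN group. Group IDs and user IDs are constructed sample values; "deny me further access" is read as losing the last ADMIN group.

```php
<?php
// Added example, not SilverStripe's own code. Runs with plain `php`.

/** Group ids to pass to the list box's disabled items (the plan above). */
function groupsToDisable(int $currentUserId, int $editedMemberId, array $adminGroupIds): array
{
    // Editing another member: nothing is locked, an admin may change others' groups.
    return $currentUserId === $editedMemberId ? $adminGroupIds : [];
}

/**
 * Server-side validation on save. Returns an error message when the edit would
 * strip the current user of their last ADMIN group, otherwise null.
 * The disabled list-box entry is convenience only; a hand-built POST skips it,
 * so this check is the one that actually enforces the rule.
 */
function validateOwnAdminRemoval(
    int $currentUserId,
    int $editedMemberId,
    array $groupsBefore,
    array $groupsAfter,
    array $adminGroupIds
): ?string {
    if ($currentUserId !== $editedMemberId) {
        return null;
    }
    $hadAdmin   = (bool) array_intersect($groupsBefore, $adminGroupIds);
    $keepsAdmin = (bool) array_intersect($groupsAfter, $adminGroupIds);
    if ($hadAdmin && !$keepsAdmin) {
        return 'You cannot remove yourself from your last ADMIN group';
    }
    return null;
}

// Constructed sample: group 1 = Administrators (ADMIN), group 2 = Content Authors.
$adminGroups = [1];
assert(groupsToDisable(5, 5, $adminGroups) === [1]);          // editing self: lock ADMIN group
assert(groupsToDisable(5, 7, $adminGroups) === []);           // editing someone else: no lock
assert(validateOwnAdminRemoval(5, 5, [1, 2], [2], $adminGroups) !== null); // blocked
assert(validateOwnAdminRemoval(5, 5, [1, 2], [1], $adminGroups) === null); // leaving group 2 is fine
assert(validateOwnAdminRemoval(5, 7, [1, 2], [2], $adminGroups) === null); // another member's record
echo "all checks passed\n";
```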

@kmayo-ss

Have looked at this and have created the following branch where, when an admin tries to remove their admin permissions, a warning advising they are removing their own admin is produced.

https://github.com/silverstripe-rebelalliance/sapphire/tree/dontRemoveAdmin

Have not raised a pull request yet as I know I will have to create a unit test for this, and I have been experiencing issues with getting Behat tests to work.

@kmayo-ss

Started working on the Behat test for this but I am having problems getting Behat to work with alert boxes. I tried the following steps:

```
And I dismiss the dialog
And I confirm the dialog
```

However, I get the following error, so what I will need to find out is whether Behat actually supports alert boxes.

```
[WebDriver\Exception\UnexpectedAlertOpen]
Exception has been thrown in "afterStep" hook, defined in SilverStripe\BehatExtension\Context\BasicContext::appendErrorHandlerBeforeStep()

Modal dialog present: Warning you are removing ADMIN permissions from your own member profile
Build info: version: '2.39.0', revision: 'ff23eac', time: '2013-12-16 16:11:15'
System info: host: 'Kirks-MacBook-Pro.local', ip: '192.168.16.34', os.name: 'Mac OS X', os.arch: 'x86_64', os.version: '10.7.5', java.version: '1.6.0_65'
Session ID: cc742a1f-b915-2949-a9e0-01c57d4c2d63
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Capabilities [{platform=MAC, acceptSslCerts=true, javascriptEnabled=true, browserName=firefox, rotatable=false, locationContextEnabled=true, version=26.0, cssSelectorsEnabled=true, databaseEnabled=true, handlesAlerts=true, browserConnectionEnabled=true, nativeEvents=false, webStorageEnabled=true, applicationCacheEnabled=true, takesScreenshot=true}]
```

@srizzling

Are you still having this issue? Because all you need is a tag "@modal" in front of the scenario, I believe.

@kmayo-ss

I did get around this by using the CSS selector and confirming the dialog; it did require a new function to be added to the silverstripe-behat-extension module, so a pull request has been opened for this.

```
Scenario: I receive a warning when trying to remove my own admin permissions
When I click the "Users" CMS tab
And I click "ADMIN@example.org" in the "#Root_Users" element
And I click on the element with css selector ".search-choice-close", confirming the dialog
```
