Prevent the initial admin user from being deleted

[luminous706]

It seems that anyone can add/delete any user, so if I share access to Tactical RMM to a colleague, he can remove my access then I would be locked out.

It would be great if the first user created from the setup script was the official admin user and was greyed out, unable to be removed. Similar to the root user on Linux. If I give access to somebody, I can be sure that I will never be locked out, as I'm the primary maintainer of the tool.

Is there a way to achieve that right now?

[wh1te909]

good request, we can add this in the next major release
for now you can test it out by just changing the code, try this out

edit /rmm/api/tacticalrmm/accounts/views.py and look for the class GetUpdateDeleteUser(APIView): class

in the delete method, change the code to the following, and then sudo systemctl restart rmm and then login as a secondary user and try to delete yourself

def delete(self, request, pk):
        root_user = User.objects.first()
        user = get_object_or_404(User, pk=pk)
        if user == root_user:
            return notify_error("The initial user cannot be deleted from the UI")

        get_object_or_404(User, pk=pk).delete()

        return Response("ok")

[luminous706]

Thanks for the quick response!

The code did not work but gave me a way to modify it enough to make me happy:

def delete(self, request, pk):
        user = get_object_or_404(User, pk=pk)

        if user.username == "myAdminUser":
            return notify_error("The initial user cannot be deleted from the UI")

        get_object_or_404(User, pk=pk).delete()

        return Response("ok")

For a more future-proof implementation, it should be whatever first user created from the setup script.

But since someone might create a silly initial name or one with a typo, maybe an even more stable implementation would be to create a user automatically, call it "rmmadmin", "tactical", or something else, and just prompt for a password from the user. That "rmmadmin" or "tactical" user can't be removed or disabled from the GUI, unless we have back-end access.

This could be a good way to introduce some permission levels while we wait for the full-featured release with users and groups (1 user that cannot be deleted, a super-user, to manage the other users if anything goes wrong).

Btw, can I ask if you have a Patreon or a way to support this project? My company is really impressed.

[wh1te909]

Did you delete the initial user from django admin or some other way? Cuz User.objects.first() will always get the oldest entry in the database which unless you have deleted it will be the user created during install.

But anyway what i'll do is add an optional setting in /rmm/api/tacticalrmm/tacticalrmm/local_settings.py called ROOT_USER or something. So you would have to add ROOT_USER = "myAdminUser" at the bottom of that file. Then the code will check to see if that variable is set in that file, and if so the functions will not delete or modify anything with that username. This file is the only file that won't be overwritten during upgrades, any other python code you change will be.

No Patreon but have added a sponsor button on the projects page :)

[wh1te909]

Added in release v0.2.17
Edit /rmm/api/tacticalrmm/tacticalrmm/local_settings.py
and add the following line to the bottom of the file, replace username with your own
ROOT_USER = "tactical"
then sudo systemctl restart rmm