From bdf0d386d5e7ca9575e67e2b27cd073d9afb9982 Mon Sep 17 00:00:00 2001
From: sighphyre
Date: Thu, 13 Jan 2022 10:23:12 +0200
Subject: [PATCH] feat: Prevent editing of built in roles

---
 src/lib/services/access-service.ts | 15 ++++++++++++++-
 .../e2e/services/access-service.e2e.test.ts | 19 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/src/lib/services/access-service.ts b/src/lib/services/access-service.ts
index a09217e7cd..de08fbceef 100644
--- a/src/lib/services/access-service.ts
+++ b/src/lib/services/access-service.ts
@@ -26,6 +26,7 @@ import RoleInUseError from '../error/role-in-use-error';
 import { roleSchema } from '../schema/role-schema';
 import { CUSTOM_ROLE_TYPE } from '../util/constants';
 import { DEFAULT_PROJECT } from '../types/project';
+import InvalidOperationError from '../error/invalid-operation-error';
 
 export const ALL_PROJECTS = '*';
 export const ALL_ENVS = '*';
@@ -411,7 +412,7 @@ export class AccessService {
 id: role.id,
 name: role.name,
 description: role.description,
- roleType: 'custom',
+ roleType: CUSTOM_ROLE_TYPE,
 };
 const rolePermissions = role.permissions;
 const newRole = await this.roleStore.update(baseRole);
@@ -450,11 +451,23 @@ export class AccessService {
 return Promise.resolve();
 }
 
+ async validateRoleIsNotBuiltIn(roleId: number): Promise {
+ const role = await this.store.get(roleId);
+ if (role.type !== CUSTOM_ROLE_TYPE) {
+ throw new InvalidOperationError(
+ 'You can not change built in roles.',
+ );
+ }
+ }
+
 async validateRole(
 role: IRoleCreation,
 existingId?: number,
 ): Promise {
 const cleanedRole = await roleSchema.validateAsync(role);
+ if (existingId) {
+ await this.validateRoleIsNotBuiltIn(existingId);
+ }
 await this.validateRoleIsUnique(role.name, existingId);
 return cleanedRole;
 }
diff --git a/src/test/e2e/services/access-service.e2e.test.ts b/src/test/e2e/services/access-service.e2e.test.ts
index 020d54ef34..4d7c0401d0 100644
--- a/src/test/e2e/services/access-service.e2e.test.ts
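Review bot: The guard added to validateRole is a truthiness check, `if (existingId)`, so an update carrying id 0 would skip the built-in check while still being handed to validateRoleIsUnique; `if (existingId !== undefined)` matches the optional parameter and closes that gap. validateRoleIsNotBuiltIn reads the role through `this.store.get(roleId)` whereas the update in the previous hunk goes through `this.roleStore.update(baseRole)` — presumably both resolve the same roles record, but it is worth confirming, as is what `get` does for an unknown id (if it returns undefined the caller gets a TypeError on `role.type` rather than a not-found error). A TSDoc line on the new method would help, e.g. `/** Throws InvalidOperationError when the role's type is not CUSTOM_ROLE_TYPE, so built-in roles cannot be modified. */`. validateRole is shown in full, but the enclosing class continues outside the hunk.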
+++ b/src/test/e2e/services/access-service.e2e.test.ts
@@ -756,3 +756,22 @@ test('Should be allowed move feature toggle to project when the user has access'
 projectOrigin.id,
 );
 });
+
+test('Should not be allowed to edit a built in role', async () => {
+ expect.assertions(1);
+
+ const editRole = await accessService.getRoleByName(RoleName.EDITOR);
+ const roleUpdate = {
+ id: editRole.id,
+ name: 'NoLongerTheEditor',
+ description: 'Ha!',
+ };
+
+ try {
+ await accessService.updateRole(roleUpdate);
+ } catch (e) {
+ expect(e.toString()).toBe(
+ 'InvalidOperationError: You can not change built in roles.',
+ );
+ }
+});
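Review bot: The try/catch with `expect.assertions(1)` works, but `catch (e)` leaves `e` untyped, so `e.toString()` will not compile once `useUnknownInCatchVariables` is on, and the single-string comparison couples the test to both the error's class name and its message. The same check reads more directly as `await expect(accessService.updateRole(roleUpdate)).rejects.toThrow('You can not change built in roles.');`, which removes the manual assertion count and the catch block. Only the rejection path is exercised here; a companion case updating a custom role with the same shape of body would show the new guard does not also block legitimate edits.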