From bfcad65cdccecbba0f114858bf76e5a312a8996d Mon Sep 17 00:00:00 2001
From: sighphyre
Date: Fri, 14 Jan 2022 10:30:34 +0200
Subject: [PATCH] fix: Prevent deletion of built in roles

---
 src/lib/services/access-service.ts | 4 +-
 .../e2e/services/access-service.e2e.test.ts | 53 +++++++++++++++++--
 2 files changed, 53 insertions(+), 4 deletions(-)

diff --git a/src/lib/services/access-service.ts b/src/lib/services/access-service.ts
index de08fbceef..7be15b9677 100644
--- a/src/lib/services/access-service.ts
+++ b/src/lib/services/access-service.ts
@@ -427,6 +427,8 @@ export class AccessService {
     }
 
     async deleteRole(id: number): Promise {
+        await this.validateRoleIsNotBuiltIn(id);
+
         const roleUsers = await this.getUsersForRole(id);
 
         if (roleUsers.length > 0) {
@@ -455,7 +457,7 @@ export class AccessService {
         const role = await this.store.get(roleId);
         if (role.type !== CUSTOM_ROLE_TYPE) {
             throw new InvalidOperationError(
-                'You can not change built in roles.',
+                'You cannot change built in roles.',
             );
         }
     }
diff --git a/src/test/e2e/services/access-service.e2e.test.ts b/src/test/e2e/services/access-service.e2e.test.ts
index 4d7c0401d0..a4936fc675 100644
--- a/src/test/e2e/services/access-service.e2e.test.ts
+++ b/src/test/e2e/services/access-service.e2e.test.ts
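Review bot: `deleteRole` now refuses built-in roles, but nothing on the method tells callers that it can throw; the added `await this.validateRoleIsNotBuiltIn(id);` reaches the check in the second hunk, which throws `InvalidOperationError` for any role whose `type` is not `CUSTOM_ROLE_TYPE`. A TSDoc above the signature would make the contract explicit: `/** Deletes a custom role. @throws InvalidOperationError when the role is built in (type !== CUSTOM_ROLE_TYPE) or still has users assigned. */` — the users-assigned part is hedged, since that branch's throw is outside the hunk. Placing the built-in check before the user lookup is the right order, as a built-in role is rejected regardless of assignments. The body of `deleteRole` continues past the end of this hunk.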
@@ -757,21 +757,68 @@ test('Should be allowed move feature toggle to project when the user has access'
     );
 });
 
-test('Should not be allowed to edit a built in role', async () => {
+test('Should not be allowed to edit a root role', async () => {
     expect.assertions(1);
 
     const editRole = await accessService.getRoleByName(RoleName.EDITOR);
     const roleUpdate = {
         id: editRole.id,
         name: 'NoLongerTheEditor',
-        description: 'Ha!',
+        description: '',
     };
 
     try {
         await accessService.updateRole(roleUpdate);
     } catch (e) {
         expect(e.toString()).toBe(
-            'InvalidOperationError: You can not change built in roles.',
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to delete a root role', async () => {
+    expect.assertions(1);
+
+    const editRole = await accessService.getRoleByName(RoleName.EDITOR);
+
+    try {
+        await accessService.deleteRole(editRole.id);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to edit a project role', async () => {
+    expect.assertions(1);
+
+    const ownerRole = await accessService.getRoleByName(RoleName.OWNER);
+    const roleUpdate = {
+        id: ownerRole.id,
+        name: 'NoLongerTheEditor',
+        description: '',
+    };
+
+    try {
+        await accessService.updateRole(roleUpdate);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to delete a project role', async () => {
+    expect.assertions(1);
+
+    const ownerRole = await accessService.getRoleByName(RoleName.OWNER);
+
+    try {
+        await accessService.deleteRole(ownerRole.id);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
         );
     }
 });
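Review bot: The three new tests each pair `expect.assertions(1)` with a `try`/`catch` that compares `e.toString()`, which couples the assertion to the error's class name and exact message and leaves `e` untyped in the catch clause; Jest's rejection matcher expresses the same intent in one statement, e.g. `await expect(accessService.deleteRole(editRole.id)).rejects.toThrow('You cannot change built in roles.');`, with `expect.assertions(1)` then no longer needed. The same applies to the two `updateRole` tests in this hunk. The deletion tests also only check that the call throws; asserting afterwards that `getRoleByName(RoleName.EDITOR)` still resolves would confirm the role was not removed, which is the property the commit title claims.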