Merge pull request #1266 from Unleash/feat/block-deletion-of-root-roles

fix: Prevent deletion of built in roles
2024-12-22 19:07:54 +01:00 · 2022-01-14 12:55:55 +02:00 · 2022-01-14 12:55:55 +02:00 · e164e3d835
commit e164e3d835
parent 1989c53fb0 bfcad65cdc
2 changed files with 53 additions and 4 deletions
--- a/src/lib/services/access-service.ts
+++ b/src/lib/services/access-service.ts
@ -427,6 +427,8 @@ export class AccessService {
    }

    async deleteRole(id: number): Promise<void> {
+        await this.validateRoleIsNotBuiltIn(id);
+
        const roleUsers = await this.getUsersForRole(id);

        if (roleUsers.length > 0) {
@ -455,7 +457,7 @@ export class AccessService {
        const role = await this.store.get(roleId);
        if (role.type !== CUSTOM_ROLE_TYPE) {
            throw new InvalidOperationError(
-                'You can not change built in roles.',
+                'You cannot change built in roles.',
            );
        }
    }
--- a/src/test/e2e/services/access-service.e2e.test.ts
+++ b/src/test/e2e/services/access-service.e2e.test.ts
@ -757,21 +757,68 @@ test('Should be allowed move feature toggle to project when the user has access'
    );
 });

-test('Should not be allowed to edit a built in role', async () => {
+test('Should not be allowed to edit a root role', async () => {
    expect.assertions(1);

    const editRole = await accessService.getRoleByName(RoleName.EDITOR);
    const roleUpdate = {
        id: editRole.id,
        name: 'NoLongerTheEditor',
-        description: 'Ha!',
+        description: '',
    };

    try {
        await accessService.updateRole(roleUpdate);
    } catch (e) {
        expect(e.toString()).toBe(
-            'InvalidOperationError: You can not change built in roles.',
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to delete a root role', async () => {
+    expect.assertions(1);
+
+    const editRole = await accessService.getRoleByName(RoleName.EDITOR);
+
+    try {
+        await accessService.deleteRole(editRole.id);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to edit a project role', async () => {
+    expect.assertions(1);
+
+    const ownerRole = await accessService.getRoleByName(RoleName.OWNER);
+    const roleUpdate = {
+        id: ownerRole.id,
+        name: 'NoLongerTheEditor',
+        description: '',
+    };
+
+    try {
+        await accessService.updateRole(roleUpdate);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
+        );
+    }
+});
+
+test('Should not be allowed to delete a project role', async () => {
+    expect.assertions(1);
+
+    const ownerRole = await accessService.getRoleByName(RoleName.OWNER);
+
+    try {
+        await accessService.deleteRole(ownerRole.id);
+    } catch (e) {
+        expect(e.toString()).toBe(
+            'InvalidOperationError: You cannot change built in roles.',
        );
    }
 });