From 2d7ffbf378350872bc38970b4cf9105ee99038b1 Mon Sep 17 00:00:00 2001
From: Stefan Melmuk
Date: Tue, 27 Sep 2022 10:10:09 +0200
Subject: [PATCH] allow the removal of non-confirmed owners ensure user_to_edit and user_to_delete are actually confirmed users, before checking if they are the last owner of an organization.
---
 src/api/core/organizations.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 3934de88..dca4f393 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -999,8 +999,11 @@ async fn edit_user(
 err!("Only Owners can edit Owner users")
 }

- if user_to_edit.atype == UserOrgType::Owner && new_type != UserOrgType::Owner {
- // Removing owner permmission, check that there is at least one other confirmed owner
+ if user_to_edit.atype == UserOrgType::Owner
+ && new_type != UserOrgType::Owner
+ && user_to_edit.status == UserOrgStatus::Confirmed as i32
+ {
+ // Removing owner permission, check that there is at least one other confirmed owner
 if UserOrganization::count_confirmed_by_org_and_type(&org_id, UserOrgType::Owner, &conn).await <= 1 {
 err!("Can't delete the last owner")
 }
@@ -1097,7 +1100,7 @@ async fn _delete_user(org_id: &str, org_user_id: &str, headers: &AdminHeaders, c
 err!("Only Owners can delete Admins or Owners")
 }

- if user_to_delete.atype == UserOrgType::Owner {
+ if user_to_delete.atype == UserOrgType::Owner && user_to_delete.status == UserOrgStatus::Confirmed as i32 {
 // Removing owner, check that there is at least one other confirmed owner
 if UserOrganization::count_confirmed_by_org_and_type(org_id, UserOrgType::Owner, conn).await <= 1 {
 err!("Can't delete the last owner")
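Review bot: The added `user_to_edit.status == UserOrgStatus::Confirmed as i32` test in `edit_user` is repeated for `user_to_delete` in the `_delete_user` hunk, and neither copy explains why a non-confirmed owner may skip the last-owner guard. This condition is what keeps an organization from losing its last confirmed owner, so the reasoning belongs next to it, for example `// A non-confirmed owner is not part of the confirmed count below, so changing or removing them cannot leave the org without an owner`. Moving the owner-and-confirmed test into a single predicate on the membership record would also stop the two call sites from drifting apart and would keep the integer cast in one place. The body of `edit_user` starts before and continues after this hunk.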
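Review bot: The last-owner guard in `_delete_user` reads the confirmed-owner count, while the removal itself happens later, outside this hunk. If the two steps are not in one transaction, which is not visible here, two concurrent removals of the last two confirmed owners could each see a count of 2 and both proceed. The `edit_user` hunk has the same check-then-act shape for demotions. At minimum I would record the assumption at the check, `// NOTE: the count and the removal must run in one transaction, otherwise concurrent requests can remove every confirmed owner`, and preferably make the removal conditional on the count inside the database. `_delete_user` continues past the end of the hunk.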