Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

check project owner is not removed #566

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

check project owner is not removed #566

wants to merge 5 commits into from

Conversation

rsiminel
Copy link
Contributor

@rsiminel rsiminel commented Dec 9, 2024

closes #498
@mboudet

Yup, all that was needed was a simple check that the user being deleted isn't the project owner (no need to check if it's the last member of the project because in that case they would be the project owner anyway).

@mboudet
Copy link
Member

mboudet commented Dec 10, 2024

(no need to check if it's the last member of the project because in that case they would be the project owner anyway).

Not so sure about that. Currently, there is no check on the user deletion route regarding projects, and the project 'owner' is stored on the project itself. -> If we delete a user who is a project owner, it's still going to be the owner. So if there is another member of the project, it's going to be the last member of the project, but not the owner.

So, what is needed is a check on the 'user delete route': if the user we are trying to delete is the owner of the project, OR the last user, we abort and send an error message.

There is already a check for websites and DBs here: https://github.com/genouest/genouestaccountmanager/blob/master/routes/users.js#L529 , might as well add a check for project ownership.

@rsiminel
Copy link
Contributor Author

rsiminel commented Dec 12, 2024
edited
Loading

If we delete a user who is a project owner, it's still going to be the owner. So if there is another member of the project, it's going to be the last member of the project, but not the owner.

So you're describing a case where the project owner's account was deleted before this PR?
Projet membership is stored on the user, so we'd have to look at every single user to see if one of them is in the same project.

Might I suggest 3 options:

  • We load every single User from the db every time we delete an account. I'm assuming this is sub-optimal.
  • We add a member_count attribute to the Project class.
  • We add a check that all project owners correspond to existing user accounts. I prefer this solution in a 'two birds, one stone' kind of way.

@mboudet
Copy link
Member

mboudet commented Dec 13, 2024
edited
Loading

Might I suggest 3 options:

* We load every single User from the db every time we delete an account. I'm assuming this is sub-optimal.

Not THAT suboptimal, honestly. We don't delete users often (and we already do it for the groups when deleting an user).
Plus we do this query anytime we go to the admin page for a project anyway. A proper mongo query filtered on project membership is fairly fast.

* We add a member_count attribute to the Project class.

Not really fond of this one

* We add a check that all project owners correspond to existing user accounts. I prefer this solution in a 'two birds, one stone' kind of way.

Where would this check be, and how would it run? (And how would it communicate the issue to the admin?)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Removing a user who is a project owner should raise a warning / error
2 participants
@rsiminel @mboudet