From 948c4dbd7112b32c3aac2f6704269694fba1a24f Mon Sep 17 00:00:00 2001
From: Akhilesh Pandey <1akhil.pandey@gmail.com>
Date: Fri, 15 Sep 2023 00:26:10 +0530
Subject: [PATCH] feat: disallow last admin to remove self admin status

---
 internal/api/controller/user/update_admin.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/internal/api/controller/user/update_admin.go b/internal/api/controller/user/update_admin.go
index 131cae806..4f19be0c1 100644
--- a/internal/api/controller/user/update_admin.go
+++ b/internal/api/controller/user/update_admin.go
@@ -6,9 +6,11 @@ package user
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	apiauth "github.com/harness/gitness/internal/api/auth"
+	"github.com/harness/gitness/internal/api/usererror"
 	"github.com/harness/gitness/internal/auth"
 	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
@@ -31,6 +33,19 @@ func (c *Controller) UpdateAdmin(ctx context.Context, session *auth.Session,
 		return nil, err
 	}
 
+	// Fail if the user being updated is the only admin in DB.
+	if request.Admin == false && user.Admin == true {
+		admUsrCount, err := c.principalStore.CountUsers(ctx, &types.UserFilter{Admin: true})
+		if err != nil {
+			return nil, fmt.Errorf("failed to check admin user count: %w", err)
+		}
+
+		if admUsrCount == 1 {
+			return nil, usererror.BadRequest("cannot remove admin from the only admin user")
+		}
+
+		return user, nil
+	}
 	user.Admin = request.Admin
 	user.Updated = time.Now().UnixMilli()
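Review bot: The `return user, nil` at the end of the new `if request.Admin == false && user.Admin == true` block exits UpdateAdmin before `user.Admin = request.Admin` and whatever persistence follows, so any demotion of an admin while other admins exist is silently dropped and reported to the caller as success with the unchanged user; delete that `return user, nil` so control falls through to the assignment once the last-admin check has passed. While there, write the guard as `if !request.Admin && user.Admin {` (staticcheck S1002) and consider `if admUsrCount <= 1 {` so an unexpected zero count is also refused rather than allowed. Note also that the count and the later update are separate store calls, so two concurrent demotions of the last two admins could both pass the `== 1` check unless the store enforces this elsewhere (not visible here) — the check is a usability guard and the invariant may still want a store-level test or a documented caveat. UpdateAdmin begins and ends outside this hunk.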