From 2553505eb8775a8a90273b993fcdfbd194bd4bed Mon Sep 17 00:00:00 2001
From: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Date: Fri, 20 Jan 2023 07:24:59 -0500
Subject: [PATCH] Prevent admin group from being cleared by `PUT
 /membership/:group-id/clear` (#27786)

---
 src/metabase/api/permissions.clj       | 3 ++-
 test/metabase/api/permissions_test.clj | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/metabase/api/permissions.clj b/src/metabase/api/permissions.clj
index ea2e0b40ed9..8f5673aa97e 100644
--- a/src/metabase/api/permissions.clj
+++ b/src/metabase/api/permissions.clj
@@ -239,10 +239,11 @@
 
 #_{:clj-kondo/ignore [:deprecated-var]}
 (api/defendpoint-schema PUT "/membership/:group-id/clear"
-  "Remove all members from a `PermissionsGroup`."
+  "Remove all members from a `PermissionsGroup`. Returns a 400 (Bad Request) if the group ID is for the admin group."
   [group-id]
   (validation/check-manager-of-group group-id)
   (api/check-404 (db/exists? PermissionsGroup :id group-id))
+  (api/check-400 (not= group-id (u/the-id (perms-group/admin))))
   (db/delete! PermissionsGroupMembership :group_id group-id)
   api/generic-204-no-content)
 
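Review bot: The guard added at the `api/check-400` line rejects the admin group with whatever generic message `check-400` produces, so a caller gets no indication that the request was refused specifically because the Administrators group must keep its members; I'd use the messaged form instead, something like `(api/check (not= group-id (u/the-id (perms-group/admin))) [400 (tru "The Administrators group cannot be cleared.")])` (assuming `api/check` and `tru` are available in this namespace as elsewhere in the API layer). The comparison also relies on `group-id` already being an integer; defendpoint's automatic parsing of `-id` route params appears to provide that, but if the value ever arrived as a string `not=` would be trivially true and the guard silently bypassed, so it is worth confirming the coercion rather than assuming it. Placing the check after `check-404` is right, since the 400 then only fires for an existing group.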
diff --git a/test/metabase/api/permissions_test.clj b/test/metabase/api/permissions_test.clj
index 2bb4337e0a9..a3f9bf38396 100644
--- a/test/metabase/api/permissions_test.clj
+++ b/test/metabase/api/permissions_test.clj
@@ -297,7 +297,10 @@
         (is (= 1 (db/count PermissionsGroupMembership :group_id group-id)))
         (mt/user-http-request :crowberto :put 204 (format "permissions/membership/%d/clear" group-id))
         (is (true? (db/exists? PermissionsGroup :id group-id)))
-        (is (= 0 (db/count PermissionsGroupMembership :group_id group-id)))))))
+        (is (= 0 (db/count PermissionsGroupMembership :group_id group-id))))
+
+      (testing "The admin group cannot be cleared using this endpoint"
+        (mt/user-http-request :crowberto :put 400 (format "permissions/membership/%d/clear" (u/the-id (perms-group/admin))))))))
 
 (deftest delete-group-membership-test
   (testing "DELETE /api/permissions/membership/:id"
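Review bot: The new `testing` block only asserts the 400 status and never checks that the admin group's membership was actually left intact, so a regression that returned 400 but still deleted rows (or deleted before checking) would pass; add `(is (pos? (db/count PermissionsGroupMembership :group_id (u/the-id (perms-group/admin)))))` after the request, mirroring the count assertions used for the ordinary group above. The enclosing `deftest` begins outside this hunk.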
-- 
GitLab