Unverified Commit 2553505e authored by Noah Moss's avatar Noah Moss Committed by GitHub

Prevent admin group from being cleared by `PUT /membership/:group-id/clear` (#27786)

parent 887b34c5
......@@ -239,10 +239,11 @@
#_{:clj-kondo/ignore [:deprecated-var]}
(api/defendpoint-schema PUT "/membership/:group-id/clear"
"Remove all members from a `PermissionsGroup`."
"Remove all members from a `PermissionsGroup`. Returns a 400 (Bad Request) if the group ID is for the admin group."
[group-id]
(validation/check-manager-of-group group-id)
(api/check-404 (db/exists? PermissionsGroup :id group-id))
(api/check-400 (not= group-id (u/the-id (perms-group/admin))))
(db/delete! PermissionsGroupMembership :group_id group-id)
api/generic-204-no-content)
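Review bot: The new `api/check-400` line in the `PUT /membership/:group-id/clear` handler has no comment saying why the admin group is exempt, and as written it passes no message, so the client gets a 400 with nothing more specific. A comment above it such as `;; never clear the admin group: doing so would remove every administrator at once` would record the intent (presumably lockout prevention; confirm against #27786). The guard also relies on `group-id` already being an integer here. If it ever arrived as a string, `not=` would be true and the check would pass silently, so it is worth confirming that the route coerces the parameter.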
......
......@@ -297,7 +297,10 @@
(is (= 1 (db/count PermissionsGroupMembership :group_id group-id)))
(mt/user-http-request :crowberto :put 204 (format "permissions/membership/%d/clear" group-id))
(is (true? (db/exists? PermissionsGroup :id group-id)))
(is (= 0 (db/count PermissionsGroupMembership :group_id group-id)))))))
(is (= 0 (db/count PermissionsGroupMembership :group_id group-id))))
(testing "The admin group cannot be cleared using this endpoint"
(mt/user-http-request :crowberto :put 400 (format "permissions/membership/%d/clear" (u/the-id (perms-group/admin))))))))
(deftest delete-group-membership-test
(testing "DELETE /api/permissions/membership/:id"
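Review bot: The added `testing` block asserts only the 400 status, so a handler that deleted the admin memberships before returning 400 would still pass. Adding `(is (pos? (db/count PermissionsGroupMembership :group_id (u/the-id (perms-group/admin)))))` after the request would pin that the rows survive. The case is also exercised only as `:crowberto`; a non-superuser group manager, which `validation/check-manager-of-group` in the handler appears to allow, is not covered here. The enclosing `deftest` begins outside this hunk, so it may already set up state this note does not account for.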
......