[PM-19588] Ensure custom users cannot delete or remove admins. (#5590)

2025-06-30 07:36:14 -05:00 · 2025-04-03 11:35:09 -04:00
parent 33f5a19b99
commit 38ae5ff885
4 changed files with 67 additions and 1 deletions
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteManagedOrganizationUserAccountCommandTests.cs
@ -131,6 +131,38 @@ public class DeleteManagedOrganizationUserAccountCommandTests
            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<DateTime?>());
    }

+    [Theory]
+    [BitAutoData]
+    public async Task DeleteUserAsync_WhenCustomUserDeletesAdmin_ThrowsException(
+        SutProvider<DeleteManagedOrganizationUserAccountCommand> sutProvider, User user,
+        [OrganizationUser(OrganizationUserStatusType.Confirmed, OrganizationUserType.Admin)] OrganizationUser organizationUser,
+        Guid deletingUserId)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+
+        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(user.Id)
+            .Returns(user);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationCustom(organizationUser.OrganizationId)
+            .Returns(true);
+
+        // Act
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.DeleteUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUserId));
+
+        // Assert
+        Assert.Equal("Custom users can not delete admins.", exception.Message);
+        await sutProvider.GetDependency<IUserService>().Received(0).DeleteAsync(Arg.Any<User>());
+        await sutProvider.GetDependency<IEventService>().Received(0)
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<DateTime?>());
+    }
+
    [Theory]
    [BitAutoData]
    public async Task DeleteUserAsync_DeletingOwnerWhenNotOwner_ThrowsException(
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/RemoveOrganizationUserCommandTests.cs
@ -171,6 +171,28 @@ public class RemoveOrganizationUserCommandTests
        Assert.Contains(RemoveOrganizationUserCommand.RemoveOwnerByNonOwnerErrorMessage, exception.Message);
    }

+    [Theory, BitAutoData]
+    public async Task RemoveUser_WhenCustomUserRemovesAdmin_ThrowsException(
+    [OrganizationUser(type: OrganizationUserType.Admin)] OrganizationUser organizationUser,
+    [OrganizationUser(type: OrganizationUserType.Custom)] OrganizationUser deletingUser,
+    SutProvider<RemoveOrganizationUserCommand> sutProvider)
+    {
+        // Arrange
+        organizationUser.OrganizationId = deletingUser.OrganizationId;
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationCustom(organizationUser.OrganizationId)
+            .Returns(true);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.RemoveUserAsync(organizationUser.OrganizationId, organizationUser.Id, deletingUser.UserId));
+        Assert.Contains(RemoveOrganizationUserCommand.RemoveAdminByCustomUserErrorMessage, exception.Message);
+    }
+
    [Theory, BitAutoData]
    public async Task RemoveUser_WithDeletingUserId_RemovingLastOwner_ThrowsException(
        [OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser organizationUser,