template: add safety checks to prevent removal of all user admins (#585)

Copilot · ascott18 · web-flow · commit 36ef392d7f7c · 2025-08-10T21:26:37.000-07:00
---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: ascott18 &lt;5017521+ascott18@users.noreply.github.com&gt;
Co-authored-by: Andrew Scott &lt;andrew.scott@intellitect.com&gt;
diff --git a/templates/Coalesce.Vue.Template/content/Coalesce.Starter.Vue.Data/Models/Role.cs b/templates/Coalesce.Vue.Template/content/Coalesce.Starter.Vue.Data/Models/Role.cs
@@ -46,10 +46,52 @@ public override ItemResult BeforeSave(SaveKind kind, Role? oldItem, Role item)
             }
 #endif
 
+            // Prevent removing UserAdmin permission if it would leave no user admins
+            if (kind == SaveKind.Update && oldItem != null)
+            {
+                var oldHadUserAdmin = oldItem.Permissions?.Contains(Permission.UserAdmin) == true;
+                var newHasUserAdmin = item.Permissions?.Contains(Permission.UserAdmin) == true;
+                
+                if (oldHadUserAdmin && !newHasUserAdmin)
+                {
+                    var result = CheckWouldLeaveNoUserAdmins(item.Id);
+                    if (!result.WasSuccessful) return result;
+                }
+            }
+
             item.NormalizedName = roleManager.NormalizeKey(item.Name);
 
             return base.BeforeSave(kind, oldItem, item);
         }
+
+        public override ItemResult BeforeDelete(Role item)
+        {
+            // Prevent deleting role with UserAdmin permission if it would leave no user admins
+            if (item.Permissions?.Contains(Permission.UserAdmin) == true)
+            {
+                var result = CheckWouldLeaveNoUserAdmins(item.Id);
+                if (!result.WasSuccessful) return result;
+            }
+
+            return base.BeforeDelete(item);
+        }
+
+        private ItemResult CheckWouldLeaveNoUserAdmins(string roleIdToExclude)
+        {
+            // Count users who have UserAdmin permission through roles other than the one being modified/deleted
+            var adminUserCount = Db.Users
+                .Where(u => u.UserRoles!.Any(ur => 
+                    ur.RoleId != roleIdToExclude && 
+                    ur.Role!.Permissions!.Contains(Permission.UserAdmin)))
+                .Count();
+
+            if (adminUserCount == 0)
+            {
+                return "This action would leave the system with no user administrators. At least one user admin must remain.";
+            }
+
+            return true;
+        }
     }
 }
 
@@ -74,4 +116,4 @@ public class RoleClaim : IdentityRoleClaim<string>
     [ForeignKey(nameof(RoleId))]
     public Role? Role { get; set; }
 }
-#endif
+#endif
diff --git a/templates/Coalesce.Vue.Template/content/Coalesce.Starter.Vue.Data/Models/UserRole.cs b/templates/Coalesce.Vue.Template/content/Coalesce.Starter.Vue.Data/Models/UserRole.cs
@@ -57,9 +57,21 @@ public class Behaviors(
         SignInManager<User> signInManager
     ) : AppBehaviors<UserRole>(context)
     {
+        public override ItemResult BeforeDelete(UserRole item)
+        {
+            // Prevent removing the last user admin
+            if (item.Role?.Permissions?.Contains(Permission.UserAdmin) == true)
+            {
+                var result = CheckWouldLeaveNoUserAdmins(item.UserId, item.RoleId);
+                if (!result.WasSuccessful) return result;
+            }
+
+            return base.BeforeDelete(item);
+        }
+
         public override async Task<ItemResult<UserRole>> AfterSaveAsync(SaveKind kind, UserRole? oldItem, UserRole item)
         {
-            if (User.GetUserId() == item.Id)
+            if (User.GetUserId() == item.UserId)
             {
                 // If the user was editing their own roles, refresh their current sign-in immediately
                 // so that it doesn't feel like nothing happened.
@@ -68,5 +80,22 @@ public override async Task<ItemResult<UserRole>> AfterSaveAsync(SaveKind kind, U
 
             return true;
         }
+
+        private ItemResult CheckWouldLeaveNoUserAdmins(string userIdToExclude, string roleIdToExclude)
+        {
+            // Count users who have UserAdmin permission (excluding the user/role combination being removed)
+            var adminUserCount = Db.Users
+                .Where(u => u.UserRoles!.Any(ur => 
+                    !(ur.UserId == userIdToExclude && ur.RoleId == roleIdToExclude) &&
+                    ur.Role!.Permissions!.Contains(Permission.UserAdmin)))
+                .Count();
+
+            if (adminUserCount == 0)
+            {
+                return "This action would leave the system with no user administrators. At least one user admin must remain.";
+            }
+
+            return true;
+        }
     }
-}
+}
