fix: team check in edit user (#1013)

Co-authored-by: svcAPLBot <174728082+svcAPLBot@users.noreply.github.com>

Author: dennisvankekem

src/otomi-stack.test.ts

@@ -9,7 +9,7 @@ import {
 } from 'src/otomi-models'
 import OtomiStack from 'src/otomi-stack'
 import { loadSpec } from './app'
-import { ValidationError } from './error'
+import { NotExistError, ValidationError } from './error'
 import { Git } from './git'
 
 jest.mock('./tty', () => ({
@@ -621,6 +621,60 @@ describe('Users tests', () => {
       })
     })
 
+    it('should not allow editing a user into a team that does not exist', async () => {
+      createTestTeam(otomiStack, 'team1')
+
+      const user = {
+        ...teamMember1,
+        id: 'missing-team-user',
+        email: 'missing-team-user@dev.linode-apl.net',
+        teams: ['team1'],
+      }
+
+      createTestUser(otomiStack, user)
+
+      await expect(
+        otomiStack.editUser(
+          user.id!,
+          {
+            ...user,
+            teams: ['team1', 'team-does-not-exist'],
+          },
+          platformAdminSession,
+        ),
+      ).rejects.toThrow(new NotExistError('Team(s) not found: team-does-not-exist'))
+
+      expect(mockGit.writeTextFile).not.toHaveBeenCalled()
+      expect(otomiStack.doDeployment).not.toHaveBeenCalled()
+    })
+
+    it('should allow editing a user into existing teams', async () => {
+      createTestTeam(otomiStack, 'team1')
+      createTestTeam(otomiStack, 'team2')
+
+      const user = {
+        ...teamMember1,
+        id: 'existing-team-user',
+        email: 'existing-team-user@dev.linode-apl.net',
+        teams: ['team1'],
+      }
+
+      createTestUser(otomiStack, user)
+
+      const result = await otomiStack.editUser(
+        user.id!,
+        {
+          ...user,
+          teams: ['team1', 'team2'],
+        },
+        platformAdminSession,
+      )
+
+      expect(result.teams).toEqual(['team1', 'team2'])
+      expect(mockGit.writeTextFile).toHaveBeenCalled()
+      expect(otomiStack.doDeployment).toHaveBeenCalled()
+    })
+
     describe('canTeamAdminUpdateUserTeams', () => {
       // set session user as team admin
       sessionUser.isPlatformAdmin = false

src/otomi-stack.ts

@@ -1218,21 +1218,35 @@ export default class OtomiStack {
     if (!existingData) {
       throw new NotExistError(`User ${id} not found`)
     }
+
     const existingUser = userSecretDataToUser(existingData)
 
-    // Merge updates, preserving initialPassword from existing secret
     const user: User = {
       ...existingUser,
       ...data,
       id,
       initialPassword: existingUser.initialPassword,
     }
 
+    this.validateUserTeamsExist(user)
+
     const aplRecord = await this.saveUser(user)
     await this.doDeployment(aplRecord)
+
     return user
   }
 
+  private validateUserTeamsExist(user: User): void {
+    const existingTeamIds = new Set(this.getTeamIds())
+    const userTeamIds = user.teams ?? []
+
+    const missingTeamIds = userTeamIds.filter((teamId) => !existingTeamIds.has(teamId))
+
+    if (missingTeamIds.length > 0) {
+      throw new NotExistError(`Team(s) not found: ${missingTeamIds.join(', ')}`)
+    }
+  }
+
   async deleteUser(id: string): Promise<void> {
     const existingData = await getUserSecretData(id, this.fileStore)
     if (!existingData) {