intuitem / ciso-assistant-community

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +43 frameworks worldwide: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber and so much more
https://intuitem.com
GNU Affero General Public License v3.0

Return an error message when an admin tries to delete the only admin account #192

Closed monsieurswag closed 1 month ago

monsieurswag commented 1 month ago

I removed import { fail } from 'assert'; in "frontend/src/routes/(app)/users/[id=uuid]/edit/+page.server.ts"; it seems like it was an error, surely from someone who auto-imported the wrong fail function in a previous commit.

According to this Mixin definition the "name" field isn't unique, which means there may be multiple UserGroup objects with the same name:

from django.db import models
from django.utils.translation import gettext_lazy as _

class NameDescriptionMixin(AbstractBaseModel):
    # unique=False: two UserGroup rows may share the same name
    name = models.CharField(max_length=200, verbose_name=_("Name"), unique=False)

I am not sure having 2 user groups with the exact same name should be authorized by the application, is this normal? Some evil user could create a user group with the same name as the admin group and bypass some permission checks. To address this potential issue, in my code I always added builtin=True when fetching the admin group, since builtin objects are meant to be immutable.

eric-intuitem commented 1 month ago

Indeed, once groups are user-defined, we'll need to add fields_to_check = ["name"]
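
The two points raised above (a name-only lookup of the admin group can be shadowed by an attacker-created group with the same name, so the lookup should be restricted to builtin=True, and a uniqueness check along the lines of fields_to_check = ["name"] is needed once groups become user-defined) are illustrated below as an added example. This is not the project's own code: the Django models are replaced by constructed in-memory dataclasses so it runs offline, the admin group name "BI-UG-ADM" is an assumption, and the function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed stand-ins for the Django models (not the project's classes):
# just enough fields to show how the lookup and the last-admin check behave.
@dataclass(frozen=True)
class UserGroup:
    name: str
    builtin: bool = False  # builtin groups are meant to be immutable


@dataclass
class User:
    email: str
    user_groups: List[UserGroup] = field(default_factory=list)


ADMIN_GROUP_NAME = "BI-UG-ADM"  # assumed name of the built-in admin group


def admin_group_by_name_only(groups: Iterable[UserGroup]) -> Optional[UserGroup]:
    """Weak lookup: 'name' is not unique, so whichever row matches first wins,
    and a user-created group with the same name can shadow the real one."""
    matches = [g for g in groups if g.name == ADMIN_GROUP_NAME]
    return matches[0] if matches else None


def admin_group_builtin(groups: Iterable[UserGroup]) -> UserGroup:
    """Hardened lookup: restrict the match to the built-in group and insist on
    exactly one result, so a same-named user-defined group cannot be picked."""
    matches = [g for g in groups if g.name == ADMIN_GROUP_NAME and g.builtin]
    if len(matches) != 1:
        raise LookupError("expected exactly one builtin admin group, got %d" % len(matches))
    return matches[0]


def admins_of(users: Iterable[User], admin_group: UserGroup) -> List[User]:
    """All users that belong to the given admin group."""
    return [u for u in users if admin_group in u.user_groups]


def check_can_delete(
    user: User,
    users: Iterable[User],
    groups: Iterable[UserGroup],
    resolver: Callable[[Iterable[UserGroup]], Optional[UserGroup]] = admin_group_builtin,
) -> Tuple[bool, str]:
    """Refuse to delete the last member of the admin group.

    With the hardened resolver the check holds; with the name-only resolver an
    attacker's same-named group is consulted instead, and the real last admin
    can be deleted, which is the bypass described in the comments."""
    admin_group = resolver(groups)
    if admin_group is None:
        return False, "Admin group could not be resolved"
    if admin_group in user.user_groups and len(admins_of(users, admin_group)) == 1:
        return False, "Cannot delete the only admin account"
    return True, ""


def validate_unique(
    existing: Iterable[UserGroup], candidate: UserGroup, fields_to_check=("name",)
) -> bool:
    """Uniqueness check in the spirit of fields_to_check = ["name"]: reject a
    group that collides with an existing one on every listed field."""
    for g in existing:
        if all(getattr(g, f) == getattr(candidate, f) for f in fields_to_check):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample data: the attacker's group is stored before the real one.
    shadow = UserGroup(ADMIN_GROUP_NAME, builtin=False)
    real = UserGroup(ADMIN_GROUP_NAME, builtin=True)
    groups = [shadow, real]
    alice = User("alice@example.com", [real])      # the only real admin
    mallory = User("mallory@example.com", [shadow])
    users = [alice, mallory]
    print(admin_group_by_name_only(groups) is shadow)                      # True: shadowed
    print(admin_group_builtin(groups) is real)                             # True
    print(check_can_delete(alice, users, groups))                          # (False, ...)
    print(check_can_delete(alice, users, groups, admin_group_by_name_only))  # (True, '') bypass
    print(validate_unique(groups, UserGroup("BI-UG-ADM")))                 # False
```

The builtin=True filter alone only protects lookups that remember to use it; the uniqueness validation closes the gap at the source by refusing to store a second group with a colliding name in the first place, which is why both are shown together.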

monsieurswag commented 1 month ago

Done

monsieurswag commented 1 month ago

Remove builtin and user_groups__builtin, and make the languageTag: languageTag syntax like it was before