openfoodfoundation / openfoodnetwork

Connect suppliers, distributors and consumers to trade local produce.
https://www.openfoodnetwork.org
GNU Affero General Public License v3.0

[Enterprise->Users] Main owner can remove themselves as manager #10209

Open audez opened 1 year ago

audez commented 1 year ago

Description

The main owner of an enterprise can remove themselves as a manager: after deleting their own email, an error 401 "unauthorized" is triggered but the owner is still removed, and loses access to the admin dashboard.

Expected Behavior

If it's allowed to remove oneself as manager, there shouldn't be an error. If it's not allowed to remove oneself as manager, the trash icon shouldn't be activated.

Steps to Reproduce

  1. Create an enterprise with a new account
  2. In Enterprises > Users, add another mail in the fields: Managers, Notifications, and Owner
  3. See that the trash to delete the initial account is activated
  4. Click on the trash then click "Update"
  5. See the error: GET | https://staging.coopcircuits.fr/unauthorized -- 401 Unauthorized
  6. See that you can't access the admin dashboard anymore

Animated Gif/Screenshot

Screen recording 2022-12-26 at 20 17 03

Severity

bug-s3: a feature is broken but there is a workaround

RachL commented 1 year ago

I think the correct behavior here must be to change the owner first. The downside is that currently only the owner can remove users. What do you think, @openfoodfoundation/train-drivers-product-owners?