Merge pull request #9615 from appwrite/fix-owner-downgrade

Restrict role change for sole org owner
2026-05-18 22:48:31 +00:00 · 2025-04-06 13:59:02 +05:45 · 2025-04-06 13:59:02 +05:45 · 2d7b01aa35
commit 2d7b01aa35
parent a160b0f987 2243f0c72e
2 changed files with 48 additions and 2 deletions
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@ -1034,7 +1034,6 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId')
    ->param('membershipId', '', new UID(), 'Membership ID.')
    ->param('roles', [], function (Document $project) {
        if ($project->getId() === 'console') {
-            ;
            $roles = array_keys(Config::getParam('roles', []));
            array_filter($roles, function ($role) {
                return !in_array($role, [Auth::USER_ROLE_APPS, Auth::USER_ROLE_GUESTS, Auth::USER_ROLE_USERS]);
@ -1046,9 +1045,10 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId')
    ->inject('request')
    ->inject('response')
    ->inject('user')
+    ->inject('project')
    ->inject('dbForProject')
    ->inject('queueForEvents')
-    ->action(function (string $teamId, string $membershipId, array $roles, Request $request, Response $response, Document $user, Database $dbForProject, Event $queueForEvents) {
+    ->action(function (string $teamId, string $membershipId, array $roles, Request $request, Response $response, Document $user, Document $project, Database $dbForProject, Event $queueForEvents) {

        $team = $dbForProject->getDocument('teams', $teamId);
        if ($team->isEmpty()) {
@ -1069,6 +1069,21 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId')
        $isAppUser = Auth::isAppUser(Authorization::getRoles());
        $isOwner = Authorization::isRole('team:' . $team->getId() . '/owner');

+        if ($project->getId() === 'console') {
+            // Quick check: fetch up to 2 owners to determine if only one exists
+            $ownersCount = $dbForProject->count(
+                collection: 'memberships',
+                queries: [Query::contains('roles', ['owner'])],
+                max: 2
+            );
+
+            // Prevent role change if there's only one owner left,
+            // the requester is that owner, and the new `$roles` no longer include 'owner'!
+            if ($ownersCount === 1 && $isOwner && !\in_array('owner', $roles)) {
+                throw new Exception(Exception::GENERAL_ARGUMENT_INVALID, 'There must be at least one owner in the organization.');
+            }
+        }
+
        if (!$isOwner && !$isPrivilegedUser && !$isAppUser) { // Not owner, not admin, not app (server)
            throw new Exception(Exception::USER_UNAUTHORIZED, 'User is not allowed to modify roles');
        }
--- a/tests/e2e/Services/Teams/TeamsBase.php
+++ b/tests/e2e/Services/Teams/TeamsBase.php
@ -37,6 +37,37 @@ trait TeamsBase
        $teamUid = $response1['body']['$id'];
        $teamName = $response1['body']['name'];

+        /**
+         * Test: Attempt to downgrade the only OWNER in an organization (should fail)
+         */
+        if ($this->getProject()['$id'] === 'console') {
+            // Step 1: Fetch all team memberships — only one exists at this point
+            $response = $this->client->call(Client::METHOD_GET, '/teams/' . $teamUid . '/memberships', array_merge([
+                'content-type' => 'application/json',
+                'x-appwrite-project' => $this->getProject()['$id'],
+            ], $this->getHeaders()), [
+                'queries' => [
+                    Query::limit(1)->toString(),
+                ],
+            ]);
+
+            // Step 2: Extract the membership ID of the only member (also the only OWNER)
+            $membershipID = $response['body']['memberships'][0]['$id'];
+
+            // Step 3: Attempt to downgrade the member's role to 'developer'
+            $response = $this->client->call(Client::METHOD_PATCH, '/teams/' . $teamUid . '/memberships/' . $membershipID, array_merge([
+                'content-type' => 'application/json',
+                'x-appwrite-project' => $this->getProject()['$id'],
+            ], $this->getHeaders()), [
+                'roles' => ['developer']
+            ]);
+
+            // Step 4: Assert failure — cannot remove the only OWNER from a team
+            $this->assertEquals(400, $response['headers']['status-code']);
+            $this->assertEquals('general_argument_invalid', $response['body']['type']);
+            $this->assertEquals('There must be at least one owner in the organization.', $response['body']['message']);
+        }
+
        $teamId = ID::unique();
        $response2 = $this->client->call(Client::METHOD_POST, '/teams', array_merge([
            'content-type' => 'application/json',