From 8f1ec20e96a86ba2a8f00820814bc51630664bdc Mon Sep 17 00:00:00 2001
From: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
Date: Thu, 11 Sep 2025 12:56:21 +0200
Subject: [PATCH] Prevent rootAdmins from having other roles & being deleted via the API (#1699)

---
 .../Api/Application/Users/UserController.php | 34 ++++++++++++-------
 .../Users/AssignUserRolesRequest.php | 4 +--
 2 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/app/Http/Controllers/Api/Application/Users/UserController.php b/app/Http/Controllers/Api/Application/Users/UserController.php
index c9a5e63e9..adf93d425 100644
--- a/app/Http/Controllers/Api/Application/Users/UserController.php
+++ b/app/Http/Controllers/Api/Application/Users/UserController.php
@@ -102,12 +102,15 @@ class UserController extends ApplicationApiController
 */
 public function assignRoles(AssignUserRolesRequest $request, User $user): array
 {
- foreach ($request->input('roles') as $role) {
- if ($role === Role::getRootAdmin()->id) {
- continue;
- }
+ if (!$user->isRootAdmin()) {
+ $rootAdminId = Role::getRootAdmin()->id;
+ foreach ($request->input('roles') as $role) {
+ if ($role === $rootAdminId) {
+ continue;
+ }
 
- $user->assignRole($role);
+ $user->assignRole($role);
+ }
 }
 
 $response = $this->fractal->item($user)
@@ -125,12 +128,15 @@ class UserController extends ApplicationApiController
 */
 public function removeRoles(AssignUserRolesRequest $request, User $user): array
 {
- foreach ($request->input('roles') as $role) {
- if ($role === Role::getRootAdmin()->id) {
- continue;
- }
+ if (!$user->isRootAdmin()) {
+ $rootAdminId = Role::getRootAdmin()->id;
+ foreach ($request->input('roles') as $role) {
+ if ($role === $rootAdminId) {
+ continue;
+ }
 
- $user->removeRole($role);
+ $user->removeRole($role);
+ }
 }
 
 $response = $this->fractal->item($user)
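Review bot: The skip on the `$role === $rootAdminId` line in assignRoles only works when the request value is already an int: the request's `integer` rule accepts numeric strings and `$request->input('roles')` returns them as received, so if the body arrives form-encoded rather than as JSON a `'1'`-style id never equals the int id and the root-admin role is assigned after all — `if ((int) $role === $rootAdminId) {` closes that gap. removeRoles in the next hunk has the same comparison. When the target user already is a root admin, both methods now silently do nothing and still fall through to the 200 response built from `$this->fractal->item($user)`, whereas delete answers 403; since the return type is `array`, refusing up front with the Laravel `abort(403)` helper (or the project's equivalent) would tell the caller the request was refused rather than applied. Both method bodies continue past the hunk.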
@@ -169,8 +175,12 @@ class UserController extends ApplicationApiController
 */
 public function delete(DeleteUserRequest $request, User $user): JsonResponse
 {
- $user->delete();
+ if (!$user->isRootAdmin()) {
+ $user->delete();
 
- return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
+ return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
+ }
+
+ return new JsonResponse([], JsonResponse::HTTP_FORBIDDEN);
 }
 }
diff --git a/app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php b/app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php
index 9dbcfb127..f05e0f08b 100644
--- a/app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php
+++ b/app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php
@@ -8,8 +8,8 @@ class AssignUserRolesRequest extends StoreUserRequest
 public function rules(?array $rules = null): array
 {
 return [
- 'roles' => 'array',
- 'roles.*' => 'int',
+ 'roles' => 'required|array',
+ 'roles.*' => 'integer|exists:roles,id',
 ];
 }
 }
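Review bot: The refusal in delete is written as the fall-through after the happy path, so the method reads bottom-up; inverting it to a guard clause, `if ($user->isRootAdmin()) { return new JsonResponse([], JsonResponse::HTTP_FORBIDDEN); }` followed by the unchanged `$user->delete();` and the 204 return, keeps the success path flat. The docblock above the method (its body is outside the hunk) should also state that root admins cannot be deleted and receive 403, so API consumers do not have to discover it from an empty response body. The bare `[]` body on the 403 may differ from whatever error envelope this API's other forbidden responses use — worth checking how those are produced before settling on a plain JsonResponse here.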
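Review bot: `required` on `roles` rejects an empty array, so a client that previously sent `roles: []` (accepted under the old `array` rule) now gets a validation error from both assignRoles and removeRoles; if that is intended it belongs in the API docs, otherwise `'roles' => 'present|array'` keeps the key mandatory while still allowing an empty list. `integer` validates but does not cast, so the controller receives whatever type the transport produced — the strict `===` comparison against the root-admin id in UserController depends on it being an int, which this rule does not guarantee. `exists:roles,id` runs one lookup per element; adding `distinct` to `roles.*` would reject duplicate ids rather than re-checking them.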