Server: forbid to remove the root user

diff --git a/server/middlewares/validators/users.js b/server/middlewares/validators/users.js
index d541e91247c0c1125761dff8f2b951836d90d501..02e4f34cba4fd2072a14452397d044e320917b16 100644 (file)
--- a/server/middlewares/validators/users.js
+++ b/server/middlewares/validators/users.js
@@ -47,6 +47,8 @@ function usersRemove (req, res, next) {
 
       if (!user) return res.status(404).send('User not found')
 
+      if (user.username === 'root') return res.status(400).send('Cannot remove the root user')
+
       next()
     })
   })

diff --git a/server/tests/api/check-params.js b/server/tests/api/check-params.js
index 57b5ca024d797685ab333f21a602343030b9f3c5..07f41daab7fbd88c996d3b6b7804826180dee3a3 100644 (file)
--- a/server/tests/api/check-params.js
+++ b/server/tests/api/check-params.js
@@ -497,6 +497,7 @@ describe('Test parameters validator', function () {
   describe('Of the users API', function () {
     const path = '/api/v1/users/'
     let userId = null
+    let rootId = null
 
     describe('When listing users', function () {
       it('Should fail with a bad start pagination', function (done) {
@@ -626,6 +627,7 @@ describe('Test parameters validator', function () {
           if (err) throw err
 
           userId = res.body.data[1].id
+          rootId = res.body.data[2].id
           done()
         })
       })
@@ -691,6 +693,13 @@ describe('Test parameters validator', function () {
           .expect(400, done)
       })
 
+      it('Should fail with the root user', function (done) {
+        request(server.url)
+          .delete(path + rootId)
+          .set('Authorization', 'Bearer ' + server.accessToken)
+          .expect(400, done)
+      })
+
       it('Should return 404 with a non existing id', function (done) {
         request(server.url)
           .delete(path + '579f982228c99c221d8092b8')