Merge pull request #1196 from automatisch/remove-role-check

chore: Warn user about default role of SAML before deleting role

packages/backend/src/graphql/mutations/delete-role.ee.ts

@@ -1,4 +1,5 @@
 import Role from '../../models/role';
+import SamlAuthProvider from '../../models/saml-auth-provider.ee';
 import Context from '../../types/express/context';
 
 type Params = {
@@ -14,14 +15,8 @@ const deleteRole = async (
 ) => {
   context.currentUser.can('delete', 'Role');
 
-  const role = await Role
+  const role = await Role.query().findById(params.input.id).throwIfNotFound();
-    .query()
+  const count = await role.$relatedQuery('users').resultSize();
-    .findById(params.input.id)
-    .throwIfNotFound();
-
-  const count = await role
-    .$relatedQuery('users')
-    .resultSize();
 
   if (count > 0) {
     throw new Error('All users must be migrated away from the role!');
@@ -31,6 +26,17 @@ const deleteRole = async (
     throw new Error('Admin role cannot be deleted!');
   }
 
+  const samlAuthProviderUsingDefaultRole = await SamlAuthProvider.query()
+    .where({ default_role_id: role.id })
+    .limit(1)
+    .first();
+
+  if (samlAuthProviderUsingDefaultRole) {
+    throw new Error(
+      'You need to change the default role in the SAML configuration before deleting this role.'
+    );
+  }
+
   // delete permissions first
   await role.$relatedQuery('permissions').delete();
   await role.$query().delete();