Prevent deletion of the last admin account #260

Description

@DogukanUrker

Problem

The admin panel allows an admin to delete their own account via the user management interface. If the last admin account is deleted, the system becomes permanently locked out — there is no way to create new admin accounts without direct database/code access.

Requirements

  1. In delete_user(), check if the user being deleted is an admin AND is the last admin account. If so, reject the deletion.
  2. Prevent admins from deleting their own account via the admin panel.
  3. Add appropriate error messages (using flash_message with the session language).
  4. Add logging for blocked deletion attempts.
  5. Add unit tests covering:
    • Last admin trying to delete themselves
    • Last admin trying to delete another admin
    • Second-to-last admin deleting another admin (should succeed)
    • Non-admin deleting an admin account (should succeed)
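A standalone sketch of the guard the requirements describe, added here as an example and not taken from the project: the in-memory `Store`, the `User` roles, the message keys and the `delete_user(store, actor, target)` signature are all assumptions standing in for the app's real models and `flash_message` calls.

```python
# Added example, not the project's code. Storage, role names, message keys and
# the delete_user() signature are assumptions made for this illustration.
import logging
from dataclasses import dataclass, field

log = logging.getLogger("admin_guard")


@dataclass
class User:
    name: str
    role: str  # assumed role names: "admin" or "user"


@dataclass
class Store:
    users: dict = field(default_factory=dict)  # name -> User

    def admin_count(self) -> int:
        return sum(1 for u in self.users.values() if u.role == "admin")


def delete_user(store: Store, actor: str, target: str) -> tuple[bool, str]:
    """Delete `target` on behalf of `actor`; returns (deleted, message_key).

    The message key stands in for the flash_message() key the real app would
    localise with the session language. Route-level authorisation is assumed
    to have happened before this function is reached.
    """
    if target not in store.users:
        return False, "userNotFound"
    victim = store.users[target]
    # Requirement 2: an admin may not delete their own account from the panel.
    if actor == target and victim.role == "admin":
        log.warning("blocked: admin %r tried to delete their own account", actor)
        return False, "cannotDeleteOwnAccount"
    # Requirement 1: never remove the last remaining admin account.
    if victim.role == "admin" and store.admin_count() <= 1:
        log.warning("blocked: %r tried to delete the last admin %r", actor, target)
        return False, "cannotDeleteLastAdmin"
    del store.users[target]
    log.info("user %r deleted by %r", target, actor)
    return True, "userDeleted"


def demo_store() -> Store:
    """Constructed sample data: two admins and one ordinary user."""
    s = Store()
    for name, role in [("root", "admin"), ("ops", "admin"), ("bob", "user")]:
        s.users[name] = User(name, role)
    return s
```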


Labels: security (Security-related issues)
