From c8893f4533c77cd4683d6b6ff42f080d0974d352 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 20 Apr 2026 19:40:29 +0200
Subject: [PATCH] fix(cli): guard last admin on scheduled CLI deletion path

The last-admin guard was only enforced in the --now branch of 'user delete'. The default scheduled path called user.RequestDeletion without the guard, letting an operator schedule deletion of the last reachable admin via the CLI; the cron flow would then confirm and execute it, violating the invariant the HTTP admin API already enforces.
---
 pkg/cmd/user.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/cmd/user.go b/pkg/cmd/user.go
index 371cdcfdd..37b694e02 100644
--- a/pkg/cmd/user.go
+++ b/pkg/cmd/user.go
@@ -447,6 +447,10 @@ var userDeleteCmd = &cobra.Command{
 log.Fatalf("Error removing the user: %s", err)
 }
 } else {
+ if err := user.GuardLastAdmin(s, u); err != nil {
+ _ = s.Rollback()
+ log.Fatalf("Could not request user deletion: %s", err)
+ }
 err := user.RequestDeletion(s, u)
 if err != nil {
 _ = s.Rollback()
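Review bot: The guard added before `user.RequestDeletion(s, u)` checks the last-admin invariant only at scheduling time, while the deletion itself runs later from cron, so the answer can be stale by the time the account is removed. If two admins are each scheduled while the other still counts as an admin, or the remaining admin is demoted in between, the instance could still end up with none; whether `GuardLastAdmin` discounts accounts with a pending deletion, or the cron path re-checks, is not visible in this hunk. I would run the same guard again where the scheduled deletion is executed and record that at this call site, e.g. `// Scheduling-time check only: the cron deletion path must call GuardLastAdmin again before removing the user.` The enclosing block of `userDeleteCmd` starts and ends outside the hunk.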