From 1db5c3d1ed3fcbed0a0106751849e1182d404937 Mon Sep 17 00:00:00 2001
From: Tagadda <36127788+Tagadda@users.noreply.github.com>
Date: Sat, 18 Jan 2025 16:51:08 +0100
Subject: [PATCH] Prevent from removing the last user from admins
---
 src/tests/test_user-group.py | 6 ++++++
 src/user.py | 3 +++
 2 files changed, 9 insertions(+)
diff --git a/src/tests/test_user-group.py b/src/tests/test_user-group.py
index 3fba251797..1df44dd703 100644
--- a/src/tests/test_user-group.py
+++ b/src/tests/test_user-group.py
@@ -356,3 +356,9 @@ def test_update_group_add_user_that_doesnt_exist(mocker):
 user_group_update("dev", add=["doesnt_exist"])
 assert "doesnt_exist" not in user_group_list()["groups"]["dev"]["members"]
+
+def test_update_group_remove_last_admin(mocker):
+ with raiseYunohostError(mocker, "group_cannot_remove_last_admin"):
+ user_group_update("admins", remove=["alice"])
+
+ assert "alice" in user_group_info("admins")["members"]
diff --git a/src/user.py b/src/user.py
index f814bfe2d2..f84042157e 100644
--- a/src/user.py
+++ b/src/user.py
@@ -1180,6 +1180,7 @@ def user_group_update(
 # Refuse to edit a primary group of a user (e.g. group 'sam' related to user 'sam')
 # Those kind of group should only ever contain the user (e.g. sam) and only this one.
 # We also can't edit "all_users" without the force option because that's a special group...
+ # Also prevent to remove the last admin
 if not force:
 if groupname == "all_users":
 raise YunohostValidationError("group_cannot_edit_all_users")
@@ -1189,6 +1190,8 @@ def user_group_update(
 raise YunohostValidationError(
 "group_cannot_edit_primary_group", group=groupname
 )
+ elif remove and groupname == "admins" and len(user_group_info("admins")['members']) <= 1:
+ raise YunohostValidationError("group_cannot_remove_last_admin")
 ldap = _get_ldap_interface()
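Review bot: test_update_group_remove_last_admin pins only the refusal for a single remaining admin, so the boundaries of the guard are not covered. A companion case with two admins that removes one (expected to succeed) and a case that passes both names in `remove` (expected to raise `group_cannot_remove_last_admin`) would catch a check that only counts members. The test also relies on `alice` being the sole member of `admins` in the fixture, which is set up outside this hunk; a comment such as `# fixture: alice is the only member of admins` would make that explicit.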
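Review bot: The added `elif` in the last hunk of src/user.py compares only the current member count with 1 and never looks at who is being removed. With two admins, a single call that removes both passes the check and leaves `admins` empty, while removing a non-member from a one-admin group is refused. Checking what would remain is tighter, e.g. `elif remove and groupname == "admins" and not (set(user_group_info("admins")["members"]) - set(remove)):`, assuming `remove` is already a list at this point as in the test; normalise it first if a bare string is accepted. The guard sits under `if not force:`, so forced calls still bypass it. The body of user_group_update continues outside the hunk, so whether other paths such as user deletion can empty the group cannot be judged from here.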