[backend] Avoid user deletion raising exception when authorized_membe…

…r is missing (#5580)
OpenCTI-Platform · Jan 30, 2024 · 38cb81a · 38cb81a
1 parent c684db0
commit 38cb81a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/opencti-platform/opencti-graphql/src/domain/user.js b/opencti-platform/opencti-graphql/src/domain/user.js
@@ -756,11 +756,15 @@ export const meEditField = async (context, user, userId, inputs, password = null
   return userEditField(context, user, userId, inputs);
 };
 
-const isUserTheLastAdmin = (userId, authorized_members) => {
-  const currentUserIsAdmin = authorized_members.some(({ id, access_right }) => id === userId && access_right === 'admin');
-  const anotherUserIsAdmin = authorized_members.some(({ id, access_right }) => id !== userId && access_right === 'admin');
+export const isUserTheLastAdmin = (userId, authorized_members) => {
+  if (authorized_members !== null && authorized_members !== undefined) {
+    const currentUserIsAdmin = authorized_members.some(({ id, access_right }) => id === userId && access_right === 'admin');
+    const anotherUserIsAdmin = authorized_members.some(({ id, access_right }) => id !== userId && access_right === 'admin');
 
-  return currentUserIsAdmin && !anotherUserIsAdmin;
+    return currentUserIsAdmin && !anotherUserIsAdmin;
+  }
+  // if for some reason there is no authorized_member, then nothing prevent from deleting.
+  return false;
 };
 
 export const deleteAllWorkspaceForUser = async (context, authUser, userId) => {

diff --git a/...cti-platform/opencti-graphql/tests/02-integration/01-database/user-delete-cleanup-test.ts b/...cti-platform/opencti-graphql/tests/02-integration/01-database/user-delete-cleanup-test.ts
@@ -5,7 +5,7 @@ import { ENTITY_TYPE_USER } from '../../../src/schema/internalObject';
 import type { AuthContext, AuthUser } from '../../../src/types/user';
 import { addNotification, addTrigger, myNotificationsFind, triggerGet } from '../../../src/modules/notification/notification-domain';
 import type { MemberAccessInput, TriggerLiveAddInput, WorkspaceAddInput } from '../../../src/generated/graphql';
-import { addUser, assignGroupToUser, findById as findUserById, userDelete } from '../../../src/domain/user';
+import { addUser, assignGroupToUser, findById as findUserById, isUserTheLastAdmin, userDelete } from '../../../src/domain/user';
 import { addWorkspace, editAuthorizedMembers, findById as findWorkspaceById } from '../../../src/modules/workspace/workspace-domain';
 import type { NotificationAddInput } from '../../../src/modules/notification/notification-types';
 import { TriggerEventType, TriggerType } from '../../../src/generated/graphql';
@@ -147,4 +147,10 @@ describe('Testing user delete on cascade [issue/3720]', () => {
       console.log(JSON.stringify(e));
     }
   });
+  it('should data without authorized_member not throw exception during user deletion.', async () => {
+    // for some reason this can happend, see https://github.com/OpenCTI-Platform/opencti/issues/5580
+    const isLastAdminResult = isUserTheLastAdmin(ADMIN_USER.id, undefined);
+    expect(true, 'No exception should be raised here').toBe(true);
+    expect(isLastAdminResult, 'An entity without authorized_member data should not block deletion.').toBe(false);
+  });
 });