[H5] Server does not block self-role-demotion (only self-delete); lockout guard is client-only #19
Severity: High
Component(s): server + dashboard
Affected file(s):
- server/src/api/users.rs + auth extractor
- dashboard/src/.../EditUserModal.tsx
Problem:
The server blocks self-delete but not self-role-demotion, and the lockout guard is client-only — a user can demote/disable themselves and lock out the last admin.
Recommended fix:
Enforce self-demotion/self-disable protection server-side (mirror GuruRMM SPEC-027 last-admin guards).
Remediation phase: P0
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H5) and REMEDIATION-PLAN.md (P0).
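What the recommended fix looks like as a server-side check, as an added example that is not the project's code: a pure function the users handler could run before applying an update. It assumes a PATCH-style body where unset fields mean "leave unchanged", that role-based authorization (may this caller edit users at all?) happens upstream in the auth extractor, and that `actor_id` comes from that extractor, never from the request body.

```rust
// Added example, not the project's code: the self-demotion / self-disable
// and last-admin invariants from finding H5, written as a pure check.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Admin, User }

#[derive(Clone, Debug)]
pub struct User { pub id: u64, pub role: Role, pub enabled: bool }

/// PATCH-style body: `None` means "leave unchanged".
#[derive(Debug, Default)]
pub struct UserUpdate { pub role: Option<Role>, pub enabled: Option<bool> }

#[derive(Debug, PartialEq, Eq)]
pub enum Rejection { NotFound, SelfDemotion, SelfDisable, LastAdmin }

/// Ok(()) if the update may be applied, otherwise the reason to answer 4xx.
/// `actor_id` is the authenticated caller (from the auth extractor).
pub fn check_user_update(
    users: &[User], actor_id: u64, target_id: u64, upd: &UserUpdate,
) -> Result<(), Rejection> {
    let target = users.iter().find(|u| u.id == target_id).ok_or(Rejection::NotFound)?;

    let demotes = target.role == Role::Admin && upd.role == Some(Role::User);
    let disables = target.enabled && upd.enabled == Some(false);

    // 1. Self-protection, mirroring the existing self-delete check. Without it,
    //    the client-only guard in EditUserModal.tsx is bypassed by any direct call.
    if actor_id == target_id {
        if demotes { return Err(Rejection::SelfDemotion); }
        if disables { return Err(Rejection::SelfDisable); }
    }

    // 2. Last-admin guard: an update that takes the final enabled admin out of
    //    the pool is refused no matter who sends it.
    let removes_active_admin =
        target.role == Role::Admin && target.enabled && (demotes || disables);
    if removes_active_admin {
        let other_active_admins = users
            .iter()
            .filter(|u| u.id != target_id && u.role == Role::Admin && u.enabled)
            .count();
        if other_active_admins == 0 {
            return Err(Rejection::LastAdmin);
        }
    }
    Ok(())
}
```

In a real handler the admin count and the update must run in the same database transaction, otherwise two concurrent demotions can each pass the check and still leave zero admins.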