User deactivation error

Description

Hi Folks. When I try to deactivate a user, I get an error message: “Leaving the app without an active admin is not allowed [error-action-not-allowed]”, but I have the admin role. It was OK on the last version 3. But now, after upgrading to 4.1.0, this happens. Is this a bug, or does something need to be adjusted somewhere?

Server Setup Information

  • Version of Rocket.Chat Server: 4.1.0
  • Operating System: Ubuntu 20.04
  • Deployment Method: tar
  • Number of Running Instances: 2
  • DB Replicaset Oplog: yes
  • NodeJS Version: 12.22.1
  • MongoDB Version: 5.0
  • Proxy: nginx
  • Firewalls involved:

Hi @Yures! Welcome to our forum.

I think this is probably something introduced in 4.1.0 according to here:

The release notes point to this PR here:

Please, can you:

  • Reproduce this behavior on a clean new install?
  • Detail the exact steps and order to reproduce it?

We should triage this, and understand if it’s indeed a bug or an expected behavior.

If it’s a bug, we can open up an Issue at the GitHub repo.

Thanks!

Made a clean installation. The versions are the same as in the working installation. The settings are all by default. Created a user, and when I try to deactivate it, I get the same error. Also, another error came up when trying to change the password of the user in the admin panel: “TOTP Required [totp-required]”.

Hi Yures!

I was able to reproduce this error. It’s indeed a bug.

You can no longer deactivate any user because of this new check. The user I tried to deactivate is not even an admin.

This will happen if you only have one admin. If you create a second admin, it will work.

It probably needs to check if the user marked for deactivation is an admin.

I can confirm the same happens when trying to deactivate through the REST API:

In [9]: t = rocket.users_set_active_status(user_id="L9GwYzGLotxnfgTp8", active_status=False)

In [10]: t
Out[10]: <Response [400]>

In [11]: t.json()
Out[11]: 
{'success': False,
 'error': 'Leaving the app without an active admin is not allowed [error-action-not-allowed]',
 'errorType': 'error-action-not-allowed',
 'details': {'method': 'removeUserFromRole', 'action': 'Remove_last_admin'}}

Hey again! I just produced a PR to fix this:

Thanks!!
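
The last-admin guard discussed in this thread, as an added example that is not part of the original posts and is not Rocket.Chat's own code: a simplified in-memory model in which the function names, the user records and the `attempt` helper are all hypothetical. It contrasts a guard that ignores who is being deactivated with one that refuses only when the target is the last active admin.

```javascript
// Simplified model of the guard described in the thread (hypothetical names,
// not Rocket.Chat source). Sample users below are constructed for illustration.
const users = [
  { _id: 'admin1', roles: ['admin'], active: true },
  { _id: 'user1', roles: ['user'], active: true },
];

const activeAdmins = (list) =>
  list.filter((u) => u.active && u.roles.includes('admin'));

function lastAdminError() {
  const err = new Error('Leaving the app without an active admin is not allowed');
  err.errorType = 'error-action-not-allowed';
  return err;
}

const setInactive = (list, targetId) =>
  list.map((u) => (u._id === targetId ? { ...u, active: false } : u));

// Reported behaviour: the guard fires whenever exactly one active admin exists,
// without checking whether the target holds the admin role.
function deactivateBuggy(list, targetId) {
  if (activeAdmins(list).length === 1) throw lastAdminError();
  return setInactive(list, targetId);
}

// Suggested check: refuse only when the target is itself the last active admin.
function deactivateFixed(list, targetId) {
  const target = list.find((u) => u._id === targetId);
  if (!target) throw new Error('user not found');
  const admins = activeAdmins(list);
  if (admins.length === 1 && admins[0]._id === target._id) throw lastAdminError();
  return setInactive(list, targetId);
}

// Returns 'ok' or the error type, so both guards can be compared side by side.
function attempt(fn, list, targetId) {
  try {
    fn(list, targetId);
    return 'ok';
  } catch (e) {
    return e.errorType || e.message;
  }
}

console.log('buggy, regular user:', attempt(deactivateBuggy, users, 'user1'));
console.log('fixed, regular user:', attempt(deactivateFixed, users, 'user1'));
console.log('fixed, last admin:  ', attempt(deactivateFixed, users, 'admin1'));
```

Adding a second active admin to the list makes the buggy guard pass as well, which matches the workaround mentioned above.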