From 8e4539cf8ee2b464dc549f509967559ab254480b Mon Sep 17 00:00:00 2001
From: Ozzieisaacs
Date: Mon, 10 Jun 2019 19:26:01 +0200
Subject: [PATCH] Prevent delete of last admin user
---
 cps/admin.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/cps/admin.py b/cps/admin.py
index a0b87177..dec1fcb3 100644
--- a/cps/admin.py
+++ b/cps/admin.py
@@ -650,10 +650,16 @@ def edit_user(user_id):
 if request.method == "POST":
 to_save = request.form.to_dict()
 if "delete" in to_save:
- ub.session.query(ub.User).filter(ub.User.id == content.id).delete()
- ub.session.commit()
- flash(_(u"User '%(nick)s' deleted", nick=content.nickname), category="success")
- return redirect(url_for('admin.admin'))
+ if ub.session.query(ub.User).filter(and_(ub.User.role.op('&')
+ (constants.ROLE_ADMIN)== constants.ROLE_ADMIN,
+ ub.User.id != content.id)).count():
+ ub.session.query(ub.User).filter(ub.User.id == content.id).delete()
+ ub.session.commit()
+ flash(_(u"User '%(nick)s' deleted", nick=content.nickname), category="success")
+ return redirect(url_for('admin.admin'))
+ else:
+ flash(_(u"No admin user remaining, can't delete user", nick=content.nickname), category="error")
+ return redirect(url_for('admin.admin'))
 else:
 if "password" in to_save and to_save["password"]:
 content.password = generate_password_hash(to_save["password"])
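Review bot: The last-admin guard is enforced only inside the `"delete"` branch, and it runs as a `.count()` query followed by a separate delete and commit, so the instance can still end up with no administrator by two routes. The `else:` branch that follows continues past the end of this hunk (edit_user also starts before it); if that branch lets the submitted form clear the `ROLE_ADMIN` bit, the same check should run there before the role is saved. Two overlapping deletions of the last two admins could each pass `.count()` before either commits; whether that is reachable depends on how the session and database serialise writes, and a cheap defence is to re-count admins after the delete and call `ub.session.rollback()` instead of committing when the result is zero. As a smaller point, the `nick=content.nickname` argument in the error `flash` is unused because that message has no `%(nick)s` placeholder, and the three-line condition would read better assigned to a named local with a short comment explaining the bitmask test.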