From cefa47a176178a55f93035ae563609ebf798b14e Mon Sep 17 00:00:00 2001
From: "a.beging@eas-solutions.de" <a.beging@eas-solutions.de>
Date: Thu, 30 Apr 2026 09:53:05 +0200
Subject: [PATCH] Enhance user management: prevent deletion of the last admin
 user and restrict admin type changes for the last admin account

Co-authored-by: Copilot <copilot@github.com>
---
 .../Data/Service/UserService.cs                    | 14 ++++++++++++++
 FoodsharingSiegen.Server/Pages/Users.razor         | 14 +++++++++-----
 FoodsharingSiegen.Server/Pages/Users.razor.cs      | 11 +++++------
 3 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/FoodsharingSiegen.Server/Data/Service/UserService.cs b/FoodsharingSiegen.Server/Data/Service/UserService.cs
index 5b4b7f6..4937a16 100644
--- a/FoodsharingSiegen.Server/Data/Service/UserService.cs
+++ b/FoodsharingSiegen.Server/Data/Service/UserService.cs
@@ -105,6 +105,13 @@ namespace FoodsharingSiegen.Server.Data.Service
                 var user = await Context.Users!.Include(x => x.Interactions).FirstOrDefaultAsync(x => x.Id == userId);
                 if (user == null) return new(new Exception("User not found"));
 
+                if (user.Type == UserType.Admin)
+                {
+                    var adminCount = await Context.Users!.CountAsync(x => x.Type == UserType.Admin && x.Id != userId);
+                    if (adminCount == 0)
+                        return new(new Exception("Der letzte Administrator kann nicht gelöscht werden."));
+                }
+
                 // Interaktionen vom aktuellen Nutzer übernehmen
                 if(CurrentUser?.Id != null)
                     foreach (var userInteraction in user.Interactions)
@@ -184,6 +191,13 @@ namespace FoodsharingSiegen.Server.Data.Service
                 var entityUser = await Context.Users!.FirstOrDefaultAsync(x => x.Id == user.Id);
                 if (entityUser == null) return new(new Exception("User not found"));
 
+                if (entityUser.Type == UserType.Admin && user.Type != UserType.Admin)
+                {
+                    var adminCount = await Context.Users!.CountAsync(x => x.Type == UserType.Admin && x.Id != user.Id);
+                    if (adminCount == 0)
+                        return new(new Exception("Der Typ des letzten Administrators kann nicht geändert werden."));
+                }
+
                 if (entityUser.Mail != user.Mail ||
                     entityUser.Type != user.Type ||
                     entityUser.Groups != user.Groups)
diff --git a/FoodsharingSiegen.Server/Pages/Users.razor b/FoodsharingSiegen.Server/Pages/Users.razor
index 1fabec4..dfeddb8 100644
--- a/FoodsharingSiegen.Server/Pages/Users.razor
+++ b/FoodsharingSiegen.Server/Pages/Users.razor
@@ -55,13 +55,13 @@
                     </div>
                 </CardBody>
                 <CardFooter Class="d-flex justify-content-between">
-                    <div>
-                        
-                    </div>
                     <Button Color="Color.Primary" Size="Size.Small" Clicked="() => EditUser(user)"><Icon Name="IconName.Edit" /></Button>
                         <Button Color="Color.Info" Size="Size.Small" Clicked="() => SetPassword(user)"><i class="fa-solid fa-key"></i></Button>
                         <Button Color="Color.Secondary" Size="Size.Small" Clicked="() => SendPasswordSetupMail(user)"><Icon Name="IconName.Mail" /></Button>
-                    <Button Color="Color.Danger" Size="Size.Small" Clicked="() => RemoveUserAsync(user)"><Icon Name="IconName.Delete" /></Button>
+                    @if (!(user.Type == UserType.Admin && SortedUsers.Count(x => x.Type == UserType.Admin) <= 1))
+                    {
+                        <Button Color="Color.Danger" Size="Size.Small" Clicked="() => RemoveUserAsync(user)"><Icon Name="IconName.Delete" /></Button>
+                    }
                 </CardFooter>
             </Card>
         }
@@ -105,12 +105,16 @@
                 </Field>
                 <Field>
                     <FieldLabel>Typ</FieldLabel>
-                    <Select TValue="UserType" SelectedValue="EditModel.Type" SelectedValueChanged="@(v => EditModel.Type = v)">
+                    <Select TValue="UserType" SelectedValue="EditModel.Type" SelectedValueChanged="@(v => EditModel.Type = v)" Disabled="@IsLastAdmin">
                         @foreach (var enumValue in Enum.GetValues<UserType>())
                         {
                             <SelectItem TValue="UserType" Value="enumValue">@enumValue</SelectItem>
                         }
                     </Select>
+                    @if (IsLastAdmin)
+                    {
+                        <small class="text-danger mt-1 d-block">Das ist der letzte Administrator-Account. Der Typ kann nicht geändert werden.</small>
+                    }
                 </Field>
                 <Field>
                     <FieldLabel>Gruppen</FieldLabel>
diff --git a/FoodsharingSiegen.Server/Pages/Users.razor.cs b/FoodsharingSiegen.Server/Pages/Users.razor.cs
index f487841..f9b1e2b 100644
--- a/FoodsharingSiegen.Server/Pages/Users.razor.cs
+++ b/FoodsharingSiegen.Server/Pages/Users.razor.cs
@@ -57,6 +57,11 @@ namespace FoodsharingSiegen.Server.Pages
         /// </summary>
         private bool IsEditing { get; set; }
 
+        /// <summary>
+        ///     Gets a value indicating whether the current editing user is the last admin
+        /// </summary>
+        private bool IsLastAdmin => IsEditing && EditModel?.Type == UserType.Admin && UserList?.Count(x => x.Type == UserType.Admin) <= 1;
+
         /// <summary>
         ///     Gets the value of the user groups (ab)
         /// </summary>
@@ -184,12 +189,6 @@ namespace FoodsharingSiegen.Server.Pages
         /// <returns>A task that represents the asynchronous remove operation.</returns>
         private async Task RemoveUserAsync(User user)
         {
-            if (user.IsAdmin())
-            {
-                await Notification.Error("Admins können nicht gelöscht werden!");
-                return;
-            }
-
             await ConfirmDialog.ShowAsync(ModalService, "Bestätigen", $"User {user.Mail} löschen?", async () =>
             {
                 var removeR = await UserService.RemoveAsync(user.Id);