From 1f48320a2f4531a9324b5dfe5089e6aae82e0c76 Mon Sep 17 00:00:00 2001
From: Evan Goode
Date: Sun, 2 Feb 2025 21:24:39 -0500
Subject: [PATCH] api: don't allow revoke admin status of DefaultAdmins
---
 user.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/user.go b/user.go
index f887e02..2e25e45 100644
--- a/user.go
+++ b/user.go
@@ -328,6 +328,9 @@ func (app *App) UpdateUser(
 if !callerIsAdmin {
 return User{}, NewBadRequestUserError("Cannot change admin status of user without having admin privileges yourself.")
 }
+ if !(*isAdmin) && app.IsDefaultAdmin(&user) {
+ return User{}, NewBadRequestUserError("Cannot revoke admin status of a default admin.")
+ }
 user.IsAdmin = *isAdmin
 }
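Review bot: The new `app.IsDefaultAdmin(&user)` guard enforces a privilege invariant with no comment and no test; the diffstat shows only user.go changed, so nothing pins it against regression. I would add a comment above it such as `// Default admins must keep their admin flag; reject any API request that would clear it.` and a test that calls UpdateUser with isAdmin=false on a default admin and expects the error with IsAdmin left true. The guard evaluates `user` as it stands at this point in UpdateUser, whose body starts and ends outside the hunk; if an earlier part of the function can change the field IsDefaultAdmin matches on within the same request, the check should run against the stored record instead. Other paths that remove an admin's access, such as account deletion, are not visible here and may need the same guard.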