fix(core): Do not allow admins to delete the instance owner (#9489)

packages/cli/src/controllers/users.controller.ts

@@ -168,6 +168,10 @@ export class UsersController {
 			);
 		}
 
+		if (userToDelete.role === 'global:owner') {
+			throw new ForbiddenError('Instance owner cannot be deleted.');
+		}
+
 		const personalProjectToDelete = await this.projectRepository.getPersonalProjectForUserOrFail(
 			userToDelete.id,
 		);

packages/cli/test/integration/users.api.test.ts

@@ -582,6 +582,15 @@ describe('DELETE /users/:id', () => {
 		expect(user).toBeDefined();
 	});
 
+	test('should fail to delete the instance owner', async () => {
+		const admin = await createAdmin();
+		const adminAgent = testServer.authAgentFor(admin);
+		await adminAgent.delete(`/users/${owner.id}`).expect(403);
+
+		const user = await getUserById(owner.id);
+		expect(user).toBeDefined();
+	});
+
 	test('should fail to delete a user that does not exist', async () => {
 		await ownerAgent.delete(`/users/${uuid()}`).query({ transferId: '' }).expect(404);
 	});