From 4f72153bd4c7c55a125cc4c9b695dc88da2104cf Mon Sep 17 00:00:00 2001
From: Valentin Tolmer <valentin@tolmer.fr>
Date: Sun, 5 Nov 2023 16:06:26 +0100
Subject: [PATCH] server: Disallow deleting hardcoded attributes

---
 server/src/infra/graphql/mutation.rs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/server/src/infra/graphql/mutation.rs b/server/src/infra/graphql/mutation.rs
index cf4b76a..ea04812 100644
--- a/server/src/infra/graphql/mutation.rs
+++ b/server/src/infra/graphql/mutation.rs
@@ -433,6 +433,15 @@ impl<Handler: BackendHandler> Mutation<Handler> {
                 &span,
                 "Unauthorized attribute deletion",
             ))?;
+        let schema = handler.get_schema().await?;
+        let attribute_schema = schema
+            .get_schema()
+            .user_attributes
+            .get_attribute_schema(&name)
+            .ok_or_else(|| anyhow!("Attribute {} is not defined in the schema", name))?;
+        if attribute_schema.is_hardcoded {
+            return Err(anyhow!("Permission denied: Attribute {} cannot be deleted", name).into());
+        }
         handler
             .delete_user_attribute(&name)
             .instrument(span)
@@ -454,6 +463,15 @@ impl<Handler: BackendHandler> Mutation<Handler> {
                 &span,
                 "Unauthorized attribute deletion",
             ))?;
+        let schema = handler.get_schema().await?;
+        let attribute_schema = schema
+            .get_schema()
+            .group_attributes
+            .get_attribute_schema(&name)
+            .ok_or_else(|| anyhow!("Attribute {} is not defined in the schema", name))?;
+        if attribute_schema.is_hardcoded {
+            return Err(anyhow!("Permission denied: Attribute {} cannot be deleted", name).into());
+        }
         handler
             .delete_group_attribute(&name)
             .instrument(span)