🚀 Feature: Protection against disabling / deleting only admin account #102

New Issue

Closed

opened 2025-10-07 00:01:46 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2025-10-07 00:01:46 +03:00

Owner

Copy Link

Originally created by @filleokus on GitHub.

Feature description

When logged in as an admin in the admin dashboard it would be nice if the application protected me from myself, by not allowing me to disable or delete the only admin account.

Pitch

I was disabling some users in my instance and didn't look too carefully and accidentally disabled my own account, locking myself out of PocketID since I only had one admin account 😅 Looking at the source I believe it's also possible to delete the account in the same fashion.

I don't know how big of an issue this is, but it probably doesn't make sense to disable or deactivate the only admin account (or maybe even not the currently logged in admin account?).

---

If anyone else stumbles upon this issue, it was easy to re-enable the account: I'm running pocket-id in kubernetes with a persistent volume, so I created a pod and just mounted in the pvc, and then used the sqlite cli to manually flip the flag in the database.

sqlite-debug-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: sqlite-debug
  namespace: pocket-id
spec:
  restartPolicy: Never
  containers:
  - name: sqlite
    image: nouchka/sqlite3
    command: ["sleep","3600"]
    volumeMounts:
    - name: app-data
      mountPath: /data
  volumes:
  - name: app-data
    persistentVolumeClaim:
      claimName: data-pocket-id-0

➜ ~ kubectl apply -f sqlite-debug-pod.yaml
➜ ~ kubectl exec -it sqlite-debug -n pocket-id -- bash
root@sqlite-debug:/# sqlite3 /data/pocket-id.db

BEGIN TRANSACTION;
UPDATE users
SET disabled = 0
WHERE email = 'filleokus@example.com';
COMMIT;

Originally created by @filleokus on GitHub. ### Feature description When logged in as an admin in the admin dashboard it would be nice if the application protected me from myself, by not allowing me to disable or delete the only admin account. ### Pitch I was disabling some users in my instance and didn't look too carefully and accidentally disabled my own account, locking myself out of PocketID since I only had one admin account 😅 Looking at the source I believe it's also possible to delete the account in the same fashion. I don't know how big of an issue this is, but it probably doesn't make sense to disable or deactivate the only admin account (or maybe even not the currently logged in admin account?). ---- If anyone else stumbles upon this issue, it was easy to re-enable the account: I'm running pocket-id in kubernetes with a persistent volume, so I created a pod and just mounted in the pvc, and then used the sqlite cli to manually flip the flag in the database. <details> <summary>sqlite-debug-pod.yaml</summary> ```yaml apiVersion: v1 kind: Pod metadata: name: sqlite-debug namespace: pocket-id spec: restartPolicy: Never containers: - name: sqlite image: nouchka/sqlite3 command: ["sleep","3600"] volumeMounts: - name: app-data mountPath: /data volumes: - name: app-data persistentVolumeClaim: claimName: data-pocket-id-0 ``` </details> ``` ➜ ~ kubectl apply -f sqlite-debug-pod.yaml ➜ ~ kubectl exec -it sqlite-debug -n pocket-id -- bash root@sqlite-debug:/# sqlite3 /data/pocket-id.db BEGIN TRANSACTION; UPDATE users SET disabled = 0 WHERE email = 'filleokus@example.com'; COMMIT; ```

OVERLORD added the needs more upvotes label 2025-10-07 00:01:46 +03:00

OVERLORD closed this issue 2025-10-07 00:01:47 +03:00

OVERLORD commented 2025-10-07 00:01:48 +03:00

Author

Owner

Copy Link

@filleokus commented on GitHub:

Thanks! From my perspective that's enough to solve my issue 👍

@filleokus commented on GitHub: Thanks! From my perspective that's enough to solve my issue 👍

OVERLORD commented 2025-10-07 00:01:49 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

As of this commit: f0c144c51c, You wont be able to Disable/Delete the admin account you are signed in with.

Does this suffice your needs? or do you think a better alterntiave should be used instead?

@kmendell commented on GitHub: As of this commit: https://github.com/pocket-id/pocket-id/commit/f0c144c51c635bc348222a00d3bc88bc4e0711ef, You wont be able to Disable/Delete the admin account you are signed in with. Does this suffice your needs? or do you think a better alterntiave should be used instead?

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

i18n_crowdin

breaking/v2

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label needs more upvotes

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#102