🐛 Bug Report: Admin can delete their own account, resulting in a lockout if they are the only admin. #94

Closed
opened 2025-10-07 00:01:27 +03:00 by OVERLORD · 1 comment

Originally created by @zeedif on GitHub.

Originally assigned to: @kmendell on GitHub.

Reproduction steps

  1. Set up a fresh instance of Pocket-ID with a single administrator account.
  2. Log in as that administrator.
  3. Navigate to the "Users" page in the admin settings (/settings/admin/users).
  4. Find your own user account in the list.
  5. Click the "Delete" button for your own account and confirm the deletion in the dialog.

Expected behavior

The application should prevent the deletion of the last (and only) administrator account. At a minimum, it should display a strong, explicit warning highlighting that this action will result in a complete lockout from the application, requiring manual database intervention to recover.

Actual Behavior

The application allows the deletion to proceed without any special warnings. The user is immediately logged out. Upon trying to log back in, no passkeys are found. The /setup endpoint correctly reports that setup is already complete, leaving the user completely locked out with no UI-based recovery path.

Version and Environment

  • Pocket ID Version: v1.6.4
  • Environment: Running via Docker Compose behind an Nginx Proxy Manager reverse proxy. The underlying database is the default SQLite.

Log Output

No response


@kmendell commented on GitHub:

This should be fixed for the UI side of things here: https://github.com/pocket-id/pocket-id/commit/f0c144c51c635bc348222a00d3bc88bc4e0711ef. An admin will now not be able to delete or disable their own account via the UI.

This will be available in the next release.

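The report asks that the last administrator can never be removed, and the fix above blocks self-deletion in the UI. A server-side guard is what actually closes the lockout path, since a UI check can be skipped by calling the API directly. The following is an added illustration, not Pocket-ID's own code: the `User` type, the hypothetical `CanRemoveAdminCapability` function and the sample user list are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a hypothetical minimal user record (not Pocket-ID's own type).
type User struct {
	ID       string
	IsAdmin  bool
	Disabled bool
}

var (
	ErrSelfRemove = errors.New("admins cannot delete or disable their own account")
	ErrLastAdmin  = errors.New("refusing to remove the last active administrator")
)

// CanRemoveAdminCapability is a server-side check run before an admin
// (actorID) deletes or disables targetID. It rejects self-removal, mirroring
// the UI fix, and rejects any request that would leave zero active admins,
// which is the lockout the bug report describes. Disabled admins do not
// count, because a disabled account cannot log in to recover the instance.
func CanRemoveAdminCapability(users []User, actorID, targetID string) error {
	if actorID == targetID {
		return ErrSelfRemove
	}
	var target *User
	activeAdmins := 0
	for i := range users {
		u := &users[i]
		if u.ID == targetID {
			target = u
		}
		if u.IsAdmin && !u.Disabled {
			activeAdmins++
		}
	}
	if target == nil {
		return fmt.Errorf("user %q not found", targetID)
	}
	// Removing the only active admin must fail, even for another admin's request.
	if target.IsAdmin && !target.Disabled && activeAdmins <= 1 {
		return ErrLastAdmin
	}
	return nil
}

func main() {
	// Constructed sample: one admin, one regular user, as in the report.
	users := []User{{ID: "admin-1", IsAdmin: true}, {ID: "user-1"}}
	fmt.Println(CanRemoveAdminCapability(users, "admin-1", "admin-1"))
}
```

The same check should run on the disable path, since disabling the only admin produces the identical lockout.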
Reference: starred/pocket-id#94