From 9724327559950bbec28407d41437c29cfa5436b8 Mon Sep 17 00:00:00 2001
From: "groombook-ci[bot]" <ci@groombook.bot>
Date: Sun, 29 Mar 2026 20:47:26 +0000
Subject: [PATCH] fix(api): correct superuser guard condition from <= 1 to < 1

The guardrail should block ONLY when there are zero other active super
users. With the previous <= 1 condition, revoking/deleting a superuser
was incorrectly blocked when there were exactly 2 superusers total
(count of 1 other <= 1 triggered the block). Change to < 1 so that
having 1+ other superuser(s) correctly allows the operation.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/routes/staff.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/routes/staff.ts b/apps/api/src/routes/staff.ts
index b762b95..977a176 100644
--- a/apps/api/src/routes/staff.ts
+++ b/apps/api/src/routes/staff.ts
@@ -120,7 +120,7 @@ staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
         .where(and(eq(staff.isSuperUser, true), eq(staff.active, true), ne(staff.id, targetId)))
         .limit(2);
 
-      if (superUserCount.length <= 1) {
+      if (superUserCount.length < 1) {
         return [
           body.isSuperUser === false
             ? "Cannot revoke the last super user. Assign another super user first."
@@ -201,7 +201,7 @@ staffRouter.delete("/:id", async (c) => {
         .from(staff)
         .where(and(eq(staff.isSuperUser, true), eq(staff.active, true), ne(staff.id, id)))
         .limit(2);
-      if (superUserCount.length <= 1) {
+      if (superUserCount.length < 1) {
         return ["Cannot delete the last super user. Assign another super user first.", null];
       }
     }