From c76a37b15cc41581338c7a7769db105bf25fc898 Mon Sep 17 00:00:00 2001
From: "groombook-ci[bot]" <ci@groombook.bot>
Date: Sun, 29 Mar 2026 12:11:53 +0000
Subject: [PATCH] fix(staff): add revoke button to super user rows + serialize
 guardrail in transaction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Frontend:
- Super users now see a "Revoke" button (disabled when last super user)
  alongside the ★ badge on super-user rows in the Staff table.
  Non-super-user rows show the existing "+ Grant" button.

Backend (race condition fix):
- PATCH /api/staff/:id (isSuperUser=false or active=false): count check +
  update now wrapped in a db.transaction() with FOR UPDATE lock on the
  target row, preventing a race where two concurrent revokes could both
  pass the guard and leave zero super users.
- DELETE /api/staff/:id: same transaction + FOR UPDATE guard applied.

GRO-206 CTO review feedback

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/routes/staff.ts | 128 ++++++++++++++++++++---------------
 apps/web/src/pages/Staff.tsx |  18 ++++-
 2 files changed, 90 insertions(+), 56 deletions(-)

diff --git a/apps/api/src/routes/staff.ts b/apps/api/src/routes/staff.ts
index 05b334d..4f5498c 100644
--- a/apps/api/src/routes/staff.ts
+++ b/apps/api/src/routes/staff.ts
@@ -65,42 +65,61 @@ staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
     return c.json({ error: "Forbidden: super user privileges required to modify super user status" }, 403);
   }
 
-  // Before revoking super user, check if this is the last one
-  if (body.isSuperUser === false) {
-    const superUserCount = await db
-      .select({ id: staff.id })
-      .from(staff)
-      .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
-      .limit(2);
-    // If only 1 or 0 active super users and the target is one of them, block revoke
-    if (superUserCount.length <= 1) {
-      return c.json(
-        { error: "Cannot revoke the last super user. Assign another super user first." },
-        400
-      );
-    }
-  }
+  // Before revoking or deactivating the last super user, serialize access with a
+  // transaction + FOR UPDATE to prevent a race where two concurrent requests both
+  // pass the count check and leave zero super users.
+  const needsSuperUserGuard = body.isSuperUser === false || body.active === false;
+  if (needsSuperUserGuard) {
+    const [guardError, row] = await db.transaction(async (tx) => {
+      // Lock the target row so no other request can modify it concurrently
+      const [target] = await tx
+        .select({ isSuperUser: staff.isSuperUser })
+        .from(staff)
+        .where(eq(staff.id, targetId))
+        .limit(1)
+        .for("update");
 
-  // When deactivating a super user, also check last-super-user guardrail
-  if (body.active === false) {
-    const [target] = await db
-      .select({ isSuperUser: staff.isSuperUser })
-      .from(staff)
-      .where(eq(staff.id, targetId))
-      .limit(1);
-    if (target?.isSuperUser) {
-      const superUserCount = await db
+      if (!target) return ["Not found", null as (typeof staff.$inferSelect | null)];
+
+      // Only enforce guard if the target is actually a super user
+      const isRevokingSuperUser = body.isSuperUser === false && target.isSuperUser;
+      const isDeactivatingSuperUser = body.active === false && target.isSuperUser;
+      if (!isRevokingSuperUser && !isDeactivatingSuperUser) {
+        const [updated] = await tx
+          .update(staff)
+          .set({ ...body, updatedAt: new Date() })
+          .where(eq(staff.id, targetId))
+          .returning();
+        return [null, updated];
+      }
+
+      // Count active super users (excluding target — it will be changed)
+      const superUserCount = await tx
         .select({ id: staff.id })
         .from(staff)
-        .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
+        .where(and(eq(staff.isSuperUser, true), eq(staff.active, true), ne(staff.id, targetId)))
         .limit(2);
+
       if (superUserCount.length <= 1) {
-        return c.json(
-          { error: "Cannot deactivate the last super user. Assign another super user first." },
-          400
-        );
+        return [
+          body.isSuperUser === false
+            ? "Cannot revoke the last super user. Assign another super user first."
+            : "Cannot deactivate the last super user. Assign another super user first.",
+          null,
+        ];
       }
-    }
+
+      const [updated] = await tx
+        .update(staff)
+        .set({ ...body, updatedAt: new Date() })
+        .where(eq(staff.id, targetId))
+        .returning();
+      return [null, updated];
+    });
+
+    if (guardError) return c.json({ error: guardError }, guardError === "Not found" ? 404 : 400);
+    if (!row) return c.json({ error: "Not found" }, 404);
+    return c.json(row);
   }
 
   const [row] = await db
@@ -138,31 +157,34 @@ staffRouter.delete("/:id", async (c) => {
     );
   }
 
-  // Prevent deleting the last super user
-  const [targetStaff] = await db
-    .select({ isSuperUser: staff.isSuperUser })
-    .from(staff)
-    .where(eq(staff.id, id))
-    .limit(1);
-  if (targetStaff?.isSuperUser) {
-    const superUserCount = await db
-      .select({ id: staff.id })
+  // Prevent deleting the last super user — use transaction to avoid race
+  const [guardError, deleted] = await db.transaction(async (tx) => {
+    const [targetStaff] = await tx
+      .select({ isSuperUser: staff.isSuperUser })
       .from(staff)
-      .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
-      .limit(2);
-    if (superUserCount.length <= 1) {
-      return c.json(
-        { error: "Cannot delete the last super user. Assign another super user first." },
-        400
-      );
-    }
-  }
+      .where(eq(staff.id, id))
+      .limit(1)
+      .for("update");
 
-  const [row] = await db
-    .delete(staff)
-    .where(eq(staff.id, id))
-    .returning();
-  if (!row) return c.json({ error: "Not found" }, 404);
+    if (!targetStaff) return ["Not found", null];
+
+    if (targetStaff.isSuperUser) {
+      const superUserCount = await tx
+        .select({ id: staff.id })
+        .from(staff)
+        .where(and(eq(staff.isSuperUser, true), eq(staff.active, true), ne(staff.id, id)))
+        .limit(2);
+      if (superUserCount.length <= 1) {
+        return ["Cannot delete the last super user. Assign another super user first.", null];
+      }
+    }
+
+    const [row] = await tx.delete(staff).where(eq(staff.id, id)).returning();
+    return [null, row];
+  });
+
+  if (guardError === "Not found") return c.json({ error: "Not found" }, 404);
+  if (guardError) return c.json({ error: guardError }, 400);
   return c.json({ ok: true });
 });
 
diff --git a/apps/web/src/pages/Staff.tsx b/apps/web/src/pages/Staff.tsx
index db75145..1b12a85 100644
--- a/apps/web/src/pages/Staff.tsx
+++ b/apps/web/src/pages/Staff.tsx
@@ -143,9 +143,21 @@ export function StaffPage() {
                 <td style={tdStyle}><span style={{ textTransform: "capitalize" }}>{s.role}</span></td>
                 <td style={tdStyle}>
                   {s.isSuperUser ? (
-                    <span style={{ display: "inline-flex", alignItems: "center", gap: 4, padding: "2px 8px", borderRadius: 12, fontSize: 11, fontWeight: 600, background: "#ede9fe", color: "#5b21b6" }}>
-                      ★ Super User
-                    </span>
+                    <>
+                      <span style={{ display: "inline-flex", alignItems: "center", gap: 4, padding: "2px 8px", borderRadius: 12, fontSize: 11, fontWeight: 600, background: "#ede9fe", color: "#5b21b6" }}>
+                        ★ Super User
+                      </span>
+                      {isCurrentUserSuperUser && s.id !== me?.id && (
+                        <button
+                          onClick={() => toggleSuperUser(s)}
+                          disabled={togglingSuperUser === s.id || activeSuperUserCount <= 1}
+                          title={activeSuperUserCount <= 1 ? "Cannot revoke: last super user" : undefined}
+                          style={{ ...btnStyle, padding: "0.2rem 0.6rem", fontSize: 11, background: "#f3f4f6", color: "#374151", borderColor: "#d1d5db", marginLeft: 4 }}
+                        >
+                          {togglingSuperUser === s.id ? "…" : "Revoke"}
+                        </button>
+                      )}
+                    </>
                   ) : isCurrentUserSuperUser ? (
                     <button
                       onClick={() => toggleSuperUser(s)}