fix(auth): prevent system roles from being updated

- throw error in updateRole when role is system-protected - hide edit button in roles table for system roles - update README to reflect roles cannot be modified (not just renamed)
2026-04-25 09:59:33 -04:00
parent ebdeea7287
commit 826ce3dcd1
3 changed files with 11 additions and 8 deletions
@@ -214,7 +214,7 @@ await assignUserRole(userId, roleId);
 await revokeUserRole(userId, roleId);
 ```
-Les rôles système (`is_system = true`) ne peuvent pas être renommés ni supprimés.
+Les rôles système (`is_system = true`) ne peuvent pas être modifiés ni supprimés.
 ---
@@ -54,6 +54,7 @@ export async function updateRole(roleId, { name, description, color, permissionK
  if (role.rows.length === 0) throw new Error('Role not found');
  const isSystem = role.rows[0].is_system;
  if (isSystem) throw new Error('Cannot update a system role');
  return transaction(async (client) => {
    const updateFields = [];
@@ -81,13 +81,15 @@ const RolesPageClient = ({ canManage }) => {
            align: 'right',
            render: (role) => (
                <div className="flex items-center justify-end gap-2">
-                    <Button
+                    {!role.is_system && (
-                        variant="secondary"
+                        <Button
-                        onClick={() => openEdit(role.id)}
+                            variant="secondary"
-                        icon={PencilEdit01Icon}
+                            onClick={() => openEdit(role.id)}
-                    >
+                            icon={PencilEdit01Icon}
-                        Modifier
+                        >
-                    </Button>
+                            Modifier
                        </Button>
                    )}
                    {!role.is_system && (
                        <Button
                            variant="danger"