From b7f37c80bdf92923358106c9b34c4ae7d8c17cae Mon Sep 17 00:00:00 2001
From: Moritz
Date: Tue, 27 Jan 2026 14:29:07 +0100
Subject: [PATCH] Prevent deletion of system actor user

Add destroy validation and explicit destroy action (primary, require_atomic? false). Validation blocks destroy when email == SystemActor.system_user_email().
---
 lib/accounts/user.ex | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex
index bcaf506..65eef35 100644
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@@ -86,7 +86,13 @@ defmodule Mv.Accounts.User do
     # - :create_user (for manual user creation with optional member link)
     # - :register_with_password (for password-based registration)
     # - :register_with_rauthy (for OIDC-based registration)
-    defaults [:read, :destroy]
+    defaults [:read]
+
+    destroy :destroy do
+      primary? true
+      # Required because custom validation (system actor protection) cannot run atomically
+      require_atomic? false
+    end
 
     # Primary generic update action:
     # - Selected by AshAdmin's generated "Edit" UI and generic AshPhoenix
@@ -359,6 +365,19 @@ defmodule Mv.Accounts.User do
         :ok
       end
     end
+
+    # Prevent deletion of the system actor user (required for internal operations)
+    validate fn changeset, _context ->
+      if to_string(changeset.data.email) == Mv.Helpers.SystemActor.system_user_email() do
+        {:error,
+         field: :email,
+         message:
+           "Cannot delete system actor user. This user is required for internal operations."}
+      else
+        :ok
+      end
+    end,
+    on: [:destroy]
   end
 
   def validate_oidc_id_present(changeset, _context) do
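Review bot: `require_atomic? false` in the new `destroy :destroy do` block routes every destroy of this resource — including `Ash.bulk_destroy` calls — through per-record, non-atomic processing, which is a broader cost than the one-line comment conveys. The guard could instead be a module-based validation (`use Ash.Resource.Validation`) that implements `atomic/3` with an expression on `email`, letting the primary destroy stay atomic and bulk-safe; the inline `fn` form is what forces the non-atomic path. If the resource has other destroy-type actions (none are visible in this hunk), the new `on: [:destroy]` validation applies to them as well and they would presumably need the same `require_atomic? false`, so it is worth stating that in the comment, e.g. `# Required because the inline system-actor validation has no atomic form; any other destroy action must set this too`. The action-list comment above the hunk (`# - :create_user …`) starts outside the hunk, and if it enumerates all actions it should gain a `:destroy` bullet.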
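Review bot: The new validation identifies the system actor by string equality on `changeset.data.email`, so the protection is only as strong as the immutability of that e-mail: an update that renames the system user's address removes the guard, and assigning the system address to another account transfers it, neither of which this commit blocks. A companion validation on `:update` that refuses to change `:email` when the current record is the system actor closes that gap (sketched below). Two smaller points on the comparison line `if to_string(changeset.data.email) == Mv.Helpers.SystemActor.system_user_email() do`: if `email` is an `Ash.CiString` attribute (not visible here) the `==` is case-sensitive and should go through `Ash.CiString.compare/2` or downcase both sides, and if a destroy is issued on a record whose `email` was not selected, `to_string/1` on `%Ash.NotLoaded{}` would raise rather than reject — worth confirming against how records reach this action. The enclosing `validations do` block starts outside the hunk.
```elixir
    # … unchanged: destroy-time system actor validation …

    # The destroy guard keys on the e-mail, so the system actor's e-mail
    # must not be changeable either (nor reassignable to another record).
    validate fn changeset, _context ->
      if Ash.Changeset.changing_attribute?(changeset, :email) and
           to_string(changeset.data.email) == Mv.Helpers.SystemActor.system_user_email() do
        {:error, field: :email, message: "Cannot change the system actor user's email."}
      else
        :ok
      end
    end,
    on: [:update]
```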