bug: Users with "User Admin" role can delete users with workspaces #19209

@evilhamsterman

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

We set up our Helpdesk team with the User Admin role to allow them to remove users that leave. According to issue #7872 they shouldn't be able to delete a user with workspaces. However, it appears they are able to. An owner like myself is unable to delete the user, but they can.

My guess is the check here

if len(workspaces) > 0 {

is using my help desk user's permissions to look up the workspaces for the user they are deleting, but since they don't have rights to see the user's workspace the number of workspaces returned is 0. So len(workspaces) > 0 is false from their perspective and the user delete is allowed to proceed.

Relevant Log Output

Expected Behavior

The user workspaces are deleted with the user, or the user delete is blocked.

Steps to Reproduce

  1. Create a test user and a test workspace
  2. Create a useradmin user with the User Admin role
  3. Use useradmin to delete the user
  4. The user is deleted but the workspace remains

Environment

  • Host OS: K3S 1.32.5+k3s1
  • Coder version: v2.22.1+8708d81

Additional Context

No response
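The failure mode the report guesses at, as an added example that is not Coder's code: a guard that counts rows through a permission-filtered query passes for any actor who cannot read those rows, while the same guard over an unfiltered count holds. The `Actor`, `Store`, `ListAuthorized`, `CountAll` and both delete functions are hypothetical names, and the data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Actor is a hypothetical caller; the flag stands in for an RBAC read grant.
type Actor struct{ CanReadWorkspaces bool }

// Store is a hypothetical in-memory stand-in for the database.
type Store struct{ byOwner map[string][]string }

// ListAuthorized mimics a permission-filtered query: rows the actor may not
// read are silently dropped rather than reported as an error.
func (s Store) ListAuthorized(a Actor, owner string) []string {
	if !a.CanReadWorkspaces {
		return nil
	}
	return s.byOwner[owner]
}

// CountAll is the unfiltered count, as a system-level query would return it.
func (s Store) CountAll(owner string) int { return len(s.byOwner[owner]) }

var ErrHasWorkspaces = errors.New("user still owns workspaces")

// DeleteUserFiltered is the suspected pattern: the guard only sees the
// actor's view of the data, so an empty view lets the delete proceed.
func DeleteUserFiltered(s Store, a Actor, target string) error {
	if len(s.ListAuthorized(a, target)) > 0 {
		return ErrHasWorkspaces
	}
	return nil // delete would proceed here
}

// DeleteUserChecked evaluates the invariant on the full data set; the actor
// parameter is kept only for signature parity with the function above.
func DeleteUserChecked(s Store, _ Actor, target string) error {
	if s.CountAll(target) > 0 {
		return ErrHasWorkspaces
	}
	return nil
}

func main() {
	s := Store{byOwner: map[string][]string{"testuser": {"test-workspace"}}} // constructed
	owner, helpdesk := Actor{CanReadWorkspaces: true}, Actor{CanReadWorkspaces: false}
	fmt.Println(DeleteUserFiltered(s, owner, "testuser"), DeleteUserFiltered(s, helpdesk, "testuser"))
	fmt.Println(DeleteUserChecked(s, helpdesk, "testuser"))
}
```

This shows the "delete is blocked" outcome from Expected Behavior; cascading the workspace deletion would need the same unfiltered lookup.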
