From 713d6f21da54168dfee0ce598cf874df7b18b762 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marius=20D=C3=B6rbandt?= <github.marius@doerbandt.de>
Date: Thu, 22 Aug 2024 16:33:56 +0200
Subject: [PATCH] Fix removal of user leaking permissions to public user

---
 .../services/custom-update.ts                 | 28 +++++++++----------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/projects/bp-strapi/src/api/parameterized-permission/services/custom-update.ts b/projects/bp-strapi/src/api/parameterized-permission/services/custom-update.ts
index 095b655d0..6ebfb7e4e 100644
--- a/projects/bp-strapi/src/api/parameterized-permission/services/custom-update.ts
+++ b/projects/bp-strapi/src/api/parameterized-permission/services/custom-update.ts
@@ -198,12 +198,6 @@ export const removeUser = async (id: string) => {
     return;
   }
 
-  await userQuery.delete({
-    where: {
-      id,
-    },
-  });
-
   const permissionQuery = strapi.db.query('api::parameterized-permission.parameterized-permission');
   // deleteMany currently doesn't support relational filters:
   // https://github.com/strapi/strapi/issues/11998
@@ -214,15 +208,19 @@ export const removeUser = async (id: string) => {
       },
     },
   });
-  await Promise.all(
-    permissionsToDelete.map(permission => {
-      permissionQuery.delete({
-        where: {
-          id: permission.id,
-        },
-      });
-    })
-  );
+  await permissionQuery.delete({
+    where: {
+      id: {
+        $in: permissionsToDelete.map(permission => permission.id),
+      },
+    },
+  });
+
+  await userQuery.delete({
+    where: {
+      id,
+    },
+  });
 
   return 1;
 };