[management] Add missing group usage checks for network resources and…

… routes access control (#3117) * Prevent deletion of groups linked to routes access control groups Signed-off-by: bcmmbaga <[email protected]> * Prevent deletion of groups linked to network resource Signed-off-by: bcmmbaga <[email protected]> --------- Signed-off-by: bcmmbaga <[email protected]>
netbirdio · Dec 27, 2024 · 445b626 · 445b626
1 parent b3c87cb
commit 445b626
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/management/server/group.go b/management/server/group.go
@@ -474,6 +474,10 @@ func validateDeleteGroup(ctx context.Context, transaction store.Store, group *ty
 		return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
 	}
 
+	if len(group.Resources) > 0 {
+		return &GroupLinkError{"network resource", group.Resources[0].ID}
+	}
+
 	if isLinked, linkedRoute := isGroupLinkedToRoute(ctx, transaction, group.AccountID, group.ID); isLinked {
 		return &GroupLinkError{"route", string(linkedRoute.NetID)}
 	}
@@ -529,7 +533,10 @@ func isGroupLinkedToRoute(ctx context.Context, transaction store.Store, accountI
 	}
 
 	for _, r := range routes {
-		if slices.Contains(r.Groups, groupID) || slices.Contains(r.PeerGroups, groupID) {
+		isLinked := slices.Contains(r.Groups, groupID) ||
+			slices.Contains(r.PeerGroups, groupID) ||
+			slices.Contains(r.AccessControlGroups, groupID)
+		if isLinked {
 			return true, r
 		}
 	}