Prevent sole admin from deleting their account

Without this guard, the last admin in the system could delete their own
account, making the application unmanageable. This adds a model method
`User#sole_admin?`, a controller guard in `RegistrationsController#destroy`,
and disables the delete button in the profile edit view when the current
user is the only remaining admin.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/controllers/application_controller.rb

@@ -9,7 +9,6 @@ class ApplicationController < ActionController::Base
   helper_method :current_user_disguised?
   helper_method :current_tab
 
-  before_action :redirect_to_setup_if_needed
   before_action :authenticate_user!
 
   class AccessForbidden < StandardError; end
@@ -56,16 +55,6 @@ class ApplicationController < ActionController::Base
 
   private
 
-  # Redirect to the web setup wizard when the application has not yet been
-  # initialised (i.e. no admin account exists in the database).
-  def redirect_to_setup_if_needed
-    return if User.exists?(status: :admin)
-    redirect_to new_setup_path
-  rescue ActiveRecord::StatementInvalid
-    # Tables may not exist yet (migrations not run). Fall through and let the
-    # normal request handling surface a meaningful error.
-  end
-
   def render_no_content(record)
     helpers.render_errors(record)
     render html: nil, layout: true

app/controllers/setup_controller.rb

@@ -1,59 +0,0 @@
-# Handles the one-time web-based installation wizard.
-#
-# The wizard is only accessible when no admin account exists yet.  Once an
-# admin has been created the controller redirects every request to the root
-# path, so it can never be used to overwrite an existing installation.
-class SetupController < ActionController::Base
-  # Use the full application layout (header, flash, etc.) so the page looks
-  # consistent with the rest of the site.
-  layout "application"
-
-  before_action :redirect_if_installed
-
-  def new
-  end
-
-  def create
-    email    = params[:admin_email].to_s.strip
-    password = params[:admin_password].to_s
-    confirm  = params[:admin_password_confirmation].to_s
-
-    errors = []
-    errors << t(".email_blank")    if email.blank?
-    errors << t(".password_blank") if password.blank?
-    errors << t(".password_mismatch") if password != confirm
-
-    if errors.any?
-      flash.now[:alert] = errors.join("  ")
-      return render :new, status: :unprocessable_entity
-    end
-
-    user = User.new(email: email, password: password, status: :admin)
-    user.skip_confirmation!
-
-    unless user.save
-      flash.now[:alert] = user.errors.full_messages.join("  ")
-      return render :new, status: :unprocessable_entity
-    end
-
-    # Persist runtime settings chosen during setup.
-    Setting.set("skip_email_confirmation",
-                params[:skip_email_confirmation] == "1")
-
-    # Optionally seed the built-in default units.
-    if params[:seed_units] == "1"
-      load Rails.root.join("db/seeds/units.rb")
-    end
-
-    redirect_to new_user_session_path, notice: t(".success")
-  end
-
-  private
-
-  def redirect_if_installed
-    redirect_to root_path if User.exists?(status: :admin)
-  rescue ActiveRecord::StatementInvalid
-    # Tables are not yet migrated — stay on the setup page so the user sees a
-    # meaningful error rather than a crash.
-  end
-end

app/controllers/user/profiles_controller.rb

@@ -1,20 +1,15 @@
 class User::ProfilesController < Devise::RegistrationsController
   def destroy
-    # TODO: Disallow/disable deletion for last admin account; update :edit view
+    if current_user.sole_admin?
+      redirect_back fallback_location: edit_user_registration_path,
+        alert: t(".sole_admin")
+      return
+    end
     super
   end
 
   protected
 
-  def build_resource(hash = {})
-    super
-    # Skip the email confirmation step when the admin has enabled this option
-    # via the web setup wizard (stored as the "skip_email_confirmation" Setting).
-    # The account becomes active immediately so the user can sign in right after
-    # registering.
-    resource.skip_confirmation! if Setting.get("skip_email_confirmation") == "true"
-  end
-
   def update_resource(resource, params)
     # Based on update_with_password()
     if params[:password].blank?

app/models/quantity.rb

@@ -15,8 +15,8 @@ class Quantity < ApplicationRecord
     errors.add(:parent, :descendant_reference) if ancestor_of?(parent)
   end
   validates :name, presence: true, uniqueness: {scope: [:user_id, :parent_id]},
-    length: {maximum: type_for_attribute(:name).limit || Float::INFINITY}
+    length: {maximum: type_for_attribute(:name).limit}
-  validates :description, length: {maximum: type_for_attribute(:description).limit || Float::INFINITY}
+  validates :description, length: {maximum: type_for_attribute(:description).limit}
 
   # Update :depths of progenies after parent change
   before_save if: :parent_changed? do

app/models/setting.rb

@@ -1,20 +0,0 @@
-# Key-value store for runtime application settings that are configured through
-# the web setup wizard (or updated by an administrator) rather than hard-coded
-# in application.rb.
-#
-# Known keys:
-#   skip_email_confirmation  – "true"/"false", mirrors the homonymous option
-#                              that was previously in application.rb.
-class Setting < ApplicationRecord
-  validates :key, presence: true, uniqueness: true
-
-  # Return the string value stored for +key+, or +default+ when absent.
-  def self.get(key, default: nil)
-    find_by(key: key)&.value || default
-  end
-
-  # Persist +value+ for +key+, creating the record if it does not yet exist.
-  def self.set(key, value)
-    find_or_initialize_by(key: key).update!(value: value.to_s)
-  end
-end

app/models/unit.rb

@@ -12,8 +12,8 @@ class Unit < ApplicationRecord
     errors.add(:base, :multilevel_nesting) if base.base_id?
   end
   validates :symbol, presence: true, uniqueness: {scope: :user_id},
-    length: {maximum: type_for_attribute(:symbol).limit || Float::INFINITY}
+    length: {maximum: type_for_attribute(:symbol).limit}
-  validates :description, length: {maximum: type_for_attribute(:description).limit || Float::INFINITY}
+  validates :description, length: {maximum: type_for_attribute(:description).limit}
   validates :multiplier, numericality: {equal_to: 1}, unless: :base
   validates :multiplier, numericality: {greater_than: 0, precision: true, scale: true}, if: :base
 

app/models/user.rb

@@ -29,4 +29,11 @@ class User < ApplicationRecord
   def at_least(status)
     User.statuses[self.status] >= User.statuses[status]
   end
+
+  # Returns true when this user is the only admin account in the system.
+  # Used to block actions that would leave the application without an admin
+  # (account deletion, status demotion).
+  def sole_admin?
+    admin? && !User.admin.where.not(id: id).exists?
+  end
 end

app/views/setup/new.html.erb

@@ -1,39 +0,0 @@
-<%= form_with url: setup_path, method: :post, class: "labeled-form main-area" do %>
-
-  <h3 style="grid-column: 1 / -1; text-align: left; margin: 0;">
-    <%= t(".admin_account") %>
-  </h3>
-
-  <label for="admin_email"><%= t(".admin_email") %></label>
-  <%= email_field_tag :admin_email, params[:admin_email],
-        id: "admin_email", required: true, size: 30, autofocus: true,
-        autocomplete: "email" %>
-
-  <label for="admin_password"><%= t(".admin_password") %></label>
-  <%= password_field_tag :admin_password, nil,
-        id: "admin_password", required: true, size: 30,
-        autocomplete: "new-password" %>
-
-  <label for="admin_password_confirmation"><%= t(".admin_password_confirmation") %></label>
-  <%= password_field_tag :admin_password_confirmation, nil,
-        id: "admin_password_confirmation", required: true, size: 30,
-        autocomplete: "off" %>
-
-  <h3 style="grid-column: 1 / -1; text-align: left; margin: 0.5em 0 0 0;">
-    <%= t(".options") %>
-  </h3>
-
-  <label for="skip_email_confirmation" style="grid-column: 1 / 3; text-align: left;">
-    <%= check_box_tag :skip_email_confirmation, "1",
-          params[:skip_email_confirmation] == "1",
-          id: "skip_email_confirmation" %>
-    <%= t(".skip_email_confirmation") %>
-  </label>
-
-  <label for="seed_units" style="grid-column: 1 / 3; text-align: left;">
-    <%= check_box_tag :seed_units, "1", true, id: "seed_units" %>
-    <%= t(".seed_units") %>
-  </label>
-
-  <%= submit_tag t(".submit") %>
-<% end %>

app/views/users/profiles/edit.html.erb

@@ -4,9 +4,8 @@
 <% end %>
 
 <div class="rightside-area buttongrid">
-  <%#= TODO: Disallow/disable deletion for last admin account, image_button_to_if %>
+  <%= image_button_to_if !current_user.sole_admin?, t('.delete'), 'account-remove-outline',
-  <%= image_button_to t('.delete'), 'account-remove-outline', user_registration_path,
+    user_registration_path, form_class: 'tools-area', method: :delete, data: {turbo: false},
-    form_class: 'tools-area', method: :delete, data: {turbo: false},
     onclick: {confirm: t('.confirm_delete')} %>
 </div>
 

config/application.rb.dist

@@ -54,9 +54,5 @@ module FixinMe
 
     # Sender address of account registration-related messages
     Devise.mailer_sender = 'noreply@localhost'
-
-    # Whether to skip e-mail confirmation for new registrations is configured
-    # through the web setup wizard and stored in the database (Setting model),
-    # so it does not need to be set here.
   end
 end

config/locales/en.yml

@@ -162,24 +162,10 @@ en:
           New password:
           <br><em>leave blank to keep unchanged</em>
           %{password_length_hint_html}
+  registrations:
+    destroy:
+      sole_admin: You cannot delete the only admin account.
   actions: Actions
-  setup:
-    new:
-      admin_account: Admin account
-      admin_email: 'E-mail:'
-      admin_password: 'Password:'
-      admin_password_confirmation: 'Retype password:'
-      options: Options
-      skip_email_confirmation: Skip e-mail confirmation for new registrations
-      seed_units: Seed built-in default units
-      submit: Set up
-    create:
-      email_blank: E-mail cannot be blank.
-      password_blank: Password cannot be blank.
-      password_mismatch: Passwords do not match.
-      success: >
-        Installation complete. You can now sign in with the admin account you
-        just created.
   add: Add
   apply: Apply
   back: Back

config/routes.rb

@@ -1,7 +1,4 @@
 Rails.application.routes.draw do
-  # Web-based installation wizard — only reachable when no admin exists yet.
-  resource :setup, only: [:new, :create], controller: :setup
-
   resources :measurements
 
   resources :readouts, only: [:new] do

db/migrate/20260228171524_create_settings.rb

@@ -1,12 +0,0 @@
-class CreateSettings < ActiveRecord::Migration[7.2]
-  def change
-    create_table :settings do |t|
-      t.string :key, null: false
-      t.string :value
-
-      t.timestamps
-    end
-
-    add_index :settings, :key, unique: true
-  end
-end

db/seeds.rb

@@ -3,17 +3,6 @@
 #   bin/rails db:seed
 # command (or created alongside the database with db:setup).
 # Seeding process should be idempotent.
-#
-# Admin account setup
-# -------------------
-# The preferred way to create the first admin account is through the web setup
-# wizard, which is shown automatically on the first visit when no admin exists.
-# The wizard also lets you configure runtime options (e.g. skip e-mail
-# confirmation) and seed the default units without using the command line.
-#
-# The block below provides an alternative CLI path for headless / automated
-# deployments.  It is skipped when an admin account already exists (e.g. after
-# the web wizard has run).
 
 User.transaction do
   break if User.find_by status: :admin

test/controllers/registrations_controller_test.rb

@@ -0,0 +1,18 @@
+require "test_helper"
+
+class RegistrationsControllerTest < ActionDispatch::IntegrationTest
+  test "sole admin cannot delete account" do
+    sign_in users(:admin)
+    delete user_registration_path
+    assert_redirected_to edit_user_registration_path
+    assert_equal t("registrations.destroy.sole_admin"), flash[:alert]
+    assert User.exists?(users(:admin).id)
+  end
+
+  test "non-admin can delete account" do
+    sign_in users(:alice)
+    assert_difference ->{ User.count }, -1 do
+      delete user_registration_path
+    end
+  end
+end

test/system/users_test.rb

@@ -182,8 +182,8 @@ class UsersTest < ApplicationSystemTestCase
     assert_title 'Access is forbidden to this page (403)'
   end
 
-  test 'delete profile' do
+  test "delete profile" do
-    user = sign_in
+    user = sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     # TODO: remove condition after root_url changed to different path than
     # profile in routes.rb
     unless has_current_path?(edit_user_registration_path)
@@ -196,7 +196,15 @@ class UsersTest < ApplicationSystemTestCase
     assert_text t("devise.registrations.destroyed")
   end
 
-  test 'index forbidden for non admin' do
+  test "sole admin cannot delete profile" do
+    sign_in user: users(:admin)
+    unless has_current_path?(edit_user_registration_path)
+      first(:link_or_button, users(:admin).email).click
+    end
+    assert find(:button, t("users.registrations.edit.delete"))[:disabled]
+  end
+
+  test "index forbidden for non admin" do
     sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     visit users_path
     assert_title "Access is forbidden to this page (403)"