Description
Bug description
Deleting a pending invite via DELETE /api/v1/invite/{id} returns 403 Forbidden when the invited user has the Admin role, even when the caller is the founding admin of the instance.
The DeleteInvite handler routes through DeleteUser (pkg/modules/user/impluser/module.go). The last-admin guard at line 393 counts only active admins via GetActiveUsersByRoleAndOrgID (correctly returning 1, the founding admin), but then checks user.Role == types.RoleAdmin on the target user without considering its pending_invite status. The pending user was never counted in the active admin query, so deleting it cannot reduce the active admin count. The guard fires incorrectly.
Inviting as Viewer or Editor and then deleting works fine. The guard only triggers for Admin role.
Expected behavior
Deleting a pending admin invite should succeed. A pending_invite user is not an active admin and removing them cannot make the caller the "last admin."
How to reproduce
- Deploy SigNoz, log in as the founding admin (only admin in the org)
- Invite a new user with Admin role
- Attempt to cancel/delete the pending invite via the UI
- Observe 403 Forbidden
Version information
- Signoz version: v0.115.0
- Browser version: Brave 1.87.191
- Your OS and version: Kubernetes (Helm chart), Talos Linux nodes
- Your CPU Architecture: ARM (arm64)
Additional context
The DeleteUser code path is reasonable for invite deletion since invites create real user records. The last-admin guard just needs to exclude pending_invite status users from the check, since they are not yet active admins.
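As an added illustration (not SigNoz's own code), a self-contained Go model of the guard described in the bug description and the additional context: the types, the user records and the activeAdminCount stand-in for GetActiveUsersByRoleAndOrgID are all constructed for this example, with a Status field playing the part of pending_invite.

```go
package main

import "fmt"

// Constructed stand-in types and values; not SigNoz's real types package.
type Role string
type Status string
const (
	RoleAdmin           Role   = "ADMIN"
	StatusActive        Status = "active"
	StatusPendingInvite Status = "pending_invite"
)

type User struct {
	ID     string
	Role   Role
	Status Status
}

// activeAdminCount stands in for GetActiveUsersByRoleAndOrgID: only active
// admins are counted, so a pending_invite admin never contributes to it.
func activeAdminCount(users []User) int {
	n := 0
	for _, u := range users {
		if u.Role == RoleAdmin && u.Status == StatusActive {
			n++
		}
	}
	return n
}

// CanDeleteBuggy mirrors the reported guard: the count excludes pending invites,
// but the role check on the target does not, so a pending admin invite is refused.
func CanDeleteBuggy(users []User, target User) bool {
	return !(activeAdminCount(users) == 1 && target.Role == RoleAdmin)
}

// CanDeleteFixed refuses only when the target is itself an active admin;
// removing a pending_invite user cannot lower the active admin count.
func CanDeleteFixed(users []User, target User) bool {
	return !(activeAdminCount(users) == 1 && target.Role == RoleAdmin && target.Status == StatusActive)
}

func main() {
	org := []User{
		{ID: "founder", Role: RoleAdmin, Status: StatusActive},
		{ID: "invitee", Role: RoleAdmin, Status: StatusPendingInvite},
	}
	fmt.Println("buggy:", CanDeleteBuggy(org, org[1]), "fixed:", CanDeleteFixed(org, org[1]))
}
```

With the founding admin as the only active admin, the buggy guard refuses to delete the pending admin invite while the fixed guard allows it and still refuses to delete the founder.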