Prevents the removal of all user groups from a user (#19995)

AndyButland · nikolajlauridsen · web-flow · commit cbb1eaec2804 · 2025-08-27T11:38:28.000Z
* Prevents the removal of all user groups from a user.

* Add additional user group when removing

---------

Co-authored-by: mole &lt;nikolajlauridsen@protonmail.ch&gt;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/User/UserOrCurrentUserControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/User/UserOrCurrentUserControllerBase.cs
@@ -25,7 +25,7 @@ protected IActionResult UserOperationStatusResult(UserOperationStatus status, Er
                 .Build()),
             UserOperationStatus.NoUserGroup => BadRequest(problemDetailsBuilder
                 .WithTitle("No User Group Specified")
-                .WithDetail("A user group must be specified to create a user")
+                .WithDetail("A user must be assigned to at least one group")
                 .Build()),
             UserOperationStatus.UserNameIsNotEmail => BadRequest(problemDetailsBuilder
                 .WithTitle("Invalid Username")
diff --git a/src/Umbraco.Core/Services/UserService.cs b/src/Umbraco.Core/Services/UserService.cs
@@ -883,7 +883,7 @@ private async Task<UserOperationStatus> ValidateUserCreateModel(UserCreateModel
             return UserOperationStatus.DuplicateUserName;
         }
 
-        if(model.UserGroupKeys.Count == 0)
+        if (model.UserGroupKeys.Count == 0)
         {
             return UserOperationStatus.NoUserGroup;
         }
@@ -912,6 +912,13 @@ private async Task<UserOperationStatus> ValidateUserCreateModel(UserCreateModel
             return Attempt.FailWithStatus<IUser?, UserOperationStatus>(UserOperationStatus.MissingUser, existingUser);
         }
 
+        // A user must remain assigned to at least one group.
+        if (model.UserGroupKeys.Count == 0)
+        {
+            scope.Complete();
+            return Attempt.FailWithStatus<IUser?, UserOperationStatus>(UserOperationStatus.NoUserGroup, existingUser);
+        }
+
         // User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create
         // as the setting is applied to the BackOfficeIdentityOptions, but we need to check ourselves for updates.
         var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;
diff --git a/tests/Umbraco.Tests.AcceptanceTest/tests/DefaultConfig/Users/User.spec.ts b/tests/Umbraco.Tests.AcceptanceTest/tests/DefaultConfig/Users/User.spec.ts
@@ -642,4 +642,4 @@ test.skip('cannot remove all user group from a user', {tag: '@release'}, async (
 
   // Assert
   await umbracoUi.user.isErrorNotificationVisible();
-});
+});
diff --git a/tests/Umbraco.Tests.Integration/Umbraco.Core/Services/UserServiceCrudTests.Update.cs b/tests/Umbraco.Tests.Integration/Umbraco.Core/Services/UserServiceCrudTests.Update.cs
@@ -151,7 +151,21 @@ public async Task Can_Update_User_Name()
             Assert.AreEqual(email, updatedUser.Email);
             Assert.AreEqual(name, updatedUser.Name);
         });
+    }
+
+    [Test]
+    public async Task Cannot_Update_User_To_Have_No_Groups()
+    {
+        var userService = CreateUserService(securitySettings: new SecuritySettings { UsernameIsEmail = false });
 
+        var (updateModel, createdUser) = await CreateUserForUpdate(userService);
+
+        updateModel.UserGroupKeys.Clear();
+
+        var updateAttempt = await userService.UpdateAsync(Constants.Security.SuperUserKey, updateModel);
+
+        Assert.IsFalse(updateAttempt.Success);
+        Assert.AreEqual(UserOperationStatus.NoUserGroup, updateAttempt.Status);
     }
 
     [Test]

Original file line number	Diff line number	Diff line change
`@@ -883,7 +883,7 @@ private async Task<UserOperationStatus> ValidateUserCreateModel(UserCreateModel`
`883`	`883`	`return UserOperationStatus.DuplicateUserName;`
`884`	`884`	`}`
`885`	`885`
`886`		`- if(model.UserGroupKeys.Count == 0)`
	`886`	`+ if (model.UserGroupKeys.Count == 0)`
`887`	`887`	`{`
`888`	`888`	`return UserOperationStatus.NoUserGroup;`
`889`	`889`	`}`
`@@ -912,6 +912,13 @@ private async Task<UserOperationStatus> ValidateUserCreateModel(UserCreateModel`
`912`	`912`	`return Attempt.FailWithStatus<IUser?, UserOperationStatus>(UserOperationStatus.MissingUser, existingUser);`
`913`	`913`	`}`
`914`	`914`
	`915`	`+ // A user must remain assigned to at least one group.`
	`916`	`+ if (model.UserGroupKeys.Count == 0)`
	`917`	`+ {`
	`918`	`+ scope.Complete();`
	`919`	`+ return Attempt.FailWithStatus<IUser?, UserOperationStatus>(UserOperationStatus.NoUserGroup, existingUser);`
	`920`	`+ }`
	`921`	`+`
`915`	`922`	`// User names can only contain the configured allowed characters. This is validated by ASP.NET Identity on create`
`916`	`923`	`// as the setting is applied to the BackOfficeIdentityOptions, but we need to check ourselves for updates.`
`917`	`924`	`var allowedUserNameCharacters = _securitySettings.AllowedUserNameCharacters;`