Skip to content

fix(cli): ensure first user created via CLI is admin#6155

Merged
gustavosbarreto merged 1 commit into
masterfrom
fix/first-user-cli-admin
Apr 10, 2026
Merged

fix(cli): ensure first user created via CLI is admin#6155
gustavosbarreto merged 1 commit into
masterfrom
fix/first-user-cli-admin

Conversation

@geovannewashington

@geovannewashington geovannewashington commented Apr 9, 2026

Copy link
Copy Markdown
Member

What changed

The CLI now ensures that the first user created is automatically granted admin privileges, even when the --admin flag is not used.

Why

Previously, admin privileges were only assigned when the --admin flag was explicitly provided. This created an inconsistency with the API setup endpoint, which automatically promotes the first user to admin.

This change aligns the CLI behavior with the API and prevents misconfiguration during initial system setup.

How to test

  1. Start the environment with make start
  2. Remove the database volume to ensure a clean state
  3. Run ./bin/cli user create <username> <password> <email>
  4. Run ./bin/cli user list
  5. Verify that the created user has the role "admin"

Fixes #6153

@geovannewashington geovannewashington self-assigned this Apr 9, 2026
@geovannewashington geovannewashington requested a review from a team as a code owner April 9, 2026 20:43
@github-actions

github-actions Bot commented Apr 9, 2026
edited
Loading

Copy link
Copy Markdown

Claude finished @geovannewashington's task in 5m 53s —— View job

Code Review Complete

Reviewed 1 file. 1 inline issue posted (1 critical).

The production code logic (Admin: input.Admin || !system.Setup) is correct and properly aligns the CLI with the API's setup behavior. However, the unit tests in cli/services/users_test.go were not updated to reflect the new call order and admin-promotion logic, and will fail.

Summary of test breakage

The SystemGet call was moved from after UserCreate to before it, changing the mock expectations needed. Two existing test cases will fail:

  • "fails creates a user" — missing SystemGet mock entirely (will panic on unexpected call)
  • "successfully creates a user" — expects Admin: false but the new logic produces Admin: true when Setup is false

See the inline comment for detailed fix instructions.

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

github-actions[bot]
github-actions Bot reviewed Apr 9, 2026
View reviewed changes
Comment thread cli/services/users.go
@geovannewashington geovannewashington force-pushed the fix/first-user-cli-admin branch from b1c801c to 6659e25 Compare April 9, 2026 21:09
@gustavosbarreto

gustavosbarreto commented Apr 9, 2026

Copy link
Copy Markdown
Member

/review

@github-actions

github-actions Bot commented Apr 9, 2026
edited
Loading

Copy link
Copy Markdown

Claude finished @gustavosbarreto's task in 3m 5s —— View job

Code Review Complete

Reviewed 2 files. 1 inline issue posted (1 critical).

The production code logic (Admin: input.Admin || !system.Setup) is correct and properly aligns the CLI with the API's setup behavior. However, the test suite still lacks coverage for the Setup: true path — the scenario where a user is created after initial setup and should not be auto-promoted to admin. All existing tests use Setup: false, so a regression removing the guard would go undetected.

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

github-actions[bot]
github-actions Bot reviewed Apr 9, 2026
View reviewed changes
Comment thread cli/services/users_test.go
@geovannewashington geovannewashington force-pushed the fix/first-user-cli-admin branch from 6659e25 to 29d2c85 Compare April 10, 2026 11:58
@gustavosbarreto

gustavosbarreto commented Apr 10, 2026

Copy link
Copy Markdown
Member

/review

@github-actions

github-actions Bot commented Apr 10, 2026
edited
Loading

Copy link
Copy Markdown

Claude finished @gustavosbarreto's task in 2m 0s —— View job

Code Review Complete

Reviewed 2 files. 1 inline issue posted (1 critical).

The production code logic (Admin: input.Admin || !system.Setup) is correct and properly aligns the CLI with the API's setup behavior. The previous review feedback has been addressed — tests now cover both Setup: false (auto-promote) and Setup: true (no auto-promote) paths.

However, the SystemGet error fallback now has a privilege escalation implication it didn't have before (see inline comment).

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

github-actions[bot]
github-actions Bot reviewed Apr 10, 2026
View reviewed changes
Comment thread cli/services/users.go
@geovannewashington
fix(cli): ensure first user created via CLI is admin
be6cc41 
Ensure the first user created via CLI is automatically promoted
to admin, matching the behavior of the API setup endpoint.

Previously, admin privileges were only assigned when the
--admin flag was explicitly provided, which caused an
inconsistency between CLI and API flows.

This change checks the system setup state before user creation
and forces admin privileges when the system is not yet
initialized.

The logic is implemented in the service layer to guarantee
consistent behavior across all entry points.
@geovannewashington geovannewashington force-pushed the fix/first-user-cli-admin branch from 29d2c85 to be6cc41 Compare April 10, 2026 12:48
@gustavosbarreto

gustavosbarreto commented Apr 10, 2026

Copy link
Copy Markdown
Member

/review

@github-actions

github-actions Bot commented Apr 10, 2026
edited
Loading

Copy link
Copy Markdown

Claude finished @gustavosbarreto's task in 3m 3s —— View job

Code Review Complete

Reviewed 2 files across code quality, security, testing, language patterns, and architecture — no issues found. The code looks good as-is.

The production code logic (Admin: input.Admin || !system.Setup) is correct and properly aligns the CLI with the API's setup behavior. The previous review feedback has been fully addressed:

  • Tests now cover both Setup: false (auto-promote first user) and Setup: true (no auto-promote) paths
  • The SystemGet error fallback conservatively defaults to Setup: true, preventing unintended privilege escalation during infrastructure failures (as suggested in review build(deps): bump mixin-deep from 1.3.1 to 1.3.2 in /ui #3)

If you push additional changes and want a new review, tag @shellhub-io/admin and a team member can trigger it.

View job

@gustavosbarreto gustavosbarreto merged commit c65767c into master Apr 10, 2026
12 checks passed
@gustavosbarreto gustavosbarreto deleted the fix/first-user-cli-admin branch April 10, 2026 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

@geovannewashington geovannewashington

Labels

area/cli

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cli: auto-promote first user to admin

2 participants

@geovannewashington @gustavosbarreto