cds-snc · smcmurtry · Feb 5, 2025 · Feb 5, 2025
diff --git a/app/dao/permissions_dao.py b/app/dao/permissions_dao.py
@@ -67,5 +67,9 @@ def get_permissions_by_user_id_and_service_id(self, user_id, service_id):
             self.Meta.model.query.filter_by(user_id=user_id).join(Permission.service).filter_by(active=True, id=service_id).all()
         )
 
+    def get_team_members_with_permission(self, service_id, permission):
+        permission_objs = self.Meta.model.query.filter_by(service_id=service_id, permission=permission).join(Permission.user).filter_by(state="active").all()
+        return [p.user for p in permission_objs]
+
 
 permission_dao = PermissionDAO()
diff --git a/app/dao/users_dao.py b/app/dao/users_dao.py
@@ -104,7 +104,7 @@ def verify_within_time(user, age=timedelta(seconds=30)):
     return query.count()
 
 
-def get_user_by_id(user_id=None):
+def get_user_by_id(user_id=None) -> User:
     if user_id:
         return User.query.filter_by(id=user_id).one()
     return User.query.filter_by().all()

diff --git a/app/models.py b/app/models.py
@@ -645,6 +645,12 @@
             "research_mode": self.research_mode,
         }
 
+    def get_users_with_permission(self, permission):
+        from app.dao.permissions_dao import permission_dao
+
+        if permission:
+            return permission_dao.get_team_members_with_permission(self.id, permission)
+        return []
 
 class AnnualBilling(BaseModel):
     __tablename__ = "annual_billing"

diff --git a/app/service/rest.py b/app/service/rest.py
@@ -90,6 +90,7 @@
     EMAIL_TYPE,
     KEY_TYPE_NORMAL,
     LETTER_TYPE,
+    MANAGE_SETTINGS,
     NOTIFICATION_CANCELLED,
     SMS_TYPE,
     EmailBranding,
@@ -490,6 +491,8 @@ def add_user_to_service(service_id, user_id):
 def remove_user_from_service(service_id, user_id):
     service = dao_fetch_service_by_id(service_id)
     user = get_user_by_id(user_id=user_id)
+    users_with_manage_settings_perm = service.get_users_with_permission(MANAGE_SETTINGS)
+
     if user not in service.users:
         error = "User not found"
         raise InvalidRequest(error, status_code=404)
@@ -498,6 +501,14 @@ def remove_user_from_service(service_id, user_id):
         error = "You cannot remove the only user for a service"
         raise InvalidRequest(error, status_code=400)
 
+    elif len(service.users) == 2:
+        error = "SERVICE_CANNOT_HAVE_LT_2_MEMBERS"
+        raise InvalidRequest(error, status_code=400)
+
+    elif user in users_with_manage_settings_perm and len(users_with_manage_settings_perm) <= 1:
+        error = "SERVICE_NEEDS_USER_W_MANAGE_SETTINGS_PERM"
+        raise InvalidRequest(error, status_code=400)
+
     dao_remove_user_from_service(service, user)
 
     if current_app.config["FF_SALESFORCE_CONTACT"]: