ldap: Check for deactivating owner role precisely.

Since the invariant we're trying to protect is that every realm has an
active owner, we should check precisely that.

The root bug here, which the parent commit failed to fix properly, is
that we were doing a "greater than" check when we clearly originally
meant a "less than" check -- lower role numbers have more permissions.
Tim Abbott
2021-05-06 10:10:30 -07:00
parent 5db8e43d5c
commit c598a84dd6

@@ -46,7 +46,7 @@ def sync_ldap_user_data(
is_bot=False,
is_active=True,
realm__string_id=string_id,
role__gte=UserProfile.ROLE_REALM_OWNER,
role=UserProfile.ROLE_REALM_OWNER,
).exists():
error_msg = (
"Ldap sync would have deactivated all owners of realm %s. "
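Review bot: The switch from `role__gte=UserProfile.ROLE_REALM_OWNER` to `role=UserProfile.ROLE_REALM_OWNER` in the `.exists()` filter has no regression test visible alongside it for the case the old filter let through. Because lower role numbers carry more permissions, `role__gte` matched the owner role and every role with a higher number, so the guard passed whenever any active non-bot user remained in the realm, even with every owner deactivated. Please add a test that runs the sync against a realm whose only remaining active non-bot users are non-owners and asserts that the "would have deactivated all owners" error is raised. A short comment beside the filter stating the invariant (every realm keeps at least one active, non-bot owner) would also help keep a later edit from loosening the comparison again. Minor: the message string spells the protocol "Ldap"; "LDAP" is the usual spelling.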