From a06d6c56e6be7958e0556cc9c4e429d28307bc57 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 8 Mar 2026 23:50:09 -0700
Subject: [PATCH] fix: validate members/policies before deleting group in admin handler

AdminServer.DeleteGroup now checks for attached members and policies before delegating to credentialManager, matching the IAM handler guards.
---
 weed/admin/dash/group_management.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/weed/admin/dash/group_management.go b/weed/admin/dash/group_management.go
index c95fe16f1..155027e78 100644
--- a/weed/admin/dash/group_management.go
+++ b/weed/admin/dash/group_management.go
@@ -102,6 +102,17 @@ func (s *AdminServer) DeleteGroup(ctx context.Context, name string) error {
 if s.credentialManager == nil {
 return fmt.Errorf("credential manager not available")
 }
+ // Check for members and attached policies before deleting (same guards as IAM handlers)
+ g, err := s.credentialManager.GetGroup(ctx, name)
+ if err != nil {
+ return fmt.Errorf("failed to get group: %w", err)
+ }
+ if len(g.Members) > 0 {
+ return fmt.Errorf("cannot delete group %s: group has %d member(s)", name, len(g.Members))
+ }
+ if len(g.PolicyNames) > 0 {
+ return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies)", name, len(g.PolicyNames))
+ }
 if err := s.credentialManager.DeleteGroup(ctx, name); err != nil {
 return fmt.Errorf("failed to delete group: %w", err)
 }
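Review bot: The new member/policy guard in DeleteGroup is check-then-act: `GetGroup` and `DeleteGroup` are two separate calls on credentialManager, so a member or policy attached in between is silently dropped with the group, and the guard is only best-effort unless the store serializes these calls (not visible in this hunk). Since the comment says the IAM handlers carry the same guards, consider enforcing the emptiness check once inside the credential manager's delete path, under whatever lock or transaction the store uses, instead of repeating it in each caller. Separately, `g` is dereferenced without a nil check; if `GetGroup` can return `nil, nil` for a missing group this would panic, so `if g == nil { return fmt.Errorf("group %s not found", name) }` before the `len(g.Members)` test would be safer. The rest of DeleteGroup lies outside the hunk.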