server/projects/strict_collaborator_management: fix invalidated use o…

…f cached values and add test
sagemathinc · haraldschilly · Dec 3, 2025 · Dec 11, 2025 · Dec 11, 2025 · Dec 11, 2025
commit ecc4be46597178de20013f3e5fe2782c6ab69478
diff --git a/src/packages/server/projects/manage-users-owner-only.test.ts b/src/packages/server/projects/manage-users-owner-only.test.ts
@@ -3,18 +3,19 @@
  *  License: MS-RSL – see LICENSE.md for details
  */
 
-import { callback2 } from "@cocalc/util/async-utils";
-import { uuid } from "@cocalc/util/misc";
 import { db } from "@cocalc/database";
 import getPool, { initEphemeralDatabase } from "@cocalc/database/pool";
+import { resetServerSettingsCache } from "@cocalc/database/settings/server-settings";
+import userQuery from "@cocalc/database/user-query";
 import createAccount from "@cocalc/server/accounts/create-account";
-import createProject from "@cocalc/server/projects/create";
 import {
   addCollaborator,
   changeUserType,
   removeCollaborator,
 } from "@cocalc/server/projects/collaborators";
-import { resetServerSettingsCache } from "@cocalc/database/settings/server-settings";
+import createProject from "@cocalc/server/projects/create";
+import { callback2 } from "@cocalc/util/async-utils";
+import { uuid } from "@cocalc/util/misc";
 
 async function setSiteStrictCollab(value: "yes" | "no") {
   await callback2(db().set_server_setting, {
@@ -289,6 +290,22 @@ describe("strict collaborator management site setting", () => {
     );
   });
 
+  test("owner cannot disable manage_users_owner_only when site enforcement is on", async () => {
+    await expect(
+      userQuery({
+        account_id: ownerId,
+        query: {
+          projects: {
+            project_id: projectId,
+            manage_users_owner_only: false,
+          },
+        },
+      }),
+    ).rejects.toMatch(
+      "Collaborator management is enforced by the site administrator and cannot be disabled.",
+    );
+  });
+
   test("owner can remove non-owner collaborators when site enforcement is on", async () => {
     await expect(
       removeCollaborator({

diff --git a/src/packages/util/db-schema/projects.ts b/src/packages/util/db-schema/projects.ts
@@ -11,13 +11,13 @@ import {
   ExecuteCodeOptionsAsyncGet,
   ExecuteCodeOutput,
 } from "@cocalc/util/types/execute-code";
-import { callback2 } from "@cocalc/util/async-utils";
 import { DEFAULT_QUOTAS } from "@cocalc/util/upgrade-spec";
 import { isUserGroup } from "@cocalc/util/project-ownership";
 
 import { NOTES } from "./crm";
 import { FALLBACK_COMPUTE_IMAGE } from "./defaults";
 import { SCHEMA as schema } from "./index";
+import { callback2 } from "@cocalc/util/async-utils";
 import { Table } from "./types";
 
 export const MAX_FILENAME_SEARCH_RESULTS = 100;
@@ -141,9 +141,8 @@ Table({
               }
 
               const siteSettings =
-                (await callback2(db.get_site_settings, {})) ?? {};
-              const siteEnforced =
-                siteSettings.strict_collaborator_management === true;
+                (await callback2(db.get_server_settings_cached, {})) ?? {};
+              const siteEnforced = !!siteSettings.strict_collaborator_management;
               if (siteEnforced && obj.manage_users_owner_only !== true) {
                 throw Error(
                   "Collaborator management is enforced by the site administrator and cannot be disabled.",