fix: protect default and zitadel project org from remove (#4875)

internal/command/main_test.go

@@ -234,7 +234,7 @@ func (m *mockInstance) DefaultLanguage() language.Tag {
 }
 
 func (m *mockInstance) DefaultOrganisationID() string {
-	return "orgID"
+	return "defaultOrgID"
 }
 
 func (m *mockInstance) RequestedDomain() string {

internal/command/org.go

@@ -314,6 +314,19 @@ func (c *Commands) RemoveOrg(ctx context.Context, id string) (*domain.ObjectDeta
 func (c *Commands) prepareRemoveOrg(a *org.Aggregate) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
+			instance := authz.GetInstance(ctx)
+			if a.ID == instance.DefaultOrganisationID() {
+				return nil, errors.ThrowPreconditionFailed(nil, "COMMA-wG9p1", "Errors.Org.DefaultOrgNotDeletable")
+			}
+			err := c.checkProjectExists(ctx, instance.ProjectID(), a.ID)
+			// if there is no error, the ZITADEL project was found on the org to be deleted
+			if err == nil {
+				return nil, errors.ThrowPreconditionFailed(err, "COMMA-AF3JW", "Errors.Org.ZitadelOrgNotDeletable")
+			}
+			// "precondition failed" error means the project does not exist, return other errors
+			if !errors.IsPreconditionFailed(err) {
+				return nil, err
+			}
 			writeModel, err := c.getOrgWriteModelByID(ctx, a.ID)
 			if err != nil {
 				return nil, errors.ThrowPreconditionFailed(err, "COMMA-wG9p1", "Errors.Org.NotFound")

internal/command/org_test.go

@@ -1026,11 +1026,53 @@ func TestCommandSide_RemoveOrg(t *testing.T) {
 		args   args
 		res    res
 	}{
+		{
+			name: "default org, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:   authz.WithInstance(context.Background(), &mockInstance{}),
+				orgID: "defaultOrgID",
+			},
+			res: res{
+				err: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "zitadel org, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							project.NewProjectAddedEvent(context.Background(),
+								&project.NewAggregate("projectID", "org1").Aggregate,
+								"ZITADEL",
+								false,
+								false,
+								false,
+								domain.PrivateLabelingSettingUnspecified,
+							),
+						)),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+			},
+			res: res{
+				err: errors.IsPreconditionFailed,
+			},
+		},
 		{
 			name: "org not found, error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(), // zitadel project check
 					expectFilter(),
 				),
 			},
@@ -1047,6 +1089,7 @@ func TestCommandSide_RemoveOrg(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(), // zitadel project check
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),
@@ -1074,6 +1117,7 @@ func TestCommandSide_RemoveOrg(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(), // zitadel project check
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),
@@ -1121,6 +1165,7 @@ func TestCommandSide_RemoveOrg(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(), // zitadel project check
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),
@@ -1165,6 +1210,7 @@ func TestCommandSide_RemoveOrg(t *testing.T) {
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(), // zitadel project check
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),