From 10f6edeb68db4eb15288c1261c4f7bd68638bcd5 Mon Sep 17 00:00:00 2001
From: Tikhon Petrishchev <41113186+tikhonp@users.noreply.github.com>
Date: Sun, 18 Jan 2026 09:30:23 +0300
Subject: [PATCH] Fix: list index out of range when trying to unset admin role
 (#432)

---
 src/swingmusic/api/auth.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/swingmusic/api/auth.py b/src/swingmusic/api/auth.py
index 5a4c148f..77f36ee9 100644
--- a/src/swingmusic/api/auth.py
+++ b/src/swingmusic/api/auth.py
@@ -173,7 +173,7 @@ def update_profile(body: UpdateProfileBody):
         if "admin" not in current_user["roles"]:
             return {"msg": "Only admins can update roles"}, 403
 
-        all_users = UserTable.get_all()
+        all_users = list(UserTable.get_all())
         if "admin" not in body.roles:
             # check if we're removing the last admin
             admins = [user for user in all_users if "admin" in user.roles]
@@ -186,15 +186,18 @@ def update_profile(body: UpdateProfileBody):
         if "guest" in _user.roles:
             return {"msg": "Cannot update guest user"}, 400
 
-        # finally, convert roles to json string
-        user["roles"] = body.roles
-
     if user["password"]:
         user["password"] = hash_password(user["password"])
 
     # remove empty values
     clean_user = {k: v for k, v in user.items() if v}
 
+    # finally, convert roles to json string
+    # doing it here to prevent deleting roles from clean user 
+    # when body.roles is an empty list
+    if body.roles is not None:
+        clean_user["roles"] = body.roles
+
     try:
         # return authdb.update_user(clean_user)
         UserTable.update_one(clean_user)