From bd538133910284b6ba2fd5fd027a98efa0fb4187 Mon Sep 17 00:00:00 2001
From: hanghang zhang
Date: Fri, 22 May 2026 22:25:06 +0100
Subject: [PATCH] fix(cli): set-admin transaction uses isAdmin=true filter (TypeORM rejects empty-where)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/auth/auth.service.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
index 6a23ad5..5052487 100644
--- a/src/auth/auth.service.ts
+++ b/src/auth/auth.service.ts
@@ -226,10 +226,12 @@ export class AuthService {
 if (!target) {
 throw new UnauthorizedException(`user ${email} not found`);
 }
- // Enforce at-most-one-admin: clear every other row first, then set
+ // Enforce at-most-one-admin: clear every existing admin row first
+ // (TypeORM rejects an empty-where update, so target by isAdmin=true
+ // — the no-op cost when no rows match is one cheap query), then set
 // the target. Two UPDATEs in one txn so a peer never sees two admins.
 await this.userRepo.manager.transaction(async (txn) => {
- await txn.update(User, {}, { isAdmin: false });
+ await txn.update(User, { isAdmin: true }, { isAdmin: false });
 await txn.update(User, { id: target.id }, { isAdmin: true });
 });
 await this.audit.write({
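Review bot: The narrowed clear `txn.update(User, { isAdmin: true }, { isAdmin: false })` only touches rows that were already admin when that statement ran, so two overlapping set-admin runs can each demote the old admin and then each promote their own target, leaving two admins. Whether that can happen depends on the database and isolation level, which the hunk does not show (PostgreSQL's default READ COMMITTED would allow it); the comment's "a peer never sees two admins" holds for readers but not for concurrent writers. Where the database supports it, opening the transaction at a stricter level, `await this.userRepo.manager.transaction('SERIALIZABLE', async (txn) => {`, or backing the rule with a partial unique index on the admin flag would make the invariant hold regardless of timing. The comment could also state that at-most-one-admin is enforced only by this code path, e.g. `// NOTE: invariant relies on this txn alone; no DB constraint backs it.` The enclosing method starts and ends outside the hunk.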