From 80c9bb47960df4e3353e5401bda0fa9ff2783b33 Mon Sep 17 00:00:00 2001
From: Niklas Wojtkowiak <niklas@wojtkowiak.com>
Date: Tue, 24 Feb 2026 11:19:41 -0500
Subject: [PATCH] fix(rooms): prevent removing admin room alias

Only the server user can now remove the #admins alias, matching the
existing check for setting the alias. This prevents users from
accidentally breaking the admin room functionality.

fixes #1408
---
 src/service/rooms/alias/mod.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/service/rooms/alias/mod.rs b/src/service/rooms/alias/mod.rs
index c48330fb..c3470866 100644
--- a/src/service/rooms/alias/mod.rs
+++ b/src/service/rooms/alias/mod.rs
@@ -94,6 +94,12 @@ impl Service {
 
 	#[tracing::instrument(skip(self))]
 	pub async fn remove_alias(&self, alias: &RoomAliasId, user_id: &UserId) -> Result<()> {
+		if alias == self.services.globals.admin_alias
+			&& user_id != self.services.globals.server_user
+		{
+			return Err!(Request(Forbidden("Only the server user can remove this alias")));
+		}
+
 		if !self.user_can_remove_alias(alias, user_id).await? {
 			return Err!(Request(Forbidden("User is not permitted to remove this alias.")));
 		}