From 1244b2103943e0a0ade0719036ae39baaf6c47b5 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 30 Jul 2025 10:05:51 -0500
Subject: Implement revocation of `system-administrator` role.
---
 gn_auth/auth/authorisation/users/admin/models.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/gn_auth/auth/authorisation/users/admin/models.py b/gn_auth/auth/authorisation/users/admin/models.py
index 03a027e..3543dac 100644
--- a/gn_auth/auth/authorisation/users/admin/models.py
+++ b/gn_auth/auth/authorisation/users/admin/models.py
@@ -46,3 +46,10 @@ def make_sys_admin(cursor: db.DbCursor, user: User) -> User:
 f"The function `{__name__}.make_sys_admin` will be removed soon"),
 stacklevel=1)
 return grant_sysadmin_role(cursor, user)
+
+
+def revoke_sysadmin_role(conn: db.DbConnection, user: User) -> User:
+ """Revoke `system-administrator` role from `user`."""
+ with db.cursor(conn) as cursor:
+ cursor.execute("DELETE FROM user_roles WHERE user_id=? AND role_id=?",
+ (str(user.user_id), str(sysadmin_role(conn).role_id)))
--
cgit 1.4.1
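Review bot: `revoke_sysadmin_role` is annotated `-> User`, but as far as the hunk shows the body ends at `cursor.execute(...)` with no `return`, so callers get `None`. Either add `return user` after the `with` block or change the annotation to `-> None`. The parameterised `DELETE` is fine, but nothing tells the caller whether a row was actually removed. For a privilege-revocation path it would help to check the cursor's affected-row count (assuming `db.cursor` yields a DB-API cursor) and report a no-op distinctly. Nothing visible here stops the last remaining `system-administrator` from being revoked, so the docstring should say whether that guard lives in the caller, e.g. `"""Revoke `system-administrator` role from `user`; caller must ensure at least one admin remains."""`.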