sources: prevent deletion of built-in source

authentik/core/api/sources.py

@@ -5,6 +5,7 @@
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
@@ -154,6 +155,17 @@
             matching_sources.append(source_settings.validated_data)
         return Response(matching_sources)
 
+    def destroy(self, request: Request, *args, **kwargs):
+        """Prevent deletion of built-in sources"""
+        instance = self.get_object()
+
+        if instance.slug.startswith("authentik-built-in"):
+            raise ValidationError(
+                {"detail": "Built-in sources cannot be deleted"}, code="protected"
+            )
+
+        return super().destroy(request, *args, **kwargs)
+
 
 class UserSourceConnectionSerializer(SourceSerializer):
     """User source connection"""

web/src/admin/sources/SourceListPage.ts

@@ -57,10 +57,13 @@ export class SourceListPage extends TablePage<Source> {
     }
 
     renderToolbarSelected(): TemplateResult {
-        const disabled = this.selectedElements.length < 1;
+        const disabled =
+            this.selectedElements.length < 1 ||
+            this.selectedElements.some((item) => item.component === "");
+        const nonBuiltInSources = this.selectedElements.filter((item) => item.component !== "");
         return html`<ak-forms-delete-bulk
             objectLabel=${msg("Source(s)")}
-            .objects=${this.selectedElements}
+            .objects=${nonBuiltInSources}
             .usedBy=${(item: Source) => {
                 return new SourcesApi(DEFAULT_CONFIG).sourcesAllUsedByList({
                     slug: item.slug,