Alice has created a new repository `rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji` with only herself as the sole delegate. After Bob has cloned it, let's ensure he can't add himself as a delegate too:

``` ~bob (fail)

$ rad id update --repo rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji --title "Add myself!" --delegate did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk --no-confirm

✗ Error: did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk is not a delegate, and only delegates are allowed to create a revision

✗ Hint: bob (you) is attempting to modify the identity document but isn't a delegate!

```

use crate::terminal::format::Author;

                        update::error::PrivacyAllowList::Overlapping(overlap) =>anyhow::bail!("`--allow` and `--disallow` must not overlap: {overlap:?}"),

                        update::error::PrivacyAllowList::PublicVisibility => return Err(Error::with_hint(

                            "use `--visibility private` to make the repository private, or perhaps you meant to use `--delegate`/`--rescind`")

                        .into())

            let revision = update(

                title,

                description,

                proposal,

                &mut identity,

                &signer,

                &profile,

            )?;

    profile: &Profile,

        let id = current

            .update(title, description, &doc, signer)

            .map_err(|e| on_identity_err(e, profile))?;

fn on_identity_err(e: identity::Error, profile: &Profile) -> anyhow::Error {

    let e = anyhow::Error::from(e);

    e.chain()

        .find_map(|c| c.downcast_ref::<identity::ApplyError>())

        .map(|e| on_apply_err(e, profile))

        .unwrap_or(e)

}

fn on_apply_err(e: &identity::ApplyError, profile: &Profile) -> anyhow::Error {

    match e {

        e @ identity::ApplyError::NonDelegateUnauthorized { author, .. } => {

            let nid = NodeId::from(*author);

            let labels = Author::new(&nid, profile, false).labels();

            Error::with_hint(

                anyhow!(e.to_string()),

                format!(

                    "{} {} is attempting to modify the identity document but isn't a delegate!",

                    labels.0, labels.1

                ),

            )

            .into()

        }

        e => anyhow!(e.to_string()),

    }

}

                .map_err(|e| {

                    Error::with_hint(e, "reset the cache with `rad issue cache` and try again")

    let Some(patch) = patches

        .get(patch_id)

        .map_err(|e| Error::with_hint(e, "reset the cache with `rad patch cache` and try again"))?

        return Err(term::Error::with_hint(

            anyhow!("repository is already public"),

            "to announce the repository to the network, run `rad sync --inventory`",

        )

        return Err(term::Error::with_hint(

            anyhow!("only repositories with a single delegate can be published with this command"),

            "see `rad id --help` to publish repositories with more than one delegate",

        )

            Err(radicle::profile::Error::NotFound(path)) => Err(args::Error::with_hint(

                anyhow::anyhow!("Radicle profile not found in '{}'.", path.display()),

                "To setup your radicle profile, run `rad auth`.",

            )

    WithHint { err: anyhow::Error, hint: String },

}

impl Error {

    pub fn with_hint<E, H>(err: E, hint: H) -> Self

    where

        E: Into<anyhow::Error>,

        H: ToString,

    {

        Self::WithHint {

            err: err.into(),

            hint: hint.to_string(),

        }

    }

            terminal::args::Error::with_hint(e, MIGRATION_HINT).into()

fn rad_id_unauthorized_delegate() {

    let mut environment = Environment::new();

    let alice = environment.node("alice");

    let bob = environment.node("bob");

    let acme = RepoId::from_str("z42hL2jL4XNk6K8oHQaSWfMgCL7ji").unwrap();

    environment.repository(&alice);

    test(

        "examples/rad-init.md",

        environment.work(&alice),

        Some(&alice.home),

        [],

    )

    .unwrap();

    let mut alice = alice.spawn();

    let mut bob = bob.spawn();

    // Alice sets up the seed

    alice.handle.seed(acme, Scope::Followed).unwrap();

    bob.connect(&alice).converge([&alice]);

    bob.rad(

        "clone",

        &[acme.to_string().as_str()],

        environment.work(&bob),

    )

    .unwrap();

    formula(

        &environment.tempdir(),

        "examples/rad-id-unauthorized-delegate.md",

    )

    .unwrap()

    .home(

        "alice",

        environment.work(&alice),

        [("RAD_HOME", alice.home.path().display())],

    )

    .home(

        "bob",

        environment.work(&bob),

        [("RAD_HOME", bob.home.path().display())],

    )

    .run()

    .unwrap();

}

#[test]

    // On Mac OS X and BSD systems `SUN_LEN` is 104 bytes, "distrustful" was causing paths to be

    // 106, and as such this test will error. Renamed to shorter "bad".

    let distrustful = environment.seed("bad");

    #[error("{author} is not a delegate, and only delegates are allowed to {action}")]

    NonDelegateUnauthorized { author: Did, action: String },

}

impl ApplyError {

    fn non_delegate_unauthorized(author: Did, action: &Action) -> Self {

        let action = match action {

            Action::Revision { .. } => "create a revision",

            Action::RevisionEdit { .. } => "edit a revision",

            Action::RevisionAccept { .. } => "accept a revision",

            Action::RevisionReject { .. } => "reject a revision",

            Action::RevisionRedact { .. } => "redact a revision",

        };

        Self::NonDelegateUnauthorized {

            author,

            action: action.to_string(),

        }

    }

        let did = author.into();

        if !current.is_delegate(&did) {

            return Err(ApplyError::non_delegate_unauthorized(did, &action));

        assert_eq!(eve_identity.timeline, vec![a0, a1, a2, e1]);

        assert_eq!(eve_identity.timeline, vec![a0, a1, a2, b1]);