From 0bffd3d93cd8a6f286d3a796ec0448c38d57b526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?= Date: Mon, 23 Jan 2023 11:40:17 -0500 Subject: [PATCH] fix: #11195, allow users with admin:users privilege to delete users in acp --- src/api/users.js | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/api/users.js b/src/api/users.js index c23f2c04d6..e0382c95cd 100644 --- a/src/api/users.js +++ b/src/api/users.js @@ -307,18 +307,17 @@ async function isPrivilegedOrSelfAndPasswordMatch(caller, data) { async function processDeletion({ uid, method, password, caller }) { const isTargetAdmin = await user.isAdministrator(uid); const isSelf = parseInt(uid, 10) === parseInt(caller.uid, 10); - const isAdmin = await user.isAdministrator(caller.uid); + const hasAdminPrivilege = await privileges.admin.can('admin:users', caller.uid); if (isSelf && meta.config.allowAccountDelete !== 1) { throw new Error('[[error:account-deletion-disabled]]'); - } else if (!isSelf && !isAdmin) { + } else if (!isSelf && !hasAdminPrivilege) { throw new Error('[[error:no-privileges]]'); } else if (isTargetAdmin) { throw new Error('[[error:cant-delete-admin]'); } // Privilege checks -- only deleteAccount is available for non-admins - const hasAdminPrivilege = await privileges.admin.can('admin:users', caller.uid); if (!hasAdminPrivilege && ['delete', 'deleteContent'].includes(method)) { throw new Error('[[error:no-privileges]]'); }