GDPR15A (OpenUserJS#1658)

* Suspend removals on reserved. This can obviously be overridden with Admin+ by elevating the account... just a precaution. Post OpenUserJS#1657 df4ec36 *(missed increment of GDPR14 i.e. should have been 15)* Auto-merge
Martii · Aug 19, 2019 · f4389bc · f4389bc
1 parent df4ec36
commit f4389bc
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/libs/remove.js b/libs/remove.js
@@ -31,8 +31,12 @@ function removeable(aModel, aContent, aUser, aCallback) {
 
   // You can't remove yourself
   // You can only remove a remove a user with a lesser role than yourself
+  //   except a reserved account
   if (aModel.modelName === 'User') {
-    aCallback(aContent._id != aUser._id && aContent.role > aUser.role, aContent);
+    aCallback(
+      aContent._id != aUser._id && aContent.role > aUser.role && aContent.role !== 6,
+        aContent
+    );
     return;
   }
 
@@ -53,7 +57,8 @@ function removeable(aModel, aContent, aUser, aCallback) {
     }
 
     // You can only remove content by an author with a lesser user role
-    aCallback(aAuthor.role > aUser.role, aAuthor);
+    //   except a reserved account
+    aCallback(aAuthor.role > aUser.role && aAuthor.role !== 6, aAuthor);
   });
 }
 exports.removeable = removeable;