---
issue: 033
title: "Admin can delete other admin accounts via new controller — legacy admin-on-admin protection does not apply"
severity: major
domain: User Management
labels: [security, bug, backend, major, privilege-escalation]
status: resolved
resolved: 2026-05-29
fix: "Added pre-flight check in userController.deleteUser — looks up target user and returns 403 CANNOT_DELETE_ADMIN if role is 'admin'."
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 Admin can delete other admin accounts via new controller — legacy admin-on-admin protection does not apply

**Severity:** major
**Domain:** User Management
**Labels:** security, bug, backend, major, privilege-escalation

## Description

The new controller (`DELETE /api/user/admin/:userId`) only blocks self-deletion. It does not prevent an admin from deleting other admin accounts. The legacy route (`DELETE /api/users/admin/:userId`) blocks admin-on-admin deletion. The two routes therefore have divergent authorization logic.

## Current Behavior

An admin can delete other admin accounts via the new controller endpoint without receiving a 403 error.

## Expected Behavior

`DELETE /api/user/admin/:userId` should check whether the target user has `role=admin` and return 403 (matching the legacy route's behavior).

## Affected Files

- `backend/src/controllers/userController.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
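The authorization gap described above, shown as an added example rather than the project's own `userController.deleteUser`: the first function has the new controller's original shape (self-deletion is the only check), the second adds the pre-flight role lookup from the fix and returns `403 CANNOT_DELETE_ADMIN`. The in-memory user store, the `User` shape, the `CANNOT_DELETE_SELF` / `USER_NOT_FOUND` codes and the `{ status, code }` return value are assumptions made for the example.

```typescript
// Added example, not code from the project. The store, User shape and
// result codes other than CANNOT_DELETE_ADMIN are assumptions.
type Role = "admin" | "user";
interface User { id: string; role: Role }
interface DeleteResult { status: number; code: string }

// Constructed sample data standing in for the database; a fresh copy per
// call so that one deletion does not affect the next scenario.
function makeStore(): Map<string, User> {
  return new Map<string, User>([
    ["a1", { id: "a1", role: "admin" }],
    ["a2", { id: "a2", role: "admin" }],
    ["u1", { id: "u1", role: "user" }],
  ]);
}

// Shape of the new controller before the fix: the only authorization
// check is "you may not delete yourself", so admin-on-admin goes through.
function deleteUserBefore(users: Map<string, User>, actorId: string, targetId: string): DeleteResult {
  if (actorId === targetId) return { status: 403, code: "CANNOT_DELETE_SELF" };
  if (!users.has(targetId)) return { status: 404, code: "USER_NOT_FOUND" };
  users.delete(targetId);
  return { status: 200, code: "DELETED" };
}

// After the fix: look the target up first and refuse to delete any admin,
// matching the legacy route. The role check runs before any mutation.
function deleteUserAfter(users: Map<string, User>, actorId: string, targetId: string): DeleteResult {
  if (actorId === targetId) return { status: 403, code: "CANNOT_DELETE_SELF" };
  const target = users.get(targetId);
  if (!target) return { status: 404, code: "USER_NOT_FOUND" };
  if (target.role === "admin") return { status: 403, code: "CANNOT_DELETE_ADMIN" };
  users.delete(targetId);
  return { status: 200, code: "DELETED" };
}
```

Running `deleteUserBefore(makeStore(), "a1", "a2")` succeeds with 200 and removes the second admin; the same call through `deleteUserAfter` returns 403 `CANNOT_DELETE_ADMIN` and leaves the store untouched.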