nick-doc/Issues/ISSUE-033-admin-can-delete-other-admin-accounts-via-new-controller-leg.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| Field | Value |
|---|---|
| issue | 033 |
| title | Admin can delete other admin accounts via new controller — legacy admin-on-admin protection does not apply |
| severity | major |
| domain | User Management |
| labels | security, bug, backend, major, privilege-escalation |
| status | resolved |
| resolved | 2026-05-29 |
| fix | Added pre-flight check in userController.deleteUser — looks up target user and returns 403 CANNOT_DELETE_ADMIN if role is 'admin'. |
| status | open |
| created | 2026-05-29 |
| source | Doc vs Code Audit 2026-05-29 |

# 🟠 Admin can delete other admin accounts via new controller — legacy admin-on-admin protection does not apply

Severity: major Domain: User Management Labels: security, bug, backend, major, privilege-escalation

## Description

The new controller (DELETE /api/user/admin/:userId) only blocks self-deletion; it does not prevent an admin from deleting other admin accounts. The legacy route (DELETE /api/users/admin/:userId) does block admin-on-admin deletion, so the two routes have divergent authorization logic.

## Current Behavior

An admin can delete other admin accounts via the new controller endpoint without a 403 error.

## Expected Behavior

DELETE /api/user/admin/:userId should check whether the target user has role=admin and, if so, return 403 (matching the legacy route's behavior).
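As an added illustration (not the project's code), the two authorization shapes described above modelled in TypeScript over an in-memory store: the self-deletion-only check of the new controller, and the pre-flight target lookup that returns 403 CANNOT_DELETE_ADMIN. The function names, the sample ids, and the 400/404 responses for self-deletion and unknown users are assumptions.

```typescript
// Added example, not the project's code: the authorization logic of the two
// DELETE routes described in the issue, modelled as plain functions over an
// in-memory store so the divergence and the fix can be exercised offline.
type Role = "admin" | "user";
interface User { id: string; role: Role; }
type Store = Map<string, User>;
type Result = { status: number; code: string };

// Constructed sample data; ids and roles are hypothetical.
function sampleUsers(): Store {
  return new Map<string, User>([
    ["a1", { id: "a1", role: "admin" }],
    ["a2", { id: "a2", role: "admin" }],
    ["u1", { id: "u1", role: "user" }],
  ]);
}

// Vulnerable shape of the new controller: only self-deletion is refused, so an
// admin may delete any other account, including another admin.
// (The 400/404 responses are assumptions; the issue only says self-deletion is blocked.)
function deleteUserBefore(store: Store, requesterId: string, targetId: string): Result {
  if (requesterId === targetId) return { status: 400, code: "CANNOT_DELETE_SELF" };
  if (!store.has(targetId)) return { status: 404, code: "USER_NOT_FOUND" };
  store.delete(targetId);
  return { status: 200, code: "DELETED" };
}

// Fixed shape: look the target up first and refuse with 403 CANNOT_DELETE_ADMIN
// when it is an admin, matching the legacy route. The check runs before any
// state change, so a refused request leaves the store untouched.
function deleteUserAfter(store: Store, requesterId: string, targetId: string): Result {
  if (requesterId === targetId) return { status: 400, code: "CANNOT_DELETE_SELF" };
  const target = store.get(targetId);
  if (!target) return { status: 404, code: "USER_NOT_FOUND" };
  if (target.role === "admin") return { status: 403, code: "CANNOT_DELETE_ADMIN" };
  store.delete(targetId);
  return { status: 200, code: "DELETED" };
}
```

A regression test for the route should assert both the 403 and that the admin row still exists afterwards, since a handler that deletes first and checks later would pass a status-only check.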

## Affected Files

- backend/src/controllers/userController.ts

## References