fix: Prevent editors from deleting any comment

Closes #1288

client/src/components/comments/Comments/Item.jsx

@@ -60,15 +60,14 @@ const Item = React.memo(({ id }) => {
       isEditor = boardMembership.role === BoardMembershipRoles.EDITOR;
     }
 
+    const canEditOrDeleteAsMember =
+      isMember &&
+      comment.userId === boardMembership.userId &&
+      (isEditor || boardMembership.canComment);
+
     return {
-      canEdit:
-        isMember &&
-        comment.userId === boardMembership.userId &&
-        (isEditor || boardMembership.canComment),
-      canDelete:
-        isManager ||
-        isEditor ||
-        (isMember && comment.userId === boardMembership.userId && boardMembership.canComment),
+      canEdit: canEditOrDeleteAsMember,
+      canDelete: isManager || canEditOrDeleteAsMember,
     };
   }, shallowEqual);
 

server/api/controllers/comments/delete.js

@@ -44,6 +44,10 @@ module.exports = {
     const isProjectManager = await sails.helpers.users.isProjectManager(currentUser.id, project.id);
 
     if (!isProjectManager) {
+      if (comment.userId !== currentUser.id) {
+        throw Errors.NOT_ENOUGH_RIGHTS;
+      }
+
       const boardMembership = await BoardMembership.qm.getOneByBoardIdAndUserId(
         board.id,
         currentUser.id,
@@ -54,10 +58,6 @@ module.exports = {
       }
 
       if (boardMembership.role !== BoardMembership.Roles.EDITOR) {
-        if (comment.userId !== currentUser.id) {
-          throw Errors.NOT_ENOUGH_RIGHTS;
-        }
-
         if (!boardMembership.canComment) {
           throw Errors.NOT_ENOUGH_RIGHTS;
         }