Allow workspace admins to remove comments (#5270)

server/policies/comment.ts

@@ -12,5 +12,9 @@ allow(User, ["read", "update", "delete"], Comment, (user, comment) => {
   if (!comment) {
     return false;
   }
-  return user?.id === comment.createdById;
+  if (user.teamId !== comment.createdBy.teamId) {
+    return false;
+  }
+
+  return user.isAdmin || user?.id === comment.createdById;
 });

server/routes/api/comments/comments.ts

@@ -1,5 +1,4 @@
 import Router from "koa-router";
-import { Transaction } from "sequelize";
 import commentCreator from "@server/commands/commentCreator";
 import commentDestroyer from "@server/commands/commentDestroyer";
 import commentUpdater from "@server/commands/commentUpdater";
@@ -122,9 +121,8 @@ router.post(
     const { user } = ctx.state.auth;
     const { transaction } = ctx.state;
 
-    const comment = await Comment.unscoped().findByPk(id, {
+    const comment = await Comment.findByPk(id, {
       transaction,
-      lock: Transaction.LOCK.UPDATE,
     });
     authorize(user, "delete", comment);