From 4dade03c33a7c81704a297d8b55da0419d1556ad Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Thu, 27 Apr 2023 21:34:01 -0400
Subject: [PATCH] Allow workspace admins to remove comments (#5270)
---
 server/policies/comment.ts | 6 +++++-
 server/routes/api/comments/comments.ts | 4 +---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/server/policies/comment.ts b/server/policies/comment.ts
index e339cbc39..c468323e5 100644
--- a/server/policies/comment.ts
+++ b/server/policies/comment.ts
@@ -12,5 +12,9 @@ allow(User, ["read", "update", "delete"], Comment, (user, comment) => {
 if (!comment) {
 return false;
 }
- return user?.id === comment.createdById;
+ if (user.teamId !== comment.createdBy.teamId) {
+ return false;
+ }
+
+ return user.isAdmin || user?.id === comment.createdById;
 });
diff --git a/server/routes/api/comments/comments.ts b/server/routes/api/comments/comments.ts
index 30793e2a2..fd6b388d3 100644
--- a/server/routes/api/comments/comments.ts
+++ b/server/routes/api/comments/comments.ts
@@ -1,5 +1,4 @@
 import Router from "koa-router";
-import { Transaction } from "sequelize";
 import commentCreator from "@server/commands/commentCreator";
 import commentDestroyer from "@server/commands/commentDestroyer";
 import commentUpdater from "@server/commands/commentUpdater";
@@ -122,9 +121,8 @@ router.post(
 const { user } = ctx.state.auth;
 const { transaction } = ctx.state;
 
- const comment = await Comment.unscoped().findByPk(id, {
+ const comment = await Comment.findByPk(id, {
 transaction,
- lock: Transaction.LOCK.UPDATE,
 });
 authorize(user, "delete", comment);
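Review bot: The `user.isAdmin ||` added on the last new line of the comment.ts hunk grants more than the title states, because the same callback is registered for `["read", "update", "delete"]` in the `allow(...)` header, so an admin can now also edit the text of any comment in their workspace rather than only remove it. If deletion is the only intended extension, register the admin branch for `"delete"` on its own and keep the author-only rule for read/update, as sketched below. Two smaller points on the same lines: `user?.id` is dead optional chaining once `user.teamId` has been dereferenced unconditionally two lines earlier, and the team check reads `comment.createdBy.teamId`, which throws rather than denies when the `createdBy` association is not loaded on the instance passed to the policy — presumably the default scope includes it, which would explain the `unscoped()` removal in the router hunk, but that is worth pinning with a comment such as `// requires comment.createdBy to be loaded (default scope)`.
```typescript
allow(User, ["read", "update"], Comment, (user, comment) => {
  if (!comment || user.teamId !== comment.createdBy.teamId) {
    return false;
  }
  return user.id === comment.createdById;
});

// Admins may remove any comment in their workspace; authors may remove their own.
allow(User, ["delete"], Comment, (user, comment) => {
  if (!comment || user.teamId !== comment.createdBy.teamId) {
    return false;
  }
  return user.isAdmin || user.id === comment.createdById;
});
```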