Only let top admin purge. Fixes #2731 (#2732)

crates/api/src/site/purge/comment.rs

@@ -3,7 +3,7 @@ use actix_web::web::Data;
 use lemmy_api_common::{
   context::LemmyContext,
   site::{PurgeComment, PurgeItemResponse},
-  utils::{get_local_user_view_from_jwt, is_admin},
+  utils::{get_local_user_view_from_jwt, is_top_admin},
 };
 use lemmy_db_schema::{
   source::{
@@ -28,8 +28,8 @@ impl Perform for PurgeComment {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     let comment_id = data.comment_id;
 

crates/api/src/site/purge/community.rs

@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeCommunity, PurgeItemResponse},
-  utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_community},
+  utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_community},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgeCommunity {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     let community_id = data.community_id;
 

crates/api/src/site/purge/person.rs

@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeItemResponse, PurgePerson},
-  utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_person},
+  utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_person},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgePerson {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     // Read the person to get their images
     let person_id = data.person_id;

crates/api/src/site/purge/post.rs

@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeItemResponse, PurgePost},
-  utils::{get_local_user_view_from_jwt, is_admin},
+  utils::{get_local_user_view_from_jwt, is_top_admin},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgePost {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     let post_id = data.post_id;
 

crates/api_common/src/utils.rs

@@ -30,6 +30,7 @@ use lemmy_db_views_actor::structs::{
   CommunityModeratorView,
   CommunityPersonBanView,
   CommunityView,
+  PersonViewSafe,
 };
 use lemmy_utils::{
   claims::Claims,
@@ -60,6 +61,18 @@ pub async fn is_mod_or_admin(
   Ok(())
 }
 
+pub async fn is_top_admin(pool: &DbPool, person_id: PersonId) -> Result<(), LemmyError> {
+  let admins = PersonViewSafe::admins(pool).await?;
+  let top_admin = admins
+    .get(0)
+    .ok_or_else(|| LemmyError::from_message("no admins"))?;
+
+  if top_admin.person.id != person_id {
+    return Err(LemmyError::from_message("not_top_admin"));
+  }
+  Ok(())
+}
+
 pub fn is_admin(local_user_view: &LocalUserView) -> Result<(), LemmyError> {
   if !local_user_view.person.admin {
     return Err(LemmyError::from_message("not_an_admin"));