As a non-admin user, I shouldn't be able to delete another user's board

[sylvansson]

The deleteBoard route currently allows callers to delete boards owned by another user, even if the caller is not an admin.

Acceptance criteria

• A non-admin user gets a 404 if they try to delete another user's board.
• An admin can delete any board.
• The tests added in Write tests for deleteBoard route bug #174 are not skipped and are passing.

[sylvansson]

@martinbedouret This might be a good task for Katerina and Maria? I know it's security-related but it should be fairly simple, and I wrote some tests in #174 so they can validate that the fix works as intended.

[callapa1]

Just in case, I'm completely new to this app and api (and a beginner dev), but I realized that the same problem should happen with deleting a user?
removeUser is almost identical with deleteBoard, both not considering the user and going straight to findByIdAndRemove

[sylvansson]

Hi @callapa1, good observation. I would have to check, but as far as I know only an admin can call the removeUser route. It's a bit hidden but you can see it in the Swagger definition for the route.

[callapa1]

Hi @sylvansson . Yes, I just found it. Only admin in x-security-scopes

[sylvansson]

Hi @callapa1, are you still working on this? If not, I might assign the issue to someone else.

[callapa1]

Hello @sylvansson . Sorry, I had some problems trying to reproduce the environment because of all the API keys needed. Yes, you can assign this to someone else