From 2c996a14e2ea8ad55d8d478e34279a670ea46035 Mon Sep 17 00:00:00 2001
From: HardiReady
Date: Sat, 20 Oct 2018 22:52:45 +0200
Subject: [PATCH] Restrict delete user API endpoint to MT+ level (CC-67)
---
 api/routes/users.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/api/routes/users.js b/api/routes/users.js
index 6145877..7fc55d1 100644
--- a/api/routes/users.js
+++ b/api/routes/users.js
@@ -9,6 +9,7 @@ const codes = require('./http-codes');
 const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
 const checkHl = require('../middleware/permission-check').checkHl;
+const checkMT = require('../middleware/permission-check').checkMT;
 const offsetlimitMiddleware = require('../middleware/limitoffset-middleware-mongo');
 const filterHandlerCreator = require('../middleware/filter-handler-mongo');
@@ -180,7 +181,7 @@ users.route('/:id')
 });
 })
- .delete(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
+ .delete(apiAuthenticationMiddleware, checkMT, (req, res, next) => {
 UserModel.findByIdAndRemove(req.params.id, (err, item) => {
 if (err) {
 err.status = codes.wrongrequest;
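Review bot: The `.delete` route on `/:id` in the second hunk is now gated by `checkMT`, but the first statement of the handler still passes `req.params.id` straight to `UserModel.findByIdAndRemove`, with no comparison between the caller and the account being removed. If `checkMT` only tests the caller's level (its body is not part of this patch), an MT-level account could delete its own record or one of equal or higher level. I would load the target first and reject those cases before removing it, and record the rule above the route, e.g. `// checkMT gates the caller only; the target's level must be checked before removal`. A destructive route like this also merits a log entry naming the caller and the deleted id; the handler continues past the end of the hunk, so that part may already exist.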