From 24ad43d3e44fb90dd1fc2008bd2101f0ef61d83c Mon Sep 17 00:00:00 2001
From: Faruk AYDIN
Date: Fri, 23 Feb 2024 13:44:48 +0100
Subject: [PATCH] fix: Allow permitted users to delete others steps

---
 .../backend/src/graphql/mutations/delete-step.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/graphql/mutations/delete-step.js b/packages/backend/src/graphql/mutations/delete-step.js
index fb4a7bd2..8aa5b64e 100644
--- a/packages/backend/src/graphql/mutations/delete-step.js
+++ b/packages/backend/src/graphql/mutations/delete-step.js
@@ -1,8 +1,13 @@
-const deleteStep = async (_parent, params, context) => {
- context.currentUser.can('update', 'Flow');
+import Step from '../../models/flow.js';
 
- const step = await context.currentUser
- .$relatedQuery('steps')
+const deleteStep = async (_parent, params, context) => {
+ const conditions = context.currentUser.can('update', 'Flow');
+ const isCreator = conditions.isCreator;
+ const allSteps = Step.query();
+ const userSteps = context.currentUser.$relatedQuery('steps');
+ const baseQuery = isCreator ? userSteps : allSteps;
+
+ const step = await baseQuery
 .withGraphFetched('flow')
 .findOne({
 'steps.id': params.input.id,
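Review bot: The new import binds the default export of `'../../models/flow.js'` to the name `Step`, so `Step.query()` in the non-creator branch presumably runs against the flow model rather than steps, while the `.withGraphFetched('flow')` and `'steps.id'` filter that follow only make sense on a step query. Import the step model here instead (its module path is not shown on this page). The branch choice also widens on any falsy value: if `can()` ever returns conditions without `isCreator`, the lookup falls through to the unscoped `allSteps`, so `const baseQuery = conditions.isCreator === false ? allSteps : userSteps;` would keep the owner-scoped query as the default. Because this is the path that lets one user delete another user's step, it deserves a test for both condition values. The body of `deleteStep` continues past the end of the hunk.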