fix: Allow permitted users to delete others steps

packages/backend/src/graphql/mutations/delete-step.js

@@ -1,8 +1,13 @@
-const deleteStep = async (_parent, params, context) => {
+import Step from '../../models/flow.js';
-  context.currentUser.can('update', 'Flow');
 
-  const step = await context.currentUser
+const deleteStep = async (_parent, params, context) => {
-    .$relatedQuery('steps')
+  const conditions = context.currentUser.can('update', 'Flow');
+  const isCreator = conditions.isCreator;
+  const allSteps = Step.query();
+  const userSteps = context.currentUser.$relatedQuery('steps');
+  const baseQuery = isCreator ? userSteps : allSteps;
+
+  const step = await baseQuery
     .withGraphFetched('flow')
     .findOne({
       'steps.id': params.input.id,