ASKBOT / askbot-devel

Askbot is a Django/Python Q&A forum. **Contributors README**: https://github.com/ASKBOT/askbot-devel#how-to-contribute. Commercial hosting of Askbot and support are available at https://askbot.com

Bug: Moderators can disable Administrators #943

Closed bonnedav closed 2 weeks ago

bonnedav commented 3 weeks ago

Version: cloned from master on 8/18/24

Current Behavior:

When the Who can anonymize and disable accounts: setting is set to administrators and moderators, moderators are able to anonymize and disable administrators.

Expected Behavior:

When the Who can anonymize and disable accounts: setting is set to administrators and moderators, moderators should be able to anonymize and disable blocked, suspended, watched, and approved users, but not moderators or administrators.

Steps to Reproduce:

  1. Create 2 test accounts.
  2. Set one test account to administrator and the other to moderator.
  3. Set Who can anonymize and disable accounts: to administrators and moderators.
  4. As the test moderator, access the test administrator's profile.
  5. Access the account tab. Note how the account tab, the anonymize and disable button, and the export data button are visible and usable while the moderation tab is not.
  6. Attempt to anonymize and disable the test administrator as the test moderator. Note that it works and the test administrator is now disabled and no longer an administrator.
  7. Attempt to log in as the test administrator. Note that you cannot.

evgenyfadeev commented 3 weeks ago

@bonnedav thank you for catching this. I've made a commit that should fix this issue. Could you test please and close the issue if it's solved for you?

bonnedav commented 3 weeks ago

It's still doing the same thing. The commit says terminate, but this was about anonymize; terminate can't be enabled for moderators at all.

bonnedav commented 3 weeks ago

I have performed some testing of my own and I fixed it by placing the code you added to `user_can_terminate_account` in `user_can_anonymize_account`, between the `perm =` line and the first `if`.

evgenyfadeev commented 2 weeks ago

@bonnedav thank you, I've merged your patch
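The authorization gap reported in the issue body, and the shape of the fix bonnedav describes (a target-side check inserted right after the `perm =` line), as an added Python illustration. This is not Askbot's code: the function names, the `User` stand-in, the status strings and the two setting values are assumptions modelled on the roles and the "Who can anonymize and disable accounts" setting named in the thread. The point it makes is that a permission check which consults only the actor's role and the site setting lets a moderator act on an administrator; the corrected version also looks at the target.

```python
from dataclasses import dataclass

# Constructed status values modelled on the roles named in the issue.
# Askbot's real status codes are not used here; these are assumptions.
ROLES = ("blocked", "suspended", "watched", "approved", "moderator", "administrator")

# Hypothetical values for the "Who can anonymize and disable accounts" setting.
ADMINS_ONLY = "administrators"
ADMINS_AND_MODS = "administrators_and_moderators"


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a forum user; `status` is one of ROLES."""
    username: str
    status: str

    @property
    def is_administrator(self) -> bool:
        return self.status == "administrator"

    @property
    def is_moderator(self) -> bool:
        return self.status == "moderator"

    @property
    def is_staff(self) -> bool:
        return self.is_administrator or self.is_moderator


def user_can_anonymize_account_buggy(actor: User, target: User, setting: str) -> bool:
    """Shape of the reported bug: the decision depends only on the actor's role
    and the site setting, so a moderator passes for any target, admins included."""
    if setting == ADMINS_ONLY:
        return actor.is_administrator
    if setting == ADMINS_AND_MODS:
        return actor.is_staff
    return False


def user_can_anonymize_account_fixed(actor: User, target: User, setting: str) -> bool:
    """Expected behaviour: the same actor/setting test, followed by a target
    check so that a moderator may not act on moderators or administrators.
    Administrators are left unrestricted; the issue asks for nothing more."""
    perm = user_can_anonymize_account_buggy(actor, target, setting)
    # Target-side guard placed right after `perm =` and before any other
    # branch, mirroring where the reporter says the patch had to go.
    if perm and target.is_staff and not actor.is_administrator:
        return False
    return perm


def privilege_matrix(check, setting: str = ADMINS_AND_MODS) -> dict:
    """Evaluate `check` for every actor/target status pair. A table like this
    is a cheap regression check to run whenever a permission function changes."""
    return {
        (a, t): check(User("actor", a), User("target", t), setting)
        for a in ROLES
        for t in ROLES
    }


def escalation_paths(check, setting: str = ADMINS_AND_MODS) -> list:
    """Pairs where a non-administrator may anonymize a staff account. Any entry
    here is the class of bug the issue reports."""
    return sorted(
        (a, t)
        for (a, t), allowed in privilege_matrix(check, setting).items()
        if allowed and t in ("moderator", "administrator") and a != "administrator"
    )


if __name__ == "__main__":
    print("buggy escalation paths:", escalation_paths(user_can_anonymize_account_buggy))
    print("fixed escalation paths:", escalation_paths(user_can_anonymize_account_fixed))
```

Running the module prints the two moderator-on-staff pairs for the buggy check and an empty list for the fixed one. The matrix helper is the part worth keeping around: a check that enumerates every actor/target combination catches a missing target-side test immediately, whereas the manual reproduction in the issue only exercises one pair.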