From a37645fafaf26f11a98e530d8531f6e1841e0bdd Mon Sep 17 00:00:00 2001
From: Nafies Luthfi
Date: Sat, 11 Apr 2020 17:10:37 +0800
Subject: [PATCH] System admin can delete any user

---
 app/Policies/UserPolicy.php            |  2 +-
 tests/Unit/Policies/UserPolicyTest.php | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/app/Policies/UserPolicy.php b/app/Policies/UserPolicy.php
index 4dd7b41..9004da0 100644
--- a/app/Policies/UserPolicy.php
+++ b/app/Policies/UserPolicy.php
@@ -30,6 +30,6 @@ class UserPolicy
      */
     public function delete(User $user, User $editableUser)
     {
-        return $editableUser->manager_id == $user->id && $editableUser->id != $user->id;
+        return ($editableUser->manager_id == $user->id || is_system_admin($user)) && $editableUser->id != $user->id;
     }
 }
diff --git a/tests/Unit/Policies/UserPolicyTest.php b/tests/Unit/Policies/UserPolicyTest.php
index 793eeaa..d41dcf5 100644
--- a/tests/Unit/Policies/UserPolicyTest.php
+++ b/tests/Unit/Policies/UserPolicyTest.php
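Review bot: The added `is_system_admin($user)` branch makes that helper the sole gate for deleting any account, and the accompanying test drives it through a `SYSTEM_ADMIN_EMAILS` environment list matched against the user's e-mail; if users can edit their own e-mail address (not visible here), a non-admin who sets it to a listed address would inherit this capability, so confirm that e-mail changes are restricted or that the helper keys on something less user-controlled, and consider auditing admin-initiated deletes. Separately, `$editableUser->manager_id == $user->id` keeps a loose comparison; if both ids are integers under the model casts, `$editableUser->manager_id === $user->id` (and `!==` for the self check) avoids PHP's `==` coercions. The docblock that opens above the hunk should now state the rule, e.g. `Managers may delete their direct reports, system admins may delete anyone, and nobody may delete themselves.`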
@@ -53,10 +53,32 @@ class UserPolicyTest extends TestCase
     /** @test */
     public function manager_can_delete_a_user()
     {
+        $otherUserManagerId = Str::random();
         $manager = factory(User::class)->create();
         $user = factory(User::class)->create(['manager_id' => $manager->id]);
+        $otherUser = factory(User::class)->create(['manager_id' => $otherUserManagerId]);
+
+        $this->assertTrue($manager->can('delete', $user));
+        $this->assertFalse($manager->can('delete', $otherUser));
+    }
+
+    /** @test */
+    public function admins_can_delete_any_user()
+    {
+        $adminEmail = 'admin@example.net';
+        $otherUserManagerId = Str::random();
+        putenv('SYSTEM_ADMIN_EMAILS='.$adminEmail);
+
+        $manager = factory(User::class)->create();
+        $admin = factory(User::class)->create(['email' => $adminEmail]);
+        $user = factory(User::class)->create(['manager_id' => $manager->id]);
+        $otherUser = factory(User::class)->create(['manager_id' => $otherUserManagerId]);
+
+        $this->assertTrue($admin->can('delete', $user));
+        $this->assertTrue($admin->can('delete', $otherUser));
         $this->assertTrue($manager->can('delete', $user));
+        $this->assertFalse($manager->can('delete', $otherUser));
     }

     /** @test */
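Review bot: `admins_can_delete_any_user` calls `putenv('SYSTEM_ADMIN_EMAILS=…')` and never clears it, so the admin address leaks into every later test in the same process and can mask a regression in a negative-permission test; unset it at the end of the test or in `tearDown()` with `putenv('SYSTEM_ADMIN_EMAILS');`. The new test also never exercises the self-deletion guard the policy keeps for admins; add `$this->assertFalse($admin->can('delete', $admin));` beside the two admin assertions, and `$this->assertFalse($manager->can('delete', $manager));` in `manager_can_delete_a_user`. Whether `is_system_admin()` actually reads the raw environment is not visible here; if it goes through `env()`/config, a cached config would make this `putenv` setup ineffective, so verify against the helper. The enclosing test class continues past the hunk.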