From be183c6fd3a378df7fdf3f834902ccb9dc6dc47b Mon Sep 17 00:00:00 2001
From: Blitblank
Date: Wed, 22 Apr 2026 23:30:25 -0500
Subject: [PATCH] allow removal of self permissions, just not the important one
---
 api/src/Controllers/UsersController.cs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/api/src/Controllers/UsersController.cs b/api/src/Controllers/UsersController.cs
index b29e0fc..f10b9e9 100644
--- a/api/src/Controllers/UsersController.cs
+++ b/api/src/Controllers/UsersController.cs
@@ -70,8 +70,7 @@ public class UsersController : ControllerBase {
 [HttpDelete("{id}/{permission}")]
 public async Task removePermission(string id, string permission) {
- var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
- if(userId == id) return BadRequest(); // dont allow permission removal of yourself
+ if(permission == Permission.SensitiveData_Modify) return BadRequest(); // dont allow permission removal of whats allowing us to re-add premissions
 // get list of permissions of that user
 var user = await service_.GetById(id);
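Review bot: The new guard in `removePermission` rejects removal of `Permission.SensitiveData_Modify` for every target `id`, not only the caller's own, so this endpoint can no longer revoke that permission from another account, for example one that is compromised or being offboarded. The commit subject suggests only self-removal of that permission was meant to be blocked; keeping the claim lookup and scoping the check would match it: `var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);` followed by `if(userId == id && permission == Permission.SensitiveData_Modify) return BadRequest();`. The check is also an exact `==` on a route value, so if the lookup further down matches permission names case-insensitively or after normalization (not visible here), a differently cased value would pass the guard; the guard should compare the same way the removal does. The method body continues past the end of the hunk.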