Steps to reproduce:
log in with JohnDoe
create a new patient, draw its pedigree
log in with Admin
create a new patient, add it to JohnDoe's family & pedigree
log in with JohnDoe, edit the family
correct: JohnDoe cannot click on Admin's patient, view its details, or edit it in any way
bug: JohnDoe can delete the whole node from the pedigree
In Admin's patient history, the patient appears modified by JohnDoe, even though JohnDoe cannot access that patient
consequence bug: if JohnDoe clicks Undo in the pedigree, saving will fail due to insufficient permissions; the behavior is correct, JohnDoe shouldn't be able to put Admin's patient in a family, and this bug will not be present once the original bug is fixed
I think this is not a bug, or rather there is a bug, but not as described.
First of all, the fact that the Admin user added a patient to JohnDoe's family is contrary to the regular workflow (allowed by the special admin privileges, not available to regular users), where no one can add anything to a family until the owner of the family shares the family or a patient with someone else.
I agree the situation is still possible, for example when JohnDoe shares the patient with another user A, who, having access to the family, now added patient X to the pedigree which JohnDoe cannot edit. Then the steps to reproduce the problem will work (note: there is a missing step, which is to save the pedigree after deleting the node. If there is no save, undo works and save works after undo). However conceptually this is still JohnDoe's pedigree, and I will argue that JohnDoe has the right to remove anyone and anything from it, just because the workflow for the patient JohnDoe started the pedigree for somehow demands this (e.g. user A who added patient X was not aware of some privacy issues). After all, user A knew the patient is being added to someone else's family, so it should not be a surprise the patient got removed from that family.
The only bug here is that if you remove the node, then save, then undo, it happily does the undo and now save actually fails. I would argue that everything is fine, and the only exception is that when JohnDoe removes that patient X and saves the pedigree, there should be a note that JohnDoe won't be able to put patient X back into the pedigree, and undo should not place the patient back there. Patient X will still have JohnDoe in the change log, but I would argue in this case this is correct, since user A knew what he is getting into.