Users can remove from a family patients that they can't normally access

I think this is not a bug, or rather there is a bug, but not as described.

First of all, the fact that Admin user added a patient to JohnDoe's family is contrary to the regular workflow (allowed by the special admin privileges, not available to regular users), where no one can add anything to a family until the owner of the family shares the family or a patient with someone else.

I agree the situation is still possible, for example when JohnDoe shares the patient with other user A, who, having access to the family, now added patient X to the pedigree which JohnDoe can not edit. Then the steps to reproduce the problem will work (note: there is a missing step, which is to save the pedigree after deleting thenode. If ther eis no save, undo works and save works after undo). However conceptually this is still JohnDoe's pedigree, and I will argue that JohnDoe has the right to remove anyone and anything from it, just because the workflow for the patient JohnDoe started the pedigree for somehow demands this (e.g. user A who added patient X was not aware of some privacy issues). After all, user A knew the patient is beoing added to someone else's family, so it should not be a surprise the patient got removed from that family.

The only bug here is that if you remove the node, then save, then undo, it happily does the undo and now save actually fails. I would argue that everything is fine, and the only exception is that when JohnDoe remove that patient X and saves the pedigree, there should be a note that JohnDoe wont be able to put patient X back into the pedigree, and undo should not place the patient back there. Patient X will still have JohnDoe in the change log, but I would argue in this case this is correct, since user A knew what he is getting into