Users with 'community' role are able to grant 'trusted' role to others. This is done via Flag module and permissions to 'moderate users' and 'toggle trusted role'.
'Moderate users' permission (I think) makes 'Administer nodes' and 'Administer comments' sub-tabs visible on user profiles. When 'community' user tries to delete either comments or nodes on those sub-tabs, they can't, since they don't have administer content permissions.
'Administer nodes/comments' sub-tabs should not be accessible for users with 'community' role at all. Per the upcoming changes to the users role progression (
So we need some solution here which would still let them give 'trusted' role to others.
Original report by @naveenvalecha
I am able to access the administer xy tabs and can trigger the delete process which results in a bogus success message.