diff --git a/src/common/utils/__test__/communityWatchRemoveComment.test.ts b/src/common/utils/__test__/communityWatchRemoveComment.test.ts
index 3a8584dc3..eb700b2ac 100644
--- a/src/common/utils/__test__/communityWatchRemoveComment.test.ts
+++ b/src/common/utils/__test__/communityWatchRemoveComment.test.ts
@@ -284,6 +284,15 @@ describe('communityWatchRemoveComment', () => {
 )
 })
 
+ test('rejects frozen community watch users before loading the comment', async () => {
+ const { context } = createContext({ viewerState: USER_STATE.frozen })
+
+ await expect(removeComment(context)).rejects.toHaveProperty(
+ 'extensions.code',
+ 'FORBIDDEN_BY_STATE'
+ )
+ })
+
 test('rejects non-comment targets', async () => {
 const { context } = createContext()
 
diff --git a/src/types/__test__/2/system.test.ts b/src/types/__test__/2/system.test.ts
index dac9762f4..bd9349884 100644
--- a/src/types/__test__/2/system.test.ts
+++ b/src/types/__test__/2/system.test.ts
@@ -1422,6 +1422,20 @@ describe('submitReport', () => {
 }
 `
 
+ test('rejects non-admin users from OSS reports', async () => {
+ const server = await testClient({
+ isAuth: true,
+ connections,
+ })
+ const { errors, data } = await server.executeOperation({
+ query: GET_REPORTS,
+ variables: { input: { first: 1, filter: { source: 'community_watch' } } },
+ })
+
+ expect(errors?.[0].extensions.code).toBe('FORBIDDEN')
+ expect(data).toBe(null)
+ })
+
 test('submit report successfully', async () => {
 const server = await testClient({
 isAuth: true,
diff --git a/src/types/__test__/2/user/user.test.ts b/src/types/__test__/2/user/user.test.ts
index 6bbdfe3bd..158937bf4 100644
--- a/src/types/__test__/2/user/user.test.ts
+++ b/src/types/__test__/2/user/user.test.ts
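Review bot: The test name promises the frozen viewer is rejected "before loading the comment", but the assertion `rejects.toHaveProperty('extensions.code', 'FORBIDDEN_BY_STATE')` only pins the error code, so a refactor that fetches the comment first and checks the viewer state afterwards would still pass. If `createContext` exposes the comment loader as a mock (not visible in this hunk), add `expect(<comment loader mock>).not.toHaveBeenCalled()` after the rejection; otherwise shorten the name to `rejects frozen community watch users` so it does not claim more than it verifies. Only `USER_STATE.frozen` is exercised here; if other non-active states are meant to produce the same code, a `test.each` over them would keep that authorization contract covered. The enclosing describe block starts and ends outside the hunk.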
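Review bot: `expect(errors?.[0].extensions.code).toBe('FORBIDDEN')` in the system.test.ts hunk stops short-circuiting after `errors?.[0]`, so if `executeOperation` ever returns an empty `errors` array the line throws a TypeError instead of a readable assertion failure, and under `noUncheckedIndexedAccess` the `.extensions` access would not type-check at all. Asserting the shape first, `expect(errors).toHaveLength(1)` then `expect(errors?.[0]?.extensions.code).toBe('FORBIDDEN')`, makes a regression that leaks the report list show up as an authorization failure rather than a crash; the same pattern is in the user.test.ts hunk below. The client is created with `isAuth: true` alone, so I infer the non-admin role comes from a `testClient` default that is not visible here; a one-line comment naming that default (e.g. `// testClient without isAdmin yields a regular authenticated viewer`, adjusted to what the helper actually does) would make the authorization intent of the test explicit. The enclosing describe block starts and ends outside the hunk.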
@@ -1028,6 +1028,29 @@ describe('update user state', () => {
 const activeUser1Email = 'test2@matters.news'
 const activeUser2Email = 'test3@matters.news'
 
+ test('non-admin users can not update user state', async () => {
+ const UPDATE_USER_STATE = /* GraphQL */ `
+ mutation ($input: UpdateUserStateInput!) {
+ updateUserState(input: $input) {
+ id
+ }
+ }
+ `
+ const server = await testClient({ isAuth: true, connections })
+ const { errors, data } = await server.executeOperation({
+ query: UPDATE_USER_STATE,
+ variables: {
+ input: {
+ id: activeUser1Id,
+ state: USER_STATE.frozen,
+ },
+ },
+ })
+
+ expect(errors?.[0].extensions.code).toBe('FORBIDDEN')
+ expect(data.updateUserState).toBe(null)
+ })
+
 test('archive user should provide viewer passwd', async () => {
 const { errors } = await updateUserState(
 { id, state: USER_STATE.archived },
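Review bot: `expect(data.updateUserState).toBe(null)` dereferences `data` unguarded, while the system.test.ts hunk above asserts `data` itself is `null` for the same FORBIDDEN outcome; if `updateUserState` is declared non-nullable in the schema (not visible here), `data` comes back `null` and this line throws a TypeError instead of failing as an assertion. `expect(data?.updateUserState ?? null).toBeNull()` passes for both nullability shapes and still fails when the mutation actually succeeds, which is the regression this test exists to catch. The inline `UPDATE_USER_STATE` document presumably duplicates what the describe block's existing `updateUserState` helper sends (its call is visible in the context lines); hoisting the query to describe scope next to that helper would keep one source of truth, and the `errors?.[0].extensions.code` indexed-access issue noted on system.test.ts applies here too. The enclosing describe block starts and ends outside the hunk.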