Backend has no authorization checks
In backend, e.g. deleteGroup() function, there is no authorizations checks. Means also simple managers or anyone with a limited backend access can do anything in groupjive.
Imho, authorization checks are needed in backend too, with admins and super-admins having all rights.