diff --git a/src/routes/users.js b/src/routes/users.js
index 8c899312e..868339fe1 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -102,11 +102,6 @@ function get(req, res, next) {
 function remove(req, res, next) {
 assert.strictEqual(typeof req.params.userId, 'string');
 
- // rules:
- // - admin can remove any user
- // - admin cannot remove admin
- // - user cannot remove himself <- TODO should this actually work?
-
 if (req.user.id === req.params.userId) return next(new HttpError(409, 'Not allowed to remove yourself.'));
 
 users.remove(req.params.userId, auditSource(req), function (error) {