diff --git a/src/httpd.js.c b/src/httpd.js.c
index 33be5d83..2b5b448c 100644
--- a/src/httpd.js.c
+++ b/src/httpd.js.c
@@ -1106,8 +1106,9 @@ static void _httpd_endpoint_delete_work(tf_ssb_t* ssb, void* user_data)
 {
 size_t length = strlen(user_string);
 if (request->path && request->path[0] == '/' && request->path[1] == '~' &&
- /* TODO: admin users used to be able to delete core apps */
- strncmp(request->path + 2, user_string, length) == 0 && request->path[2 + length] == '/')
+ (strncmp(request->path + 2, user_string, length) == 0 ||
+ (strncmp(request->path + 2, "core", strlen("core") == 0 && tf_ssb_db_user_has_permission(ssb, user_string, "administration")))) &&
+ request->path[2 + length] == '/')
 {
 char* app_name = tf_strdup(request->path + 2 + length + 1);
 if (app_name)
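Review bot: The closing parenthesis of the added `strncmp(request->path + 2, "core", ...)` call is misplaced, so its length argument is the whole expression `strlen("core") == 0 && tf_ssb_db_user_has_permission(...)`, which is always 0; the call compares zero bytes and returns 0, so the admin branch is never true and the permission check never runs. That fails closed today, but moving the parenthesis alone is not a safe fix: the shared `request->path[2 + length] == '/'` test and the `tf_strdup(request->path + 2 + length + 1)` after it still offset by the length of `user_string` rather than of "core", so on a short `/~core/...` path they would read past the end of the string. Each branch should check the separator at its own prefix length and run the permission check only after the "core" prefix has matched, as sketched below; any code after the hunk that treats `user_string` as the app owner would presumably need the matched owner as well, and a test that a non-administrator cannot delete under `/~core/` would pin the authorization. The function starts and ends outside the hunk.

```c
	size_t length = strlen(user_string);
	size_t core_length = strlen("core");
	const char* rest = NULL; /* text after "/~<owner>/", set only when the caller may delete there */
	if (request->path && request->path[0] == '/' && request->path[1] == '~')
	{
		const char* owner = request->path + 2;
		if (strncmp(owner, user_string, length) == 0 && owner[length] == '/')
		{
			rest = owner + length + 1;
		}
		else if (strncmp(owner, "core", core_length) == 0 && owner[core_length] == '/' &&
			tf_ssb_db_user_has_permission(ssb, user_string, "administration"))
		{
			rest = owner + core_length + 1;
		}
	}
	if (rest)
	{
		char* app_name = tf_strdup(rest);
		// … unchanged: if (app_name) and the rest of the delete path …
```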