From 308361a83409eec36c77e61796b74ad14cda3324 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20Schw=C3=B6rer?=
Date: Thu, 27 Jul 2023 15:23:56 +0200
Subject: [PATCH] Prevent deleting messages of subscribed-only channels

---
 scnserver/TODO.md | 3 +++
 scnserver/api/handler/apiMessage.go | 2 +-
 scnserver/logic/permissions.go | 9 +++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/scnserver/TODO.md b/scnserver/TODO.md
index afed683..0de62b1 100644
--- a/scnserver/TODO.md
+++ b/scnserver/TODO.md
@@ -10,6 +10,9 @@
 - ios purchase verification
+ - increase max body size (smth like 2MB?)
+ (also increase cronexec char limit)
+
 #### UNSURE
 - (?) default-priority for channels
diff --git a/scnserver/api/handler/apiMessage.go b/scnserver/api/handler/apiMessage.go
index 1ee9f78..501e243 100644
--- a/scnserver/api/handler/apiMessage.go
+++ b/scnserver/api/handler/apiMessage.go
@@ -266,7 +266,7 @@ func (h APIHandler) DeleteMessage(g *gin.Context) ginresp.HTTPResponse {
 return ginresp.APIError(g, 500, apierr.DATABASE_ERROR, "Failed to query message", err)
 }
- if !ctx.CheckPermissionMessageRead(msg) {
+ if !ctx.CheckPermissionMessageDelete(msg) {
 return ginresp.APIError(g, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil)
 }
diff --git a/scnserver/logic/permissions.go b/scnserver/logic/permissions.go
index 7ab4e40..09b12e3 100644
--- a/scnserver/logic/permissions.go
+++ b/scnserver/logic/permissions.go
@@ -97,6 +97,15 @@ func (ac *AppContext) CheckPermissionMessageRead(msg models.Message) bool {
 return false
 }
+func (ac *AppContext) CheckPermissionMessageDelete(msg models.Message) bool {
+ p := ac.permissions
+ if p.Token != nil && p.Token.IsAdmin(msg.OwnerUserID) {
+ return true
+ }
+
+ return false
+}
+
 func (ac *AppContext) CheckPermissionAny() *ginresp.HTTPResponse {
 p := ac.permissions
 if p.Token == nil {
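Review bot: The denial branch right after the new `CheckPermissionMessageDelete` call still answers 401 with `apierr.USER_AUTH_FAILED`, which describes a missing or invalid credential, whereas what this check now rejects is a valid token that lacks the right to delete; a 403 would describe the outcome accurately and let rejected deletion attempts be told apart from authentication failures in access logs. If 401 for authorization failures is the convention in the surrounding handlers, this is a project-wide question rather than a blocker for this commit. DeleteMessage's body continues outside the hunk.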
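Review bot: CheckPermissionMessageDelete is an exported method without a doc comment, and nothing in the code records why it is stricter than CheckPermissionMessageRead directly above it, so a later "make Delete consistent with Read" edit would silently reintroduce the hole this commit closes. Suggest above the function: `// CheckPermissionMessageDelete reports whether the current token may delete msg. Unlike CheckPermissionMessageRead, a channel subscription is deliberately not sufficient; only an admin token of the message owner (msg.OwnerUserID) may delete.` The if/return true/return false shape can also collapse to `return p.Token != nil && p.Token.IsAdmin(msg.OwnerUserID)`, which states the computed boolean directly. Whether keying solely on msg.OwnerUserID covers every intended deleter (for instance if a channel's owner can differ from a message's owner) is not visible from this hunk and is worth confirming against the model.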