Prevent deleting messages of subscribed-only channels

scnserver/TODO.md

@@ -10,6 +10,9 @@
 
  - ios purchase verification
 
+ - increase max body size (smth like 2MB?)
+   (also increase cronexec char limit)
+
 #### UNSURE
 
  - (?) default-priority for channels

scnserver/api/handler/apiMessage.go

@@ -266,7 +266,7 @@ func (h APIHandler) DeleteMessage(g *gin.Context) ginresp.HTTPResponse {
 		return ginresp.APIError(g, 500, apierr.DATABASE_ERROR, "Failed to query message", err)
 	}
 
-	if !ctx.CheckPermissionMessageRead(msg) {
+	if !ctx.CheckPermissionMessageDelete(msg) {
 		return ginresp.APIError(g, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil)
 	}
 

scnserver/logic/permissions.go

@@ -97,6 +97,15 @@ func (ac *AppContext) CheckPermissionMessageRead(msg models.Message) bool {
 	return false
 }
 
+func (ac *AppContext) CheckPermissionMessageDelete(msg models.Message) bool {
+	p := ac.permissions
+	if p.Token != nil && p.Token.IsAdmin(msg.OwnerUserID) {
+		return true
+	}
+
+	return false
+}
+
 func (ac *AppContext) CheckPermissionAny() *ginresp.HTTPResponse {
 	p := ac.permissions
 	if p.Token == nil {