Prevent deleting messages of subscribed-only channels

Mike Schwörer 2023-07-27 15:23:56 +02:00
parent 44df964f6f
commit 308361a834
Signed by: Mikescher
GPG Key ID: D3C7172E0A70F8CF
3 changed files with 13 additions and 1 deletions


@ -10,6 +10,9 @@
- ios purchase verification - ios purchase verification
- increase max body size (smth like 2MB?)
(also increase cronexec char limit)
#### UNSURE #### UNSURE
- (?) default-priority for channels - (?) default-priority for channels


@ -266,7 +266,7 @@ func (h APIHandler) DeleteMessage(g *gin.Context) ginresp.HTTPResponse {
return ginresp.APIError(g, 500, apierr.DATABASE_ERROR, "Failed to query message", err) return ginresp.APIError(g, 500, apierr.DATABASE_ERROR, "Failed to query message", err)
} }
if !ctx.CheckPermissionMessageRead(msg) { if !ctx.CheckPermissionMessageDelete(msg) {
return ginresp.APIError(g, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil) return ginresp.APIError(g, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil)
} }
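Review bot: None of the three changed sections appears to be a test, so nothing guards the swap to `ctx.CheckPermissionMessageDelete(msg)` in `DeleteMessage` against regression. A test where a user who only subscribes to the channel calls the delete endpoint, is refused, and the message is still present afterwards would pin the fix. The denial branch still answers 401 with `apierr.USER_AUTH_FAILED` although the caller is authenticated and only lacks the right to delete; 403 would describe it better, provided clients do not depend on the current status. `DeleteMessage` starts and ends outside this hunk, so whether other mutating handlers still gate on `CheckPermissionMessageRead` cannot be seen from here and is worth checking.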


@ -97,6 +97,15 @@ func (ac *AppContext) CheckPermissionMessageRead(msg models.Message) bool {
return false return false
} }
func (ac *AppContext) CheckPermissionMessageDelete(msg models.Message) bool {
p := ac.permissions
if p.Token != nil && p.Token.IsAdmin(msg.OwnerUserID) {
return true
}
return false
}
func (ac *AppContext) CheckPermissionAny() *ginresp.HTTPResponse { func (ac *AppContext) CheckPermissionAny() *ginresp.HTTPResponse {
p := ac.permissions p := ac.permissions
if p.Token == nil { if p.Token == nil {
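Review bot: `CheckPermissionMessageDelete` is added without a doc comment, and the reason it is stricter than `CheckPermissionMessageRead` is the part a later refactor is most likely to lose. I would put `// CheckPermissionMessageDelete reports whether the current token passes IsAdmin for msg.OwnerUserID.` above it, followed by `// Read access obtained through a channel subscription is deliberately not sufficient.` The check keys on `msg.OwnerUserID`; presumably that is the owner of the channel rather than the sender, which should be confirmed against the models package since it is not visible here. The trailing context belongs to `CheckPermissionAny`, whose body continues outside the hunk.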