Prevent deleting messages of subscribed-only channels

2023-07-27 15:23:56 +02:00 · 2023-07-27 15:23:56 +02:00 · 308361a834
commit 308361a834
parent 44df964f6f
3 changed files with 13 additions and 1 deletions
--- a/scnserver/TODO.md
+++ b/scnserver/TODO.md
@ -10,6 +10,9 @@

 - ios purchase verification

+ - increase max body size (smth like 2MB?)
+   (also increase cronexec char limit)
+
 #### UNSURE

 - (?) default-priority for channels
--- a/scnserver/api/handler/apiMessage.go
+++ b/scnserver/api/handler/apiMessage.go
@ -266,7 +266,7 @@ func (h APIHandler) DeleteMessage(g *gin.Context) ginresp.HTTPResponse {
 		return ginresp.APIError(g, 500, apierr.DATABASE_ERROR, "Failed to query message", err)
 	}

-	if !ctx.CheckPermissionMessageRead(msg) {
+	if !ctx.CheckPermissionMessageDelete(msg) {
 		return ginresp.APIError(g, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil)
 	}

--- a/scnserver/logic/permissions.go
+++ b/scnserver/logic/permissions.go
@ -97,6 +97,15 @@ func (ac *AppContext) CheckPermissionMessageRead(msg models.Message) bool {
 	return false
 }

+func (ac *AppContext) CheckPermissionMessageDelete(msg models.Message) bool {
+	p := ac.permissions
+	if p.Token != nil && p.Token.IsAdmin(msg.OwnerUserID) {
+		return true
+	}
+
+	return false
+}
+
 func (ac *AppContext) CheckPermissionAny() *ginresp.HTTPResponse {
 	p := ac.permissions
 	if p.Token == nil {