added checks to updateMessage and deleteMessage

8a462752 · Aaron · fbbe66b0 · 8a462752 · 8a462752 · 8a462752
Commit 8a462752 authored 9 years ago by Aaron
--- a/server/methods/deleteMessage.coffee
+++ b/server/methods/deleteMessage.coffee
@@ -6,6 +6,10 @@ Meteor.methods
 		if not RocketChat.settings.get 'Message_AllowDeleting'
 			throw new Meteor.Error 'message-deleting-not-allowed', "[methods] updateMessage -> Message deleting not allowed"

+		user = Meteor.users.findOne Meteor.userId()
+
+		unless user?.admin is true or message.u._id is Meteor.userId()
+			throw new Meteor.Error 'not-authorized', '[methods] deleteMessage -> Not authorized'

 		console.log '[methods] deleteMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments

@@ -25,7 +29,7 @@ Meteor.methods
 					_id: message._id
 					'u._id': Meteor.userId()
 				,
-					$set: 
+					$set:
 						_hidden: true

 		else
@@ -39,7 +43,7 @@ Meteor.methods
 				_id: message._id
 				'u._id': Meteor.userId()
 			,
-				$set: 
+				$set:
 					msg: ''
 					t: 'rm'
 					ets: new Date()

--- a/server/methods/deleteUser.coffee
+++ b/server/methods/deleteUser.coffee
@@ -2,12 +2,11 @@ Meteor.methods
 	deleteUser: (userId) ->
 		if not Meteor.userId()
 			throw new Meteor.Error('invalid-user', "[methods] deleteUser -> Invalid user")
-		
-		user = Meteor.users.findOne Meteor.userId()
+
+		user = Meteor.users.findOne userId()
 		unless user?.admin is true
 			throw new Meteor.Error 'not-authorized', '[methods] deleteUser -> Not authorized'

-		user = Meteor.users.findOne userId
 		unless user?
 			throw new Meteor.Error 'not-found', '[methods] deleteUser -> User not found'

@@ -18,10 +17,6 @@ Meteor.methods
 			if room.t isnt 'c' and room.usernames.length is 1
 				ChatRoom.remove subscription.rid # Remove non-channel rooms with only 1 user (the one being deleted)

-			
-
-
-
 		ChatSubscription.remove { "u._id": userId } # Remove user subscriptions

 		rooms = ChatRoom.find({ "u._id": userId }).fetch()
@@ -31,4 +26,4 @@ Meteor.methods
 		ChatRoom.update {}, { $pull: { usernames: user.username } }, { multi: true } # Remove user from all other rooms
 		Meteor.users.remove { _id: userId } # Remove user from users database

-		return true
\ No newline at end of file
+		return true
--- a/server/methods/updateMessage.coffee
+++ b/server/methods/updateMessage.coffee
@@ -6,6 +6,11 @@ Meteor.methods
 		if not RocketChat.settings.get 'Message_AllowEditing'
 			throw new Meteor.Error 'message-editing-not-allowed', "[methods] updateMessage -> Message editing not allowed"

+		user = Meteor.users.findOne Meteor.userId()	
+
+		unless user?.admin is true or message.u._id is Meteor.userId()
+			throw new Meteor.Error 'not-authorized', '[methods] updateMessage -> Not authorized'
+
 		console.log '[methods] updateMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments

 		# If we keep history of edits, insert a new message to store history information
@@ -31,4 +36,4 @@ Meteor.methods
 			$set: message

 		# Meteor.defer ->
-		# 	RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)
\ No newline at end of file
+		# 	RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)