Fix files uploaded by other users not being able to be deleted by users with permission

b618e77d · Bradley Hilton · 1bae5c52 · b618e77d · b618e77d · b618e77d
Unverified Commit b618e77d authored 8 years ago by Bradley Hilton
--- a/client/methods/deleteMessage.js
+++ b/client/methods/deleteMessage.js
@@ -7,6 +7,9 @@ Meteor.methods({
 			return false;
 		}
+		//We're now only passed in the `_id` property to lower the amount of data sent to the server
+		message = ChatMessage.findOne({ _id: message._id });
 		const hasPermission = RocketChat.authz.hasAtLeastOnePermission('delete-message', message.rid);
 		const deleteAllowed = RocketChat.settings.get('Message_AllowDeleting');
 		let deleteOwn = false;

--- a/packages/rocketchat-file-upload/lib/FileUploadBase.js
+++ b/packages/rocketchat-file-upload/lib/FileUploadBase.js
@@ -9,7 +9,7 @@ UploadFS.config.defaultStorePermissions = new UploadFS.StorePermissions({
 		return userId === doc.userId;
 	},
 	remove: function(userId, doc) {
-		return userId === doc.userId;
+		return RocketChat.authz.hasPermission(Meteor.userId(), 'delete-message', doc.rid) || (RocketChat.settings.get('Message_AllowDeleting') && userId === doc.userId);
 	}
 });

--- a/packages/rocketchat-ui/lib/chatMessages.coffee
+++ b/packages/rocketchat-ui/lib/chatMessages.coffee
@@ -253,7 +253,7 @@ class @ChatMessages
 				toastr.error(t('Message_deleting_blocked'))
 				return
-		Meteor.call 'deleteMessage', message, (error, result) ->
+		Meteor.call 'deleteMessage', { _id: message._id }, (error, result) ->
 			if error
 				return handleError(error)

--- a/server/methods/deleteFileMessage.js
+++ b/server/methods/deleteFileMessage.js
+/* global FileUpload */
 Meteor.methods({
 	deleteFileMessage: function(fileID) {
 		check(fileID, String);
-		return Meteor.call('deleteMessage', RocketChat.models.Messages.getMessageByFileId(fileID));
+		const msg = RocketChat.models.Messages.getMessageByFileId(fileID);
+		if (msg) {
+			return Meteor.call('deleteMessage', msg);
+		}
+		return FileUpload.delete(fileID);
 	}
 });