Merge pull request #5687 from RocketChat/fix-deleting-files-not-allowed

Fix files uploaded by other users not being able to be deleted by uses w/ permission

client/methods/deleteMessage.js

@@ -7,6 +7,9 @@ Meteor.methods({
 			return false;
 		}
 
+		//We're now only passed in the `_id` property to lower the amount of data sent to the server
+		message = ChatMessage.findOne({ _id: message._id });
+
 		const hasPermission = RocketChat.authz.hasAtLeastOnePermission('delete-message', message.rid);
 		const deleteAllowed = RocketChat.settings.get('Message_AllowDeleting');
 		let deleteOwn = false;

packages/rocketchat-file-upload/lib/FileUploadBase.js

@@ -9,7 +9,7 @@ UploadFS.config.defaultStorePermissions = new UploadFS.StorePermissions({
 		return userId === doc.userId;
 	},
 	remove: function(userId, doc) {
-		return userId === doc.userId;
+		return RocketChat.authz.hasPermission(Meteor.userId(), 'delete-message', doc.rid) || (RocketChat.settings.get('Message_AllowDeleting') && userId === doc.userId);
 	}
 });
 

packages/rocketchat-ui/lib/chatMessages.coffee

@@ -253,7 +253,7 @@ class @ChatMessages
 				toastr.error(t('Message_deleting_blocked'))
 				return
 
-		Meteor.call 'deleteMessage', message, (error, result) ->
+		Meteor.call 'deleteMessage', { _id: message._id }, (error, result) ->
 			if error
 				return handleError(error)
 

server/methods/deleteFileMessage.js

+/* global FileUpload */
 Meteor.methods({
 	deleteFileMessage: function(fileID) {
 		check(fileID, String);
 
-		return Meteor.call('deleteMessage', RocketChat.models.Messages.getMessageByFileId(fileID));
+		const msg = RocketChat.models.Messages.getMessageByFileId(fileID);
+
+		if (msg) {
+			return Meteor.call('deleteMessage', msg);
+		}
+
+		return FileUpload.delete(fileID);
 	}
 });