fix: assertion check to ensure messages are in the room when editing/deleting, etc

Julian Lam
2021-12-22 14:58:42 -05:00
parent 82768fcf6e
commit d95b4ee29a
3 changed files with 22 additions and 1 deletions


@@ -277,4 +277,15 @@ Messaging.hasPrivateChat = async (uid, withUid) => {
return roomId;
};
Messaging.canViewMessage = async (mids, roomId, uid) => {
let single = false;
if (!Array.isArray(mids) && isFinite(mids)) {
mids = [mids];
single = true;
}
const canView = await db.isSortedSetMembers(`uid:${uid}:chat:room:${roomId}:mids`, mids);
return single ? canView.pop() : canView;
};
require('../promisify')(Messaging);
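Review bot: When `mids` is neither an array nor finite, `canViewMessage` falls through and hands the raw value to `db.isSortedSetMembers`, so the outcome of this access check depends on how the database layer treats a non-array argument. The global `isFinite` also coerces its argument, so `null`, `''` and `true` are accepted as a single id. I would fail closed by adding `else if (!Array.isArray(mids)) { return false; }` after the `if` block. A short JSDoc would also help: it should say that the function returns one boolean for a scalar `mids` and an array of booleans for an array, and that the check is membership in the caller's `uid:${uid}:chat:room:${roomId}:mids` set.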


@@ -128,7 +128,11 @@ Assert.room = helpers.try(async (req, res, next) => {
});
Assert.message = helpers.try(async (req, res, next) => {
if (!isFinite(req.params.mid) || !(await messaging.messageExists(req.params.mid))) {
if (
!isFinite(req.params.mid) ||
!(await messaging.messageExists(req.params.mid)) ||
!(await messaging.canViewMessage(req.params.mid, req.params.roomId, req.uid))
) {
return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));
}
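Review bot: `req.params.roomId` is passed to `canViewMessage` without any check in this middleware, unlike `req.params.mid`, which is tested with `isFinite` first. A missing or malformed room id presumably yields a key with no members and therefore a 400, but that relies on `Assert.room` (defined just above the hunk) having run earlier on every route that mounts `Assert.message`, and the route definitions are not visible here. I would record that dependency above the condition, for example `// roomId is validated by Assert.room earlier in the chain; the mid must be in that room for req.uid`. Keeping the single `[[error:invalid-mid]]` response for all three failures is worth a comment too, since it avoids revealing that a mid exists in another room. The body of `Assert.message` continues past the end of the hunk.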