fix: assertion check to ensure messages are in the room when editing/deleting, etc

2026-02-15 02:57:51 +01:00 · 2021-12-22 14:58:42 -05:00
parent 82768fcf6e
commit d95b4ee29a
3 changed files with 22 additions and 1 deletions
--- a/src/middleware/assert.js
+++ b/src/middleware/assert.js
@@ -128,7 +128,11 @@ Assert.room = helpers.try(async (req, res, next) => {
 });

 Assert.message = helpers.try(async (req, res, next) => {
-	if (!isFinite(req.params.mid) || !(await messaging.messageExists(req.params.mid))) {
+	if (
+		!isFinite(req.params.mid) ||
+		!(await messaging.messageExists(req.params.mid)) ||
+		!(await messaging.canViewMessage(req.params.mid, req.params.roomId, req.uid))
+	) {
 		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));
 	}