From 7531acdcbf2c42f9d6aed83a28b5bb895b370eda Mon Sep 17 00:00:00 2001
From: Noah Petherbridge
Date: Tue, 20 Dec 2022 21:21:15 -0800
Subject: [PATCH] Security fix
---
 pkg/controller/inbox/delete.go | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/pkg/controller/inbox/delete.go b/pkg/controller/inbox/delete.go
index ae2da76..44b95e7 100644
--- a/pkg/controller/inbox/delete.go
+++ b/pkg/controller/inbox/delete.go
@@ -54,6 +54,20 @@ func Delete() http.HandlerFunc {
 templates.Redirect(w, next)
 }
+ // We should be a party on this message.
+ if deleteAll {
+ if message.SourceUserID != currentUser.ID &&
+ message.TargetUserID != currentUser.ID {
+ session.FlashError(w, r, "That is not your conversation thread.")
+ templates.Redirect(w, next)
+ return
+ }
+ } else if message.SourceUserID != currentUser.ID {
+ session.FlashError(w, r, "You did not create that message so you can't delete it.")
+ templates.Redirect(w, next)
+ return
+ }
+
 // Delete whole thread?
 if deleteAll {
 if err := models.DeleteMessageThread(message); err != nil {
@@ -65,13 +79,6 @@ func Delete() http.HandlerFunc {
 return
 }
- // We should be a party on this message.
- if message.SourceUserID != currentUser.ID {
- session.FlashError(w, r, "You did not create that message so you can't delete it.")
- templates.Redirect(w, next)
- return
- }
-
 // Do the needful.
 if err := message.Delete(); err != nil {
 session.FlashError(w, r, "Error deleting the message: %s", err)
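Review bot: The two branches of the new ownership check in the first hunk enforce different rules — either party may delete the whole thread, but a single message may only be deleted by its `SourceUserID` — and nothing in the hunk says whether that asymmetry is intended, so the comment `// We should be a party on this message.` undersells what follows it. I would expand it to `// Thread deletion is allowed for either party; deleting a single message is allowed only for its author.` so the next reader does not "fix" one branch to match the other. A denied attempt here is also a useful signal to record server-side rather than only flashing it to the user, since it means a client presented a message belonging to someone else. The check correctly runs before both `models.DeleteMessageThread(message)` and `message.Delete()`; the enclosing handler body starts and ends outside the hunk.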