Security fix

This commit is contained in:
Noah Petherbridge 2022-12-20 21:21:15 -08:00
parent 72a7f57f03
commit 7531acdcbf


@ -54,6 +54,20 @@ func Delete() http.HandlerFunc {
templates.Redirect(w, next) templates.Redirect(w, next)
} }
// We should be a party on this message.
if deleteAll {
if message.SourceUserID != currentUser.ID &&
message.TargetUserID != currentUser.ID {
session.FlashError(w, r, "That is not your conversation thread.")
templates.Redirect(w, next)
return
}
} else if message.SourceUserID != currentUser.ID {
session.FlashError(w, r, "You did not create that message so you can't delete it.")
templates.Redirect(w, next)
return
}
// Delete whole thread? // Delete whole thread?
if deleteAll { if deleteAll {
if err := models.DeleteMessageThread(message); err != nil { if err := models.DeleteMessageThread(message); err != nil {
@ -65,13 +79,6 @@ func Delete() http.HandlerFunc {
return return
} }
// We should be a party on this message.
if message.SourceUserID != currentUser.ID {
session.FlashError(w, r, "You did not create that message so you can't delete it.")
templates.Redirect(w, next)
return
}
// Do the needful. // Do the needful.
if err := message.Delete(); err != nil { if err := message.Delete(); err != nil {
session.FlashError(w, r, "Error deleting the message: %s", err) session.FlashError(w, r, "Error deleting the message: %s", err)