fix: toMid to posts you cant see

1 year ago · 53106c009c
parent bd94f2632a
commit 53106c009c
3 changed files with 59 additions and 4 deletions
--- a/src/messaging/create.js
+++ b/src/messaging/create.js
@ -42,8 +42,13 @@ module.exports = function (Messaging) {
 		if (!roomData) {
 			throw new Error('[[error:no-room]]');
 		}
-		if (data.toMid && !utils.isNumber(data.toMid)) {
-			throw new Error('[[error:invalid-mid]]');
+		if (data.toMid) {
+			if (!utils.isNumber(data.toMid)) {
+				throw new Error('[[error:invalid-mid]]');
+			}
+			if (!await Messaging.canViewMessage(data.toMid, roomId, uid)) {
+				throw new Error('[[error:no-privileges]]');
+			}
 		}
 		const mid = await db.incrObjectField('global', 'nextMid');
 		const timestamp = data.timestamp || Date.now();
--- a/src/messaging/data.js
+++ b/src/messaging/data.js
@ -132,6 +132,9 @@ module.exports = function (Messaging) {
 			return;
 		}
 		parentMids = _.uniq(parentMids);
+		const canView = await Messaging.canViewMessage(parentMids, roomId, uid);
+		parentMids = parentMids.filter((mid, idx) => canView[idx]);
+
 		const parentMessages = await Messaging.getMessagesFields(parentMids, [
 			'fromuid', 'content', 'timestamp', 'deleted',
 		]);
--- a/test/messaging.js
+++ b/test/messaging.js
@ -1,7 +1,6 @@
 'use strict';

 const assert = require('assert');
-const async = require('async');
 const request = require('request-promise-native');
 const nconf = require('nconf');
 const util = require('util');
@ -369,7 +368,6 @@ describe('Messaging Library', () => {
 		});

 		it('should fail to send second message due to rate limit', async () => {
-			const socketMock = { uid: mocks.users.foo.uid };
 			const oldValue = meta.config.chatMessageDelay;
 			meta.config.chatMessageDelay = 1000;

@ -572,6 +570,55 @@ describe('Messaging Library', () => {
 		});
 	});

+	describe('toMid', () => {
+		let roomId;
+		let firstMid;
+		before(async () => {
+			// create room
+			const { body } = await callv3API('post', `/chats`, {
+				uids: [mocks.users.bar.uid],
+			}, 'foo');
+			roomId = body.response.roomId;
+			// send message
+			const result = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'first chat message',
+			}, 'foo');
+
+			firstMid = result.body.response.mid;
+		});
+
+		it('should fail if toMid is not a number', async () => {
+			const result = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'invalid',
+				toMid: 'osmaosd',
+			}, 'foo');
+			assert.strictEqual(result.body.status.message, 'Invalid Chat Message ID');
+		});
+
+		it('should reply to firstMid using toMid', async () => {
+			const { body } = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'invalid',
+				toMid: firstMid,
+			}, 'bar');
+			assert(body.response.mid);
+		});
+
+		it('should fail if user can not view toMid', async () => {
+			// add new user
+			await callv3API('post', `/chats/${roomId}/users`, { uids: [mocks.users.herp.uid] }, 'foo');
+			// try to reply to firstMid that this user cant see
+			const { body } = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'invalid',
+				toMid: firstMid,
+			}, 'herp');
+			assert.strictEqual(body.status.message, 'You do not have enough privileges for this action.');
+		});
+	});
+
 	describe('edit/delete', () => {
 		const socketModules = require('../src/socket.io/modules');
 		let mid;