fix: disallow editing of other users' notes

Feel free to close this if it is intentional, but as you are not allowed to delete other users notes I expect you shouldn't be able to edit them. Editing another users post also changes ownership, allowing you to then delete it. I also added `error:` to the errormessage so that they display properly.
4 years ago · edcba61aa9
parent ca72aa93d7
commit edcba61aa9
1 changed files with 9 additions and 1 deletions
--- a/src/socket.io/flags.js
+++ b/src/socket.io/flags.js
@ -51,8 +51,16 @@ SocketFlags.appendNote = async function (socket, data) {

 	const allowed = await user.isPrivileged(socket.uid);
 	if (!allowed) {
-		throw new Error('[[no-privileges]]');
+		throw new Error('[[error:no-privileges]]');
 	}
+	
+  	if (data.datetime && data.flagId) {
+    		const note = await flags.getNote(data.flagId, data.datetime);
+		if (note.uid !== socket.uid) {
+  			throw new Error('[[error:no-privileges]]'));
+		}
+	  }
+	
 	await flags.appendNote(data.flagId, socket.uid, data.note, data.datetime);

 	const [notes, history] = await Promise.all([