diff options
| author | George Goldberg <george@gberg.me> | 2018-05-31 10:25:31 +0100 |
|---|---|---|
| committer | George Goldberg <george@gberg.me> | 2018-05-31 10:25:31 +0100 |
| commit | 27e7841a734e9c3ed71f988a653f5865d2ef6f91 (patch) | |
| tree | 1ccc65246fb166c25a9923f4e05ad7d6223892d1 /api4/post.go | |
| parent | e39f5f46f3f6cdcb7ab8aeef8c601047f5942f85 (diff) | |
| parent | 994ccf475f96bcad668269fe25b0d22e975bc222 (diff) | |
| download | chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.tar.gz chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.tar.bz2 chat-27e7841a734e9c3ed71f988a653f5865d2ef6f91.zip | |
Merge branch 'advanced-permissions-phase-2'
Diffstat (limited to 'api4/post.go')
| -rw-r--r-- | api4/post.go | 41 |
1 files changed, 35 insertions, 6 deletions
diff --git a/api4/post.go b/api4/post.go index 189edfc20..b4392a74e 100644 --- a/api4/post.go +++ b/api4/post.go @@ -246,11 +246,24 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_DELETE_OTHERS_POSTS) { - c.SetPermissionError(model.PERMISSION_DELETE_OTHERS_POSTS) + post, err := c.App.GetSinglePost(c.Params.PostId) + if err != nil { + c.SetPermissionError(model.PERMISSION_DELETE_POST) return } + if c.Session.UserId == post.UserId { + if !c.App.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_DELETE_POST) { + c.SetPermissionError(model.PERMISSION_DELETE_POST) + return + } + } else { + if !c.App.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_DELETE_OTHERS_POSTS) { + c.SetPermissionError(model.PERMISSION_DELETE_OTHERS_POSTS) + return + } + } + if _, err := c.App.DeletePost(c.Params.PostId); err != nil { c.Err = err return @@ -364,11 +377,19 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) { - c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS) + originalPost, err := c.App.GetSinglePost(c.Params.PostId) + if err != nil { + c.SetPermissionError(model.PERMISSION_EDIT_POST) return } + if c.Session.UserId != originalPost.UserId { + if !c.App.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS) + return + } + } + post.Id = c.Params.PostId rpost, err := c.App.UpdatePost(c.App.PostWithProxyRemovedFromImageURLs(post), false) @@ -398,11 +419,19 @@ func patchPost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !c.App.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) { - c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS) + originalPost, err := c.App.GetSinglePost(c.Params.PostId) + if err != nil { + c.SetPermissionError(model.PERMISSION_EDIT_POST) return } + if c.Session.UserId != originalPost.UserId { + if !c.App.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS) + return + } + } + patchedPost, err := c.App.PatchPost(c.Params.PostId, c.App.PostPatchWithProxyRemovedFromImageURLs(post)) if err != nil { c.Err = err |