Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions app/authorization/server/functions/canDeleteMessage.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
import { hasPermissionAsync } from './hasPermission';
import { getValue } from '../../../settings/server/raw';

const diff = (ts) => {
Comment thread
ggazzo marked this conversation as resolved.
Outdated
const dif = Date.now() - ts;
return Math.round((dif / 1000) / 60);
};

const notAllowed = () => {
throw new Error('error-action-not-allowed');
};

export const canDeleteMessageAsync = async (uid, { u, rid, ts }) => {
const forceDelete = await hasPermissionAsync(uid, 'force-delete-message', rid);

if (forceDelete) {
return true;
}
const deleteAllowed = await getValue('Message_AllowDeleting');

if (!deleteAllowed) {
return notAllowed();
}

const allowedToDeleteAny = await hasPermissionAsync(uid, 'delete-message', rid);

const allowed = allowedToDeleteAny || (uid === u._id && await hasPermissionAsync(uid, 'delete-own-message'));
if (!allowed) {
return notAllowed();
}
const blockDeleteInMinutes = await getValue('Message_AllowDeleting_BlockDeleteInMinutes');

if (!blockDeleteInMinutes) {
return true;
}

if (ts == null) {
return notAllowed();
}

const currentTsDiff = diff(ts);
if (currentTsDiff > blockDeleteInMinutes) {
throw new Error('error-message-deleting-blocked', 'Message deleting is blocked', {
method: 'deleteMessage',
});
}
};

export const canDeleteMessage = (uid, { u, rid, ts }) => Promise.await(canDeleteMessageAsync(uid, { u, rid, ts }));
1 change: 1 addition & 0 deletions app/authorization/server/startup.js
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ Meteor.startup(function() {
{ _id: 'delete-c', roles: ['admin', 'owner'] },
{ _id: 'delete-d', roles: ['admin'] },
{ _id: 'delete-message', roles: ['admin', 'owner', 'moderator'] },
{ _id: 'delete-own-message', roles: ['admin', 'user'] },
{ _id: 'delete-p', roles: ['admin', 'owner'] },
{ _id: 'delete-user', roles: ['admin'] },
{ _id: 'edit-message', roles: ['admin', 'owner', 'moderator'] },
Expand Down
44 changes: 16 additions & 28 deletions app/lib/server/methods/deleteMessage.js
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
import { Meteor } from 'meteor/meteor';
import { Match, check } from 'meteor/check';
import moment from 'moment';

import { hasPermission } from '../../../authorization';
import { settings } from '../../../settings';
import { canDeleteMessage } from '../../../authorization/server/functions/canDeleteMessage';
import { Messages } from '../../../models';
import { deleteMessage } from '../functions';

Expand All @@ -12,11 +10,15 @@ Meteor.methods({
check(message, Match.ObjectIncluding({
_id: String,
}));
if (!Meteor.userId()) {

const uid = Meteor.userId();

if (!uid) {
throw new Meteor.Error('error-invalid-user', 'Invalid user', {
method: 'deleteMessage',
});
}

const originalMessage = Messages.findOneById(message._id, {
fields: {
u: 1,
Expand All @@ -25,38 +27,24 @@ Meteor.methods({
ts: 1,
},
});
if (originalMessage == null) {

if (!originalMessage) {
throw new Meteor.Error('error-action-not-allowed', 'Not allowed', {
method: 'deleteMessage',
action: 'Delete_message',
});
}
const forceDelete = hasPermission(Meteor.userId(), 'force-delete-message', originalMessage.rid);
const _hasPermission = hasPermission(Meteor.userId(), 'delete-message', originalMessage.rid);
const deleteAllowed = settings.get('Message_AllowDeleting');
const deleteOwn = originalMessage && originalMessage.u && originalMessage.u._id === Meteor.userId();
if (!(_hasPermission || (deleteAllowed && deleteOwn)) && !forceDelete) {
throw new Meteor.Error('error-action-not-allowed', 'Not allowed', {

try {
if (!canDeleteMessage(uid, originalMessage)) {
return;
}
return deleteMessage(originalMessage, Meteor.user());
} catch (error) {
throw new Meteor.Error('Not allowed', {
method: 'deleteMessage',
action: 'Delete_message',
});
}
const blockDeleteInMinutes = settings.get('Message_AllowDeleting_BlockDeleteInMinutes');
if (blockDeleteInMinutes != null && blockDeleteInMinutes !== 0 && !forceDelete) {
if (originalMessage.ts == null) {
return;
}
const msgTs = moment(originalMessage.ts);
if (msgTs == null) {
return;
}
const currentTsDiff = moment().diff(msgTs, 'minutes');
if (currentTsDiff > blockDeleteInMinutes) {
throw new Meteor.Error('error-message-deleting-blocked', 'Message deleting is blocked', {
method: 'deleteMessage',
});
}
}
return deleteMessage(originalMessage, Meteor.user());
},
});
1 change: 1 addition & 0 deletions app/ui-utils/client/lib/messageContext.js
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ export function messageContext({ rid } = Template.instance()) {
showreply: true,
showReplyButton: true,
hasPermissionDeleteMessage: hasPermission('delete-message', rid),
hasPermissionDeleteOwnMessage: hasPermission('delete-own-message'),

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this being used somewhere?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not yet, but hasPermissionDeleteMessage is not being used too, I just passing the context, and maybe after I could improve some stuffs.

hideRoles: !settings.get('UI_DisplayRoles') || getUserPreference(uid, 'hideRoles'),
UI_Use_Real_Name: settings.get('UI_Use_Real_Name'),
Chatops_Username: settings.get('Chatops_Username'),
Expand Down
8 changes: 2 additions & 6 deletions app/ui/client/lib/chatMessages.js
Original file line number Diff line number Diff line change
Expand Up @@ -493,12 +493,8 @@ export class ChatMessages {
}
}

try {
await call('deleteMessage', { _id });
} catch (error) {
console.error(error);
handleError(error);
}

await call('deleteMessage', { _id });
}

keydown(event) {
Expand Down
11 changes: 6 additions & 5 deletions app/utils/client/lib/canDeleteMessage.js
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
import { Meteor } from 'meteor/meteor';
import moment from 'moment';

import { hasAtLeastOnePermission } from '../../../authorization/client';
import { hasPermission } from '../../../authorization/client';
import { settings } from '../../../settings/client';

export const canDeleteMessage = ({ rid, ts, uid }) => {
const userId = Meteor.userId();

const forceDelete = hasAtLeastOnePermission('force-delete-message', rid);
const forceDelete = hasPermission('force-delete-message', rid);
if (forceDelete) {
return true;
}
Expand All @@ -17,9 +17,10 @@ export const canDeleteMessage = ({ rid, ts, uid }) => {
return false;
}

const hasPermission = hasAtLeastOnePermission('delete-message', rid);
const deleteOwn = uid === userId;
if (!hasPermission && !deleteOwn) {
const allowed = hasPermission('delete-message', rid);

const deleteOwn = allowed || (uid === userId && hasPermission('delete-own-message'));
Comment thread
ggazzo marked this conversation as resolved.
if (!allowed && !deleteOwn) {
return false;
}

Expand Down