summaryrefslogtreecommitdiffstats
path: root/api4
diff options
context:
space:
mode:
Diffstat (limited to 'api4')
-rw-r--r--api4/post.go41
1 files changed, 35 insertions, 6 deletions
diff --git a/api4/post.go b/api4/post.go
index 189edfc20..b4392a74e 100644
--- a/api4/post.go
+++ b/api4/post.go
@@ -246,11 +246,24 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !c.App.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_DELETE_OTHERS_POSTS) {
- c.SetPermissionError(model.PERMISSION_DELETE_OTHERS_POSTS)
+ post, err := c.App.GetSinglePost(c.Params.PostId)
+ if err != nil {
+ c.SetPermissionError(model.PERMISSION_DELETE_POST)
return
}
+ if c.Session.UserId == post.UserId {
+ if !c.App.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_DELETE_POST) {
+ c.SetPermissionError(model.PERMISSION_DELETE_POST)
+ return
+ }
+ } else {
+ if !c.App.SessionHasPermissionToChannel(c.Session, post.ChannelId, model.PERMISSION_DELETE_OTHERS_POSTS) {
+ c.SetPermissionError(model.PERMISSION_DELETE_OTHERS_POSTS)
+ return
+ }
+ }
+
if _, err := c.App.DeletePost(c.Params.PostId); err != nil {
c.Err = err
return
@@ -364,11 +377,19 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !c.App.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
- c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
+ originalPost, err := c.App.GetSinglePost(c.Params.PostId)
+ if err != nil {
+ c.SetPermissionError(model.PERMISSION_EDIT_POST)
return
}
+ if c.Session.UserId != originalPost.UserId {
+ if !c.App.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
+ return
+ }
+ }
+
post.Id = c.Params.PostId
rpost, err := c.App.UpdatePost(c.App.PostWithProxyRemovedFromImageURLs(post), false)
@@ -398,11 +419,19 @@ func patchPost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !c.App.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
- c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
+ originalPost, err := c.App.GetSinglePost(c.Params.PostId)
+ if err != nil {
+ c.SetPermissionError(model.PERMISSION_EDIT_POST)
return
}
+ if c.Session.UserId != originalPost.UserId {
+ if !c.App.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
+ return
+ }
+ }
+
patchedPost, err := c.App.PatchPost(c.Params.PostId, c.App.PostPatchWithProxyRemovedFromImageURLs(post))
if err != nil {
c.Err = err
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-05-20 08:48:46 +0000