Diffstat (limited to 'api4')
-rw-r--r--api4/post.go14
-rw-r--r--api4/post_test.go13
2 files changed, 25 insertions, 2 deletions
diff --git a/api4/post.go b/api4/post.go
index 67cd325d9..5cbfeae92 100644
--- a/api4/post.go
+++ b/api4/post.go
@@ -238,9 +238,14 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- post.UserId = c.Session.UserId
+ if !app.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
+ return
+ }
+
+ post.Id = c.Params.PostId
- rpost, err := app.UpdatePost(post)
+ rpost, err := app.UpdatePost(post, false)
if err != nil {
c.Err = err
return
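Review bot: With `post.UserId = c.Session.UserId` removed, `post.Id` is the only field of the decoded request body that is pinned before `app.UpdatePost(post, false)`, so a client-supplied `UserId` (and every other body field) now reaches the app layer unchanged. Whether UpdatePost copies only the editable fields onto the stored post is not visible in this hunk; if it does not, a caller holding PERMISSION_EDIT_OTHERS_POSTS could change the recorded author, so that should be enforced there. If it is already enforced, a comment here such as `// body UserId is ignored: app.UpdatePost keeps the stored author` would record it. The bare `false` is unreadable at the call site and deserves a short comment naming the parameter. updatePost begins and ends outside the hunk.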
@@ -262,6 +267,11 @@ func patchPost(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if !app.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_POST) {
+ c.SetPermissionError(model.PERMISSION_EDIT_POST)
+ return
+ }
+
if !app.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
return
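Review bot: The channel-level `PERMISSION_EDIT_POST` guard added to patchPost has no visible counterpart in updatePost, whose hunk in this commit shows only the `PERMISSION_EDIT_OTHERS_POSTS` check. Unless that guard sits above the updatePost hunk, the two edit endpoints now enforce different rules, and a client refused by PATCH may still be accepted by PUT. I would add the same `app.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_POST)` guard to updatePost, or move both checks into one helper that both handlers call. A one-line comment above the pair stating why the channel check precedes the post check would also help. patchPost's body continues outside the hunk.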
diff --git a/api4/post_test.go b/api4/post_test.go
index 562136ca9..e5c72ae9e 100644
--- a/api4/post_test.go
+++ b/api4/post_test.go
@@ -167,6 +167,15 @@ func TestUpdatePost(t *testing.T) {
Client.Logout()
_, resp = Client.UpdatePost(rpost.Id, rpost)
CheckUnauthorizedStatus(t, resp)
+
+ th.LoginBasic2()
+ _, resp = Client.UpdatePost(rpost.Id, rpost)
+ CheckForbiddenStatus(t, resp)
+
+ Client.Logout()
+
+ _, resp = th.SystemAdminClient.UpdatePost(rpost.Id, rpost)
+ CheckNoError(t, resp)
}
func TestPatchPost(t *testing.T) {
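Review bot: The system-admin case only checks that the call succeeds and discards the returned post, so it does not cover what removing the `post.UserId = c.Session.UserId` override changes: who is recorded as author after someone else edits the post. Keeping the result and asserting the author is unchanged would pin that down, e.g. `up, resp := th.SystemAdminClient.UpdatePost(rpost.Id, rpost)` followed by `if up.UserId != rpost.UserId { t.Fatal("author changed by admin edit") }`, assuming rpost still carries the original author's id at this point. TestUpdatePost begins outside the hunk.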
@@ -262,6 +271,10 @@ func TestPatchPost(t *testing.T) {
_, resp = Client.PatchPost(post.Id, patch)
CheckUnauthorizedStatus(t, resp)
+ th.LoginBasic2()
+ _, resp = Client.PatchPost(post.Id, patch)
+ CheckForbiddenStatus(t, resp)
+
th.LoginTeamAdmin()
_, resp = Client.PatchPost(post.Id, patch)
CheckNoError(t, resp)
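Review bot: The new `CheckForbiddenStatus` case does not show which guard rejects the second basic user: the channel-level `PERMISSION_EDIT_POST` check this commit adds, or the `PERMISSION_EDIT_OTHERS_POSTS` check that was already there. If that user is a member of the post's channel (not visible here), the 403 comes from the older check and the new guard is untested. The new guard is only distinguishable with a caller who passes the post-level check but lacks the channel permission, so a case of that shape, or a comment stating which guard is being exercised, would make the coverage explicit. TestPatchPost begins and ends outside the hunk.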