From 97de1d0982ddb4818f5e41527f4d7da2234e829f Mon Sep 17 00:00:00 2001
From: Joram Wilander <jwawilander@gmail.com>
Date: Tue, 4 Apr 2017 15:17:47 -0400
Subject: Fix blanking out of FileIds and backwards compatability issue with v3
 (#5950)

---
 api4/post.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'api4/post.go')

diff --git a/api4/post.go b/api4/post.go
index 67cd325d9..5cbfeae92 100644
--- a/api4/post.go
+++ b/api4/post.go
@@ -238,9 +238,14 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	post.UserId = c.Session.UserId
+	if !app.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
+		c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
+		return
+	}
+
+	post.Id = c.Params.PostId
 
-	rpost, err := app.UpdatePost(post)
+	rpost, err := app.UpdatePost(post, false)
 	if err != nil {
 		c.Err = err
 		return
@@ -262,6 +267,11 @@ func patchPost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_POST) {
+		c.SetPermissionError(model.PERMISSION_EDIT_POST)
+		return
+	}
+
 	if !app.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
 		c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
 		return
-- 
cgit v1.2.3-1-g7c22