Merge pull request #621 from geekgonecrazy/permission-checks

Added checks to updateMessage and deleteMessage

Author: engelgabriel

server/methods/deleteMessage.coffee

@@ -6,6 +6,10 @@ Meteor.methods
 		if not RocketChat.settings.get 'Message_AllowDeleting'
 			throw new Meteor.Error 'message-deleting-not-allowed', "[methods] updateMessage -> Message deleting not allowed"
 
+		user = Meteor.users.findOne Meteor.userId()
+
+		unless user?.admin is true or message.u._id is Meteor.userId()
+			throw new Meteor.Error 'not-authorized', '[methods] deleteMessage -> Not authorized'
 
 		console.log '[methods] deleteMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments
 
@@ -25,7 +29,7 @@ Meteor.methods
 					_id: message._id
 					'u._id': Meteor.userId()
 				,
-					$set: 
+					$set:
 						_hidden: true
 
 		else
@@ -39,7 +43,7 @@ Meteor.methods
 				_id: message._id
 				'u._id': Meteor.userId()
 			,
-				$set: 
+				$set:
 					msg: ''
 					t: 'rm'
 					ets: new Date()

server/methods/updateMessage.coffee

@@ -6,6 +6,11 @@ Meteor.methods
 		if not RocketChat.settings.get 'Message_AllowEditing'
 			throw new Meteor.Error 'message-editing-not-allowed', "[methods] updateMessage -> Message editing not allowed"
 
+		user = Meteor.users.findOne Meteor.userId()	
+
+		unless user?.admin is true or message.u._id is Meteor.userId()
+			throw new Meteor.Error 'not-authorized', '[methods] updateMessage -> Not authorized'
+
 		console.log '[methods] updateMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments
 
 		# If we keep history of edits, insert a new message to store history information
@@ -31,4 +36,4 @@ Meteor.methods
 			$set: message
 
 		# Meteor.defer ->
-		# 	RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)
+		# 	RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)