diff --git a/server/methods/deleteMessage.coffee b/server/methods/deleteMessage.coffee
index f440c41edfba..2ad455583626 100644
--- a/server/methods/deleteMessage.coffee
+++ b/server/methods/deleteMessage.coffee
@@ -6,6 +6,10 @@ Meteor.methods
 if not RocketChat.settings.get 'Message_AllowDeleting'
 throw new Meteor.Error 'message-deleting-not-allowed', "[methods] updateMessage -> Message deleting not allowed"
+ user = Meteor.users.findOne Meteor.userId()
+
+ unless user?.admin is true or message.u._id is Meteor.userId()
+ throw new Meteor.Error 'not-authorized', '[methods] deleteMessage -> Not authorized'
 console.log '[methods] deleteMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments
@@ -25,7 +29,7 @@ Meteor.methods
 _id: message._id
 'u._id': Meteor.userId()
 ,
- $set:
+ $set:
 _hidden: true
 else
@@ -39,7 +43,7 @@ Meteor.methods
 _id: message._id
 'u._id': Meteor.userId()
 ,
- $set:
+ $set:
 msg: ''
 t: 'rm'
 ets: new Date()
diff --git a/server/methods/updateMessage.coffee b/server/methods/updateMessage.coffee
index dffe9ea5a491..2db3f603664b 100644
--- a/server/methods/updateMessage.coffee
+++ b/server/methods/updateMessage.coffee
@@ -6,6 +6,11 @@ Meteor.methods
 if not RocketChat.settings.get 'Message_AllowEditing'
 throw new Meteor.Error 'message-editing-not-allowed', "[methods] updateMessage -> Message editing not allowed"
+ user = Meteor.users.findOne Meteor.userId()
+
+ unless user?.admin is true or message.u._id is Meteor.userId()
+ throw new Meteor.Error 'not-authorized', '[methods] updateMessage -> Not authorized'
+
 console.log '[methods] updateMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments
 # If we keep history of edits, insert a new message to store history information
@@ -31,4 +36,4 @@ Meteor.methods
 $set: message
 # Meteor.defer ->
- # RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)
\ No newline at end of file
+ # RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)
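Review bot: The new authorization check in deleteMessage (and the identical one in the first updateMessage hunk) decides ownership from `message.u._id`, which is taken from the client-supplied method argument rather than from the stored message, so a caller can place their own id in `message.u._id` while pointing `message._id` at another user's message and the check passes. Resolve ownership against the persisted document instead, e.g. `original = ChatMessage.findOne message._id` followed by `unless user?.admin is true or original?.u?._id is Meteor.userId()`, and reject when no document is found; the optional chaining also avoids a raw TypeError when the argument lacks `u`. In deleteMessage the two updates further down still select on `'u._id': Meteor.userId()` (hunks at -25 and -39), so the admin branch appears to be a no-op for other users' messages unless that selector is adjusted outside this diff. The enclosing method body starts before and ends after the hunk.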