[PLUGIN][DeleteNote] Ensure permissions properly

This commit is contained in:
Diogo Peralta Cordeiro 2021-12-28 14:40:34 +00:00
parent 5c2b46a71d
commit b7c82b9dcb
No known key found for this signature in database
GPG Key ID: 18D2D35001FBFAB0

View File

@ -30,6 +30,7 @@ use App\Core\Router\Router;
use App\Entity\Activity;
use App\Entity\Actor;
use App\Entity\Note;
use App\Util\Common;
use App\Util\Exception\ClientException;
use Symfony\Component\HttpFoundation\Request;
@ -48,9 +49,8 @@ class DeleteNote extends NoteHandlerPlugin
{
private static function undertaker(Actor $actor, Note $note): Activity
{
// Only let the original actor delete it
// TODO: Let actors of appropriate role do this as well
if ($note->getActor()->getId() !== $actor->getId()) {
// Check permissions
if (!$actor->canAdmin($note->getActor())) {
throw new ClientException(_m('You don\'t have permissions to delete this note.'), 401);
}
@ -82,8 +82,13 @@ class DeleteNote extends NoteHandlerPlugin
public function onAddExtraNoteActions(Request $request, Note $note, array &$actions)
{
if (\is_null($actor = Common::actor())) {
return Event::next;
}
// Only add action if note wasn't already deleted!
if (\is_null(DB::findOneBy(Activity::class, ['verb' => 'delete', 'object_type' => 'note', 'object_id' => $note->getId()], return_null: true))) {
if (\is_null(DB::findOneBy(Activity::class, ['verb' => 'delete', 'object_type' => 'note', 'object_id' => $note->getId()], return_null: true))
// And has permissions
&& $actor->canAdmin($note->getActor())) {
$delete_action_url = Router::url('delete_note_action', ['note_id' => $note->getId()]);
$query_string = $request->getQueryString();
$delete_action_url .= '?from=' . mb_substr($query_string, 2);