Diffstat (limited to 'src/server/api/endpoints/notes/delete.ts')
-rw-r--r--src/server/api/endpoints/notes/delete.ts11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/server/api/endpoints/notes/delete.ts b/src/server/api/endpoints/notes/delete.ts
index 6d9826cf7b..2fe36897c0 100644
--- a/src/server/api/endpoints/notes/delete.ts
+++ b/src/server/api/endpoints/notes/delete.ts
@@ -1,7 +1,7 @@
import $ from 'cafy'; import ID from '../../../../misc/cafy-id';
import Note from '../../../../models/note';
import deleteNote from '../../../../services/note/delete';
-import { ILocalUser } from '../../../../models/user';
+import User, { ILocalUser } from '../../../../models/user';
export const meta = {
desc: {
@@ -21,15 +21,18 @@ export default (params: any, user: ILocalUser) => new Promise(async (res, rej) =
// Fetch note
const note = await Note.findOne({
- _id: noteId,
- userId: user._id
+ _id: noteId
});
if (note === null) {
return rej('note not found');
}
- await deleteNote(user, note);
+ if (!user.isAdmin && !note.userId.equals(user._id)) {
+ return rej('access denied');
+ }
+
+ await deleteNote(await User.findOne({ _id: note.userId }), note);
res();
});
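Review bot: The result of `User.findOne({ _id: note.userId })` on the last added line goes straight into `deleteNote` without a null check, so an admin deleting a note whose author record no longer exists would pass `null` to the service. Resolve the author first and reject when it is missing, e.g. `const author = note.userId.equals(user._id) ? user : await User.findOne({ _id: note.userId });` followed by `if (author === null) return rej('user not found');`, which also skips the second lookup when the caller is the owner. Separately, the new `'access denied'` reply lets any authenticated caller tell an existing note id from a missing one, which the old owner-scoped query did not allow; returning `'note not found'` in both cases would keep that property. Since admins can now delete other users' notes here, a moderation log entry recording the admin and the note id would be worth adding if the project has such a log (none is visible in this hunk). The handler begins before this hunk, so parameter validation is not shown.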