From faf29b768f0d774401b234a40eb227bf33cbe034 Mon Sep 17 00:00:00 2001 From: syuilo Date: Wed, 19 Sep 2018 17:29:03 +0900 Subject: Make admin can delete any note --- src/server/api/endpoints/notes/delete.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'src/server/api/endpoints/notes/delete.ts') diff --git a/src/server/api/endpoints/notes/delete.ts b/src/server/api/endpoints/notes/delete.ts index 6d9826cf7b..741a8a1dc0 100644 --- a/src/server/api/endpoints/notes/delete.ts +++ b/src/server/api/endpoints/notes/delete.ts @@ -21,14 +21,17 @@ export default (params: any, user: ILocalUser) => new Promise(async (res, rej) = // Fetch note const note = await Note.findOne({ - _id: noteId, - userId: user._id + _id: noteId }); if (note === null) { return rej('note not found'); } + if (!user.isAdmin && !note.userId.equals(user._id)) { + return rej('access denied'); + } + await deleteNote(user, note); res(); -- cgit v1.2.3-freya From ecc235c545542c4083566d074a97ba0e97da701d Mon Sep 17 00:00:00 2001 From: syuilo Date: Fri, 21 Sep 2018 16:43:46 +0900 Subject: Fix bug --- src/server/api/endpoints/notes/delete.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/server/api/endpoints/notes/delete.ts') diff --git a/src/server/api/endpoints/notes/delete.ts b/src/server/api/endpoints/notes/delete.ts index 741a8a1dc0..2fe36897c0 100644 --- a/src/server/api/endpoints/notes/delete.ts +++ b/src/server/api/endpoints/notes/delete.ts @@ -1,7 +1,7 @@ import $ from 'cafy'; import ID from '../../../../misc/cafy-id'; import Note from '../../../../models/note'; import deleteNote from '../../../../services/note/delete'; -import { ILocalUser } from '../../../../models/user'; +import User, { ILocalUser } from '../../../../models/user'; export const meta = { desc: { 
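Review bot: The admin branch of the new check (`!user.isAdmin && !note.userId.equals(user._id)`) lets a privileged account delete another user's note, and nothing visible in this hunk records who performed that deletion. A privileged override like this should leave an audit trail, so I would add a step before `deleteNote` for the case `user.isAdmin && !note.userId.equals(user._id)`, marked with a comment such as `// admin override: record acting admin id, note id and owner id before deleting`. If this endpoint can also be called with third-party app tokens (not visible here), an admin's token with ordinary note-write permission would inherit the override, so the admin path may deserve a stricter credential check. The handler starts before this hunk and the parameter validation is not shown.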
@@ -32,7 +32,7 @@ export default (params: any, user: ILocalUser) => new Promise(async (res, rej) = return rej('access denied'); } - await deleteNote(user, note); + await deleteNote(await User.findOne({ _id: note.userId }), note); res(); }); -- cgit v1.2.3-freya
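Review bot: `User.findOne({ _id: note.userId })` is passed straight into `deleteNote` without a null check, although the same handler already treats a `null` result from `Note.findOne` as "not found". If the owner's user document is missing, the service receives `null` and will most likely throw inside the `async` promise executor, where neither `res` nor `rej` is called. I would resolve the owner first and fail explicitly: `const owner = note.userId.equals(user._id) ? user : await User.findOne({ _id: note.userId });`, then `if (owner === null) return rej('user not found');`, then `await deleteNote(owner, note);`. This also avoids the extra query when the caller is the owner. The handler's opening lines are outside this hunk.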