[Client] Resolve #3658

author: syuilo <syuilotan@yahoo.co.jp> 2018-12-19 00:57:28 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2018-12-19 00:57:28 +0900
commit: 7f77517fc80f43253a33055b64d30e6d7b751dfd (patch)
tree: f4ce4b91c0cc3873c8f396df4cfdbf8fb649388e /src/server/api/endpoints/drive/files
parent: [Client] Fix #3657 (diff)
download: sharkey-7f77517fc80f43253a33055b64d30e6d7b751dfd.tar.gz
sharkey-7f77517fc80f43253a33055b64d30e6d7b751dfd.tar.bz2
sharkey-7f77517fc80f43253a33055b64d30e6d7b751dfd.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/src/server/api/endpoints/drive/files/update.ts b/src/server/api/endpoints/drive/files/update.ts
index 7f9eb7bad3..a17ff2bf34 100644
--- a/src/server/api/endpoints/drive/files/update.ts
+++ b/src/server/api/endpoints/drive/files/update.ts
@@ -57,14 +57,17 @@ export default define(meta, (ps, user) => new Promise(async (res, rej) => {
 	// Fetch file
 	const file = await DriveFile
 		.findOne({
-			_id: ps.fileId,
-			'metadata.userId': user._id
+			_id: ps.fileId
 		});
 
 	if (file === null) {
 		return rej('file-not-found');
 	}
 
+	if (!user.isAdmin && !user.isModerator && !file.metadata.userId.equals(user._id)) {
+		return rej('access denied');
+	}
+
 	if (ps.name) file.filename = ps.name;
 
 	if (ps.isSensitive !== undefined) file.metadata.isSensitive = ps.isSensitive;
author	syuilo <syuilotan@yahoo.co.jp>	2018-12-19 00:57:28 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2018-12-19 00:57:28 +0900
commit	7f77517fc80f43253a33055b64d30e6d7b751dfd (patch)
tree	f4ce4b91c0cc3873c8f396df4cfdbf8fb649388e /src/server/api/endpoints/drive/files
parent	[Client] Fix #3657 (diff)
download	sharkey-7f77517fc80f43253a33055b64d30e6d7b751dfd.tar.gz sharkey-7f77517fc80f43253a33055b64d30e6d7b751dfd.tar.bz2 sharkey-7f77517fc80f43253a33055b64d30e6d7b751dfd.zip