Make admin can delete any note

author: syuilo <syuilotan@yahoo.co.jp> 2018-09-19 17:29:03 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2018-09-19 17:29:03 +0900
commit: faf29b768f0d774401b234a40eb227bf33cbe034 (patch)
tree: 655556765848e62e32da76b89514f1464800dd39 /src/server
parent: 8.56.0 (diff)
download: sharkey-faf29b768f0d774401b234a40eb227bf33cbe034.tar.gz
sharkey-faf29b768f0d774401b234a40eb227bf33cbe034.tar.bz2
sharkey-faf29b768f0d774401b234a40eb227bf33cbe034.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/src/server/api/endpoints/notes/delete.ts b/src/server/api/endpoints/notes/delete.ts
index 6d9826cf7b..741a8a1dc0 100644
--- a/src/server/api/endpoints/notes/delete.ts
+++ b/src/server/api/endpoints/notes/delete.ts
@@ -21,14 +21,17 @@ export default (params: any, user: ILocalUser) => new Promise(async (res, rej) =
 
 	// Fetch note
 	const note = await Note.findOne({
-		_id: noteId,
-		userId: user._id
+		_id: noteId
 	});
 
 	if (note === null) {
 		return rej('note not found');
 	}
 
+	if (!user.isAdmin && !note.userId.equals(user._id)) {
+		return rej('access denied');
+	}
+
 	await deleteNote(user, note);
 
 	res();
author	syuilo <syuilotan@yahoo.co.jp>	2018-09-19 17:29:03 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2018-09-19 17:29:03 +0900
commit	faf29b768f0d774401b234a40eb227bf33cbe034 (patch)
tree	655556765848e62e32da76b89514f1464800dd39 /src/server
parent	8.56.0 (diff)
download	sharkey-faf29b768f0d774401b234a40eb227bf33cbe034.tar.gz sharkey-faf29b768f0d774401b234a40eb227bf33cbe034.tar.bz2 sharkey-faf29b768f0d774401b234a40eb227bf33cbe034.zip