2 files changed, 22 insertions, 6 deletions

diff --git a/src/client/app/admin/views/drive.vue b/src/client/app/admin/views/drive.vue
index c3a3a40644..0ebb50fb92 100644
--- a/src/client/app/admin/views/drive.vue
+++ b/src/client/app/admin/views/drive.vue
@@ -39,7 +39,11 @@
 						</div>
 					</div>
 					<div v-show="file._open">
-						<ui-button @click="del(file)"><fa :icon="faTrashAlt"/> {{ $t('delete') }}</ui-button>
+						<ui-horizon-group>
+							<ui-button @click="toggleSensitive(file)" v-if="file.isSensitive"><fa :icon="faEye"/> {{ $t('unmark-as-sensitive') }}</ui-button>
+							<ui-button @click="toggleSensitive(file)" v-else><fa :icon="faEyeSlash"/> {{ $t('mark-as-sensitive') }}</ui-button>
+							<ui-button @click="del(file)"><fa :icon="faTrashAlt"/> {{ $t('delete') }}</ui-button>
+						</ui-horizon-group>
 					</div>
 				</div>
 			</sequential-entrance>
@@ -53,7 +57,7 @@
 import Vue from 'vue';
 import i18n from '../../i18n';
 import { faCloud } from '@fortawesome/free-solid-svg-icons';
-import { faTrashAlt } from '@fortawesome/free-regular-svg-icons';
+import { faTrashAlt, faEye, faEyeSlash } from '@fortawesome/free-regular-svg-icons';
 
 export default Vue.extend({
 	i18n: i18n('admin/views/drive.vue'),
@@ -66,7 +70,7 @@ export default Vue.extend({
 			offset: 0,
 			files: [],
 			existMore: false,
-			faCloud, faTrashAlt
+			faCloud, faTrashAlt, faEye, faEyeSlash
 		};
 	},
 
@@ -132,7 +136,16 @@ export default Vue.extend({
 					text: e.toString()
 				});
 			});
-		}
+		},
+
+		toggleSensitive(file: any) {
+			this.$root.api('drive/files/update', {
+				fileId: file.id,
+				isSensitive: !file.isSensitive
+			});
+
+			file.isSensitive = !file.isSensitive;
+		},
 	}
 });
 </script>
diff --git a/src/server/api/endpoints/drive/files/update.ts b/src/server/api/endpoints/drive/files/update.ts
index 7f9eb7bad3..a17ff2bf34 100644
--- a/src/server/api/endpoints/drive/files/update.ts
+++ b/src/server/api/endpoints/drive/files/update.ts
@@ -57,14 +57,17 @@ export default define(meta, (ps, user) => new Promise(async (res, rej) => {
 	// Fetch file
 	const file = await DriveFile
 		.findOne({
-			_id: ps.fileId,
-			'metadata.userId': user._id
+			_id: ps.fileId
 		});
 
 	if (file === null) {
 		return rej('file-not-found');
 	}
 
+	if (!user.isAdmin && !user.isModerator && !file.metadata.userId.equals(user._id)) {
+		return rej('access denied');
+	}
+
 	if (ps.name) file.filename = ps.name;
 
 	if (ps.isSensitive !== undefined) file.metadata.isSensitive = ps.isSensitive;