From ebceffba1eb3d762fe164a10ee58fc78547a0a27 Mon Sep 17 00:00:00 2001
From: syuilo
Date: Sat, 15 Dec 2018 00:09:04 +0900
Subject: Resolve #2165
---
 src/server/api/endpoints/drive/files/delete.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'src/server/api/endpoints/drive')
diff --git a/src/server/api/endpoints/drive/files/delete.ts b/src/server/api/endpoints/drive/files/delete.ts
index 7367c8fbb6..0c2799c708 100644
--- a/src/server/api/endpoints/drive/files/delete.ts
+++ b/src/server/api/endpoints/drive/files/delete.ts
@@ -32,14 +32,17 @@ export default define(meta, (ps, user) => new Promise(async (res, rej) => {
 // Fetch file
 const file = await DriveFile
 .findOne({
- _id: ps.fileId,
- 'metadata.userId': user._id
+ _id: ps.fileId
 });
 if (file === null) {
 return rej('file-not-found');
 }
+ if (!user.isAdmin && !user.isModerator && !file.metadata.userId.equals(user._id)) {
+ return rej('access denied');
+ }
+
 // Delete
 await del(file);
-- 
cgit v1.2.3-freya
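Review bot: The new ownership branch answers a non-owner with `'access denied'` while an unknown id still gets `'file-not-found'`, so an ordinary user can now tell which drive file ids exist; with the owner filter in the old query the two cases were indistinguishable. Using `return rej('file-not-found');` in the new branch keeps admin/moderator deletion working without that signal, and avoids a second error-string style next to the existing kebab-case code. The check also dereferences `file.metadata.userId` unconditionally for non-privileged callers; if any stored file can lack an owner (not visible here), `.equals` would throw inside the `async` promise executor and the request would never settle, so the last operand is safer as `(!file.metadata.userId || !file.metadata.userId.equals(user._id))`. The handler starts in the hunk header and continues past the end of the hunk, so whether privileged deletions of another user's file are logged in `del` or below cannot be confirmed from here.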