[PLUGIN][DeleteNote] Ensure permissions properly
This commit is contained in:
parent
5c2b46a71d
commit
b7c82b9dcb
@ -30,6 +30,7 @@ use App\Core\Router\Router;
|
||||
use App\Entity\Activity;
|
||||
use App\Entity\Actor;
|
||||
use App\Entity\Note;
|
||||
use App\Util\Common;
|
||||
use App\Util\Exception\ClientException;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
@ -48,9 +49,8 @@ class DeleteNote extends NoteHandlerPlugin
|
||||
{
|
||||
private static function undertaker(Actor $actor, Note $note): Activity
|
||||
{
|
||||
// Only let the original actor delete it
|
||||
// TODO: Let actors of appropriate role do this as well
|
||||
if ($note->getActor()->getId() !== $actor->getId()) {
|
||||
// Check permissions
|
||||
if (!$actor->canAdmin($note->getActor())) {
|
||||
throw new ClientException(_m('You don\'t have permissions to delete this note.'), 401);
|
||||
}
|
||||
|
||||
@ -82,8 +82,13 @@ class DeleteNote extends NoteHandlerPlugin
|
||||
|
||||
public function onAddExtraNoteActions(Request $request, Note $note, array &$actions)
|
||||
{
|
||||
if (\is_null($actor = Common::actor())) {
|
||||
return Event::next;
|
||||
}
|
||||
// Only add action if note wasn't already deleted!
|
||||
if (\is_null(DB::findOneBy(Activity::class, ['verb' => 'delete', 'object_type' => 'note', 'object_id' => $note->getId()], return_null: true))) {
|
||||
if (\is_null(DB::findOneBy(Activity::class, ['verb' => 'delete', 'object_type' => 'note', 'object_id' => $note->getId()], return_null: true))
|
||||
// And has permissions
|
||||
&& $actor->canAdmin($note->getActor())) {
|
||||
$delete_action_url = Router::url('delete_note_action', ['note_id' => $note->getId()]);
|
||||
$query_string = $request->getQueryString();
|
||||
$delete_action_url .= '?from=' . mb_substr($query_string, 2);
|
||||
|
Loading…
Reference in New Issue
Block a user