author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2021-03-04 16:34:17 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-04 16:34:17 +0300 |
commit | 582656131472788b419d948bcc05032180fb184f (patch) | |
tree | 900039c2538cf8d1d05a33a5b88e584d223102b7 | |
parent | 59f4f69ba5916e78a3f82377c64691a1737038b3 (diff) | |
parent | 6cbe15c503058c9ef3a0525f0d9d6612fa354a88 (diff) |
Merge pull request #5313 from nextcloud/backport/5310/stable21
[stable21] don't allow to delete other persons chats in 1-1 chats
-rw-r--r-- | lib/Controller/ChatController.php | 8 | ||||
-rw-r--r-- | src/components/MessagesList/MessagesGroup/Message/Message.vue | 7 | ||||
-rw-r--r-- | tests/integration/features/chat/delete.feature | 31 |
3 files changed, 40 insertions, 6 deletions
diff --git a/lib/Controller/ChatController.php b/lib/Controller/ChatController.php
index 49257cbca..f8e0f19a6 100644
--- a/lib/Controller/ChatController.php
+++ b/lib/Controller/ChatController.php
@@ -563,9 +563,11 @@ class ChatController extends AEnvironmentAwareController {
 }
 $attendee = $this->participant->getAttendee();
- if (!$this->participant->hasModeratorPermissions(false)
- && ($message->getActorType() !== $attendee->getActorType()
- || $message->getActorId() !== $attendee->getActorId())) {
+ $isOwnMessage = $message->getActorType() === $attendee->getActorType()
+ && $message->getActorId() === $attendee->getActorId();
+ if (!$isOwnMessage
+ && (!$this->participant->hasModeratorPermissions(false)
+ || $this->room->getType() === Room::ONE_TO_ONE_CALL)) {
 // Actor is not a moderator or not the owner of the message
 return new DataResponse([], Http::STATUS_FORBIDDEN);
 }
diff --git a/src/components/MessagesList/MessagesGroup/Message/Message.vue b/src/components/MessagesList/MessagesGroup/Message/Message.vue
index aab55b106..c41d55837 100644
--- a/src/components/MessagesList/MessagesGroup/Message/Message.vue
+++ b/src/components/MessagesList/MessagesGroup/Message/Message.vue
@@ -489,9 +489,10 @@ export default {
 && this.messageType === 'comment'
 && !this.isDeleting
 && !isFileShare
- && (this.participant.participantType === PARTICIPANT.TYPE.OWNER
- || this.participant.participantType === PARTICIPANT.TYPE.MODERATOR
- || this.isMyMsg)
+ && (this.isMyMsg
+ || (this.conversation.type !== CONVERSATION.TYPE.ONE_TO_ONE
+ && (this.participant.participantType === PARTICIPANT.TYPE.OWNER
+ || this.participant.participantType === PARTICIPANT.TYPE.MODERATOR)))
 },
 messageActions() {
diff --git a/tests/integration/features/chat/delete.feature b/tests/integration/features/chat/delete.feature
index 388ceee91..189a89ff0 100644
--- a/tests/integration/features/chat/delete.feature
+++ b/tests/integration/features/chat/delete.feature
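Review bot: The comment kept inside the guard in ChatController.php, `// Actor is not a moderator or not the owner of the message`, no longer describes the check, because a moderator is now also refused when the room is `Room::ONE_TO_ONE_CALL`. This condition is the server-side authorization for deleting a message, so I would write it as an allow rule that denies by default: `$canDelete = $isOwnMessage || ($this->room->getType() !== Room::ONE_TO_ONE_CALL && $this->participant->hasModeratorPermissions(false));` followed by `if (!$canDelete) {`. The comment would then read `// Only the author may delete; moderators may also delete, except in one-to-one rooms`. The enclosing method starts and ends outside the hunk.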
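Review bot: The new condition in Message.vue reads `this.conversation.type` and `CONVERSATION.TYPE.ONE_TO_ONE`, but the diffstat gives only 7 changed lines for this file and the hunk accounts for all of them, so both names must already be defined elsewhere in the component. That is worth confirming, because an undefined `this.conversation` would make this computed property throw instead of hiding the action. The check only decides whether the delete action is shown; the rule that counts is the 403 returned by ChatController.php. A short comment such as `// UI hint only, the server enforces this on delete` would make it harder for the two copies of the rule to drift apart unnoticed. The computed property starts above the hunk.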
@@ -146,3 +146,34 @@ Feature: chat/reply
 | group room | users | participant2 | participant2-displayname | Message deleted by {actor} | {"actor":{"type":"user","id":"participant1","name":"participant1-displayname"}} | |
 Then user "participant1" received a system messages in room "group room" to delete "Message 1"
 Then user "participant2" received a system messages in room "group room" to delete "Message 1"
+
+ Scenario: Can only delete own messages in one-to-one
+ Given user "participant1" creates room "room1"
+ | roomType | 1 |
+ | invite | participant2 |
+ And user "participant1" sends message "Message 1" to room "room1" with 201
+ And user "participant2" sends message "Message 2" to room "room1" with 201
+ Then user "participant1" sees the following messages in room "room1" with 200
+ | room | actorType | actorId | actorDisplayName | message | messageParameters |
+ | room1 | users | participant2 | participant2-displayname | Message 2 | [] |
+ | room1 | users | participant1 | participant1-displayname | Message 1 | [] |
+ Then user "participant2" sees the following messages in room "room1" with 200
+ | room | actorType | actorId | actorDisplayName | message | messageParameters |
+ | room1 | users | participant2 | participant2-displayname | Message 2 | [] |
+ | room1 | users | participant1 | participant1-displayname | Message 1 | [] |
+ And user "participant1" deletes message "Message 2" from room "room1" with 403
+ And user "participant2" deletes message "Message 1" from room "room1" with 403
+ Then user "participant1" sees the following messages in room "room1" with 200
+ | room | actorType | actorId | actorDisplayName | message | messageParameters |
+ | room1 | users | participant2 | participant2-displayname | Message 2 | [] |
+ | room1 | users | participant1 | participant1-displayname | Message 1 | [] |
+ And user "participant1" deletes message "Message 1" from room "room1" with 200
+ And user "participant2" deletes message "Message 2" from room "room1" with 200
+ Then user "participant1" sees the following messages in room "room1" with 200
+ | room | actorType | actorId | actorDisplayName | message | messageParameters |
+ | room1 | users | participant2 | participant2-displayname | Message deleted by author | {"actor":{"type":"user","id":"participant2","name":"participant2-displayname"}} |
+ | room1 | users | participant1 | participant1-displayname | Message deleted by you | {"actor":{"type":"user","id":"participant1","name":"participant1-displayname"}} |
+ Then user "participant2" sees the following messages in room "room1" with 200
+ | room | actorType | actorId | actorDisplayName | message | messageParameters |
+ | room1 | users | participant2 | participant2-displayname | Message deleted by you | {"actor":{"type":"user","id":"participant2","name":"participant2-displayname"}} |
+ | room1 | users | participant1 | participant1-displayname | Message deleted by author | {"actor":{"type":"user","id":"participant1","name":"participant1-displayname"}} | |