Restrict deletion to deleting your own messages.

1 files changed, 12 insertions, 2 deletions

diff --git a/src/message/app.rs b/src/message/app.rs
index eed6ba4..137a27d 100644
--- a/src/message/app.rs
+++ b/src/message/app.rs
@@ -45,16 +45,24 @@ impl<'a> Messages<'a> {
         Ok(message.as_sent())
     }
 
-    pub async fn delete(&self, message: &Id, deleted_at: &DateTime) -> Result<(), DeleteError> {
+    pub async fn delete(
+        &self,
+        deleted_by: &Login,
+        message: &Id,
+        deleted_at: &DateTime,
+    ) -> Result<(), DeleteError> {
         let mut tx = self.db.begin().await?;
         let message = tx
             .messages()
             .by_id(message)
             .await
             .not_found(|| DeleteError::NotFound(message.clone()))?;
-        message
+        let snapshot = message
             .as_snapshot()
             .ok_or_else(|| DeleteError::Deleted(message.id().clone()))?;
+        if snapshot.sender != deleted_by.id {
+            return Err(DeleteError::NotSender(deleted_by.clone()));
+        }
 
         let deleted = tx.sequence().next(deleted_at).await?;
         let message = tx.messages().delete(&message, &deleted).await?;
@@ -138,6 +146,8 @@ impl From<channel::repo::LoadError> for SendError {
 pub enum DeleteError {
     #[error("message {0} not found")]
     NotFound(Id),
+    #[error("login {} not the message's sender", .0.id)]
+    NotSender(Login),
     #[error("message {0} deleted")]
     Deleted(Id),
     #[error(transparent)]