From 5ab329dfdd8e9224f66afe937b0f5c6a3f49818d Mon Sep 17 00:00:00 2001
From: Paul Makles <paulmakles@gmail.com>
Date: Tue, 19 Jan 2021 19:54:37 +0000
Subject: [PATCH] Prevent fetching messages from other channels. Change channel
 tag to channel_type.

---
 src/database/entities/channel.rs      | 2 +-
 src/database/guards/reference.rs      | 9 +++++++--
 src/routes/channels/message_delete.rs | 2 +-
 src/routes/channels/message_edit.rs   | 2 +-
 src/routes/channels/message_fetch.rs  | 2 +-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/database/entities/channel.rs b/src/database/entities/channel.rs
index 5138793..4c8d69e 100644
--- a/src/database/entities/channel.rs
+++ b/src/database/entities/channel.rs
@@ -6,7 +6,7 @@ use rocket_contrib::json::JsonValue;
 use serde::{Deserialize, Serialize};
 
 #[derive(Serialize, Deserialize, Debug, Clone)]
-#[serde(tag = "type")]
+#[serde(tag = "channel_type")]
 pub enum Channel {
     SavedMessages {
         #[serde(rename = "_id")]
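Review bot: Renaming the serde tag from `type` to `channel_type` changes the serialized shape of every `Channel`, and since this same derive appears to back the documents `fetch("channels")` reads as well as the HTTP JSON, channel records already stored with a `type` discriminator will presumably fail to deserialize after this lands unless they are migrated. `#[serde(tag = ...)]` has no alias form, so the old key cannot be accepted alongside the new one; a one-off rename of the stored field, or at least a comment above the attribute such as `// Wire/document discriminator for the enum; renaming it is a persisted-data and API change.`, would make the impact explicit. The enum body continues outside the hunk.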
diff --git a/src/database/guards/reference.rs b/src/database/guards/reference.rs
index 829ff24..65e0dfb 100644
--- a/src/database/guards/reference.rs
+++ b/src/database/guards/reference.rs
@@ -47,8 +47,13 @@ impl Ref {
         self.fetch("channels").await
     }
 
-    pub async fn fetch_message(&self) -> Result<Message> {
-        self.fetch("messages").await
+    pub async fn fetch_message(&self, channel: &Channel) -> Result<Message> {
+        let message: Message = self.fetch("messages").await?;
+        if &message.channel != channel.id() {
+            Err(Error::InvalidOperation)
+        } else {
+            Ok(message)
+        }
     }
 }
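Review bot: Returning `Error::InvalidOperation` when the message exists but belongs to a different channel is distinguishable from the error `fetch` produces for an unknown id, so a caller who has access to one channel can still probe whether arbitrary message ids exist elsewhere. Preferably make the two outcomes indistinguishable: either map the channel mismatch to the same not-found error that `fetch("messages")` yields for a missing document, or include the channel id in the store query so a message from another channel is never returned in the first place. The new method also deserves a doc comment, e.g. a `///` line stating that it fetches the message and rejects it unless it belongs to the given channel, and that callers must already have authorised the user's access to that channel. The enclosing `impl Ref` begins above this hunk.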
 
diff --git a/src/routes/channels/message_delete.rs b/src/routes/channels/message_delete.rs
index f47c635..67b88dc 100644
--- a/src/routes/channels/message_delete.rs
+++ b/src/routes/channels/message_delete.rs
@@ -12,7 +12,7 @@ pub async fn req(user: User, target: Ref, msg: Ref) -> Result<()> {
         Err(Error::LabelMe)?
     }
 
-    let message = msg.fetch_message().await?;
+    let message = msg.fetch_message(&channel).await?;
     if message.author != user.id && !perm.get_manage_messages() {
         match channel {
             Channel::SavedMessages { .. } => unreachable!(),
diff --git a/src/routes/channels/message_edit.rs b/src/routes/channels/message_edit.rs
index 10bed64..5f170cd 100644
--- a/src/routes/channels/message_edit.rs
+++ b/src/routes/channels/message_edit.rs
@@ -25,7 +25,7 @@ pub async fn req(user: User, target: Ref, msg: Ref, edit: Json<Data>) -> Result<
         Err(Error::LabelMe)?
     }
 
-    let message = msg.fetch_message().await?;
+    let message = msg.fetch_message(&channel).await?;
     if message.author != user.id {
         Err(Error::CannotEditMessage)?
     }
diff --git a/src/routes/channels/message_fetch.rs b/src/routes/channels/message_fetch.rs
index 887a68a..7b4ff93 100644
--- a/src/routes/channels/message_fetch.rs
+++ b/src/routes/channels/message_fetch.rs
@@ -12,6 +12,6 @@ pub async fn req(user: User, target: Ref, msg: Ref) -> Result<JsonValue> {
         Err(Error::LabelMe)?
     }
 
-    let message = msg.fetch_message().await?;
+    let message = msg.fetch_message(&channel).await?;
     Ok(json!(message))
 }
-- 
GitLab