Prevent fetching messages from other channels. Change channel tag to channel_type.

src/database/entities/channel.rs

@@ -6,7 +6,7 @@ use rocket_contrib::json::JsonValue;
 use serde::{Deserialize, Serialize};
 
 #[derive(Serialize, Deserialize, Debug, Clone)]
-#[serde(tag = "type")]
+#[serde(tag = "channel_type")]
 pub enum Channel {
     SavedMessages {
         #[serde(rename = "_id")]

src/database/guards/reference.rs

@@ -47,8 +47,13 @@ impl Ref {
         self.fetch("channels").await
     }
 
-    pub async fn fetch_message(&self) -> Result<Message> {
-        self.fetch("messages").await
+    pub async fn fetch_message(&self, channel: &Channel) -> Result<Message> {
+        let message: Message = self.fetch("messages").await?;
+        if &message.channel != channel.id() {
+            Err(Error::InvalidOperation)
+        } else {
+            Ok(message)
+        }
     }
 }
 

src/routes/channels/message_delete.rs

@@ -12,7 +12,7 @@ pub async fn req(user: User, target: Ref, msg: Ref) -> Result<()> {
         Err(Error::LabelMe)?
     }
 
-    let message = msg.fetch_message().await?;
+    let message = msg.fetch_message(&channel).await?;
     if message.author != user.id && !perm.get_manage_messages() {
         match channel {
             Channel::SavedMessages { .. } => unreachable!(),

src/routes/channels/message_edit.rs

@@ -25,7 +25,7 @@ pub async fn req(user: User, target: Ref, msg: Ref, edit: Json<Data>) -> Result<
         Err(Error::LabelMe)?
     }
 
-    let message = msg.fetch_message().await?;
+    let message = msg.fetch_message(&channel).await?;
     if message.author != user.id {
         Err(Error::CannotEditMessage)?
     }

src/routes/channels/message_fetch.rs

@@ -12,6 +12,6 @@ pub async fn req(user: User, target: Ref, msg: Ref) -> Result<JsonValue> {
         Err(Error::LabelMe)?
     }
 
-    let message = msg.fetch_message().await?;
+    let message = msg.fetch_message(&channel).await?;
     Ok(json!(message))
 }