coop-cloud-chaos-patchs/outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix: Allow deleting attachments not linked to documents when owned by user

Browse Source 
closes #1729
This commit is contained in:
Tom Moor
2020-12-20 11:39:09 -08:00
parent 117d278d16
commit decbe4f643
4 changed files with 93 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
server/api/attachments.js
View File

@ -98,11 +98,18 @@ router.post("attachments.delete", auth(), async (ctx) => {
const user = ctx.state.user;
const attachment = await Attachment.findByPk(id);
const document = await Document.findByPk(attachment.documentId, {
userId: user.id,
});
authorize(user, "update", document);
if (!attachment) {
throw new NotFoundError();
}
if (attachment.documentId) {
const document = await Document.findByPk(attachment.documentId, {
userId: user.id,
});
authorize(user, "update", document);
}
authorize(user, "delete", attachment);
await attachment.destroy();
await Event.create({