fix: toMid to posts you cant see

src/messaging/create.js

@@ -42,8 +42,13 @@ module.exports = function (Messaging) {
 		if (!roomData) {
 			throw new Error('[[error:no-room]]');
 		}
-		if (data.toMid && !utils.isNumber(data.toMid)) {
+		if (data.toMid) {
-			throw new Error('[[error:invalid-mid]]');
+			if (!utils.isNumber(data.toMid)) {
+				throw new Error('[[error:invalid-mid]]');
+			}
+			if (!await Messaging.canViewMessage(data.toMid, roomId, uid)) {
+				throw new Error('[[error:no-privileges]]');
+			}
 		}
 		const mid = await db.incrObjectField('global', 'nextMid');
 		const timestamp = data.timestamp || Date.now();

src/messaging/data.js

@@ -132,6 +132,9 @@ module.exports = function (Messaging) {
 			return;
 		}
 		parentMids = _.uniq(parentMids);
+		const canView = await Messaging.canViewMessage(parentMids, roomId, uid);
+		parentMids = parentMids.filter((mid, idx) => canView[idx]);
+
 		const parentMessages = await Messaging.getMessagesFields(parentMids, [
 			'fromuid', 'content', 'timestamp', 'deleted',
 		]);

test/messaging.js

@@ -1,7 +1,6 @@
 'use strict';
 
 const assert = require('assert');
-const async = require('async');
 const request = require('request-promise-native');
 const nconf = require('nconf');
 const util = require('util');
@@ -369,7 +368,6 @@ describe('Messaging Library', () => {
 		});
 
 		it('should fail to send second message due to rate limit', async () => {
-			const socketMock = { uid: mocks.users.foo.uid };
 			const oldValue = meta.config.chatMessageDelay;
 			meta.config.chatMessageDelay = 1000;
 
@@ -572,6 +570,55 @@ describe('Messaging Library', () => {
 		});
 	});
 
+	describe('toMid', () => {
+		let roomId;
+		let firstMid;
+		before(async () => {
+			// create room
+			const { body } = await callv3API('post', `/chats`, {
+				uids: [mocks.users.bar.uid],
+			}, 'foo');
+			roomId = body.response.roomId;
+			// send message
+			const result = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'first chat message',
+			}, 'foo');
+
+			firstMid = result.body.response.mid;
+		});
+
+		it('should fail if toMid is not a number', async () => {
+			const result = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'invalid',
+				toMid: 'osmaosd',
+			}, 'foo');
+			assert.strictEqual(result.body.status.message, 'Invalid Chat Message ID');
+		});
+
+		it('should reply to firstMid using toMid', async () => {
+			const { body } = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'invalid',
+				toMid: firstMid,
+			}, 'bar');
+			assert(body.response.mid);
+		});
+
+		it('should fail if user can not view toMid', async () => {
+			// add new user
+			await callv3API('post', `/chats/${roomId}/users`, { uids: [mocks.users.herp.uid] }, 'foo');
+			// try to reply to firstMid that this user cant see
+			const { body } = await callv3API('post', `/chats/${roomId}`, {
+				roomId: roomId,
+				message: 'invalid',
+				toMid: firstMid,
+			}, 'herp');
+			assert.strictEqual(body.status.message, 'You do not have enough privileges for this action.');
+		});
+	});
+
 	describe('edit/delete', () => {
 		const socketModules = require('../src/socket.io/modules');
 		let mid;