fix: assertion check to ensure messages are in the room when editing/deleting, etc

src/messaging/index.js

@@ -277,4 +277,15 @@ Messaging.hasPrivateChat = async (uid, withUid) => {
 	return roomId;
 };
 
+Messaging.canViewMessage = async (mids, roomId, uid) => {
+	let single = false;
+	if (!Array.isArray(mids) && isFinite(mids)) {
+		mids = [mids];
+		single = true;
+	}
+
+	const canView = await db.isSortedSetMembers(`uid:${uid}:chat:room:${roomId}:mids`, mids);
+	return single ? canView.pop() : canView;
+};
+
 require('../promisify')(Messaging);

src/middleware/assert.js

@@ -128,7 +128,11 @@ Assert.room = helpers.try(async (req, res, next) => {
 });
 
 Assert.message = helpers.try(async (req, res, next) => {
-	if (!isFinite(req.params.mid) || !(await messaging.messageExists(req.params.mid))) {
+	if (
+		!isFinite(req.params.mid) ||
+		!(await messaging.messageExists(req.params.mid)) ||
+		!(await messaging.canViewMessage(req.params.mid, req.params.roomId, req.uid))
+	) {
 		return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));
 	}
 

test/messaging.js

@@ -628,6 +628,12 @@ describe('Messaging Library', () => {
 			assert.strictEqual(body.status.message, await translator.translate('[[error:cant-edit-chat-message]]'));
 		});
 
+		it('should fail to edit message if message not in room', async () => {
+			const { statusCode, body } = await callv3API('put', `/chats/${roomId}/messages/1014`, { message: 'message edited' }, 'herp');
+			assert.strictEqual(statusCode, 400);
+			assert.strictEqual(body.status.message, await translator.translate('[[error:invalid-mid]]'));
+		});
+
 		it('should edit message', async () => {
 			let { statusCode, body } = await callv3API('put', `/chats/${roomId}/messages/${mid}`, { message: 'message edited' }, 'foo');
 			assert.strictEqual(statusCode, 200);