fix: allow admin to delete bleet post

SnailyCAD · Nov 18, 2023 · 7180dac · 7180dac
1 parent e7f63fa
commit 7180dac
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/apps/api/src/controllers/bleeter/bleeter-controller.ts b/apps/api/src/controllers/bleeter/bleeter-controller.ts
@@ -12,7 +12,7 @@ import {
   type PlatformMulterFile,
   MultipartFile,
 } from "@tsed/common";
-import { BadRequest, NotFound } from "@tsed/exceptions";
+import { BadRequest, Forbidden, NotFound } from "@tsed/exceptions";
 import { ContentType, Delete, Description, Put } from "@tsed/schema";
 import { prisma } from "lib/data/prisma";
 import { IsAuth } from "middlewares/auth/is-auth";
@@ -27,6 +27,7 @@ import { type BleeterPost, type BleeterProfile } from "@snailycad/types";
 import { type Descendant, slateDataToString } from "@snailycad/utils/editor";
 import { getAPIUrl } from "@snailycad/utils/api-url";
 import { sendDiscordWebhook } from "~/lib/discord/webhooks";
+import { defaultPermissions, hasPermission } from "@snailycad/permissions";
 
 @UseBeforeEach(IsAuth)
 @Controller("/bleeter")
@@ -204,10 +205,19 @@ export class BleeterController {
       },
     });
 
-    if (!post || post.userId !== user.id) {
+    const hasAdminPermissions = hasPermission({
+      userToCheck: user,
+      permissionsToCheck: defaultPermissions.allDefaultAdminPermissions,
+    });
+
+    if (!post) {
       throw new NotFound("notFound");
     }
 
+    if (post.userId !== user.id || !hasAdminPermissions) {
+      throw new Forbidden("notAllowedToDelete");
+    }
+
     await prisma.bleeterPost.delete({
       where: {
         id: post.id,