From 3c8308bb8d42eec6456e54ce536ec01c033542ff Mon Sep 17 00:00:00 2001
From: Christophe Romain <christophe.romain@process-one.net>
Date: Wed, 27 Sep 2017 17:37:38 +0200
Subject: PubSub: enforce controls on publish and delete

---
 src/node_flat_sql.erl | 51 ++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 38 insertions(+), 13 deletions(-)

(limited to 'src/node_flat_sql.erl')

diff --git a/src/node_flat_sql.erl b/src/node_flat_sql.erl
index 97f49c92c..2ea5b0bab 100644
--- a/src/node_flat_sql.erl
+++ b/src/node_flat_sql.erl
@@ -243,20 +243,31 @@ publish_item(Nidx, Publisher, PublishModel, MaxItems, ItemId, Payload,
     if not ((PublishModel == open) or
 		    (PublishModel == publishers) and
 		    ((Affiliation == owner)
-			 or (Affiliation == publisher)
-			 or (Affiliation == publish_only))
+			or (Affiliation == publisher)
+			or (Affiliation == publish_only))
 		    or (Subscribed == true)) ->
 	    {error, xmpp:err_forbidden()};
 	true ->
 	    if MaxItems > 0 ->
-		    PubId = {p1_time_compat:timestamp(), SubKey},
-		    set_item(#pubsub_item{itemid = {ItemId, Nidx},
-			    creation = {p1_time_compat:timestamp(), GenKey},
-			    modification = PubId,
-			    payload = Payload}),
-		    Items = [ItemId | itemids(Nidx, GenKey) -- [ItemId]],
-		    {result, {_, OI}} = remove_extra_items(Nidx, MaxItems, Items),
-		    {result, {default, broadcast, OI}};
+		    Now = p1_time_compat:timestamp(),
+		    case get_item(Nidx, ItemId) of
+			{result, #pubsub_item{creation = {_, GenKey}} = OldItem} ->
+			    set_item(OldItem#pubsub_item{
+					modification = {Now, SubKey},
+					payload = Payload}),
+			    {result, {default, broadcast, []}};
+			{result, _} ->
+			    {error, xmpp:err_forbidden()};
+			_ ->
+			    Items = [ItemId | itemids(Nidx, GenKey)],
+			    {result, {_NI, OI}} = remove_extra_items(Nidx, MaxItems, Items),
+			    set_item(#pubsub_item{
+					itemid = {ItemId, Nidx},
+					creation = {Now, GenKey},
+					modification = {Now, SubKey},
+					payload = Payload}),
+			    {result, {default, broadcast, OI}}
+		    end;
 		true ->
 		    {result, {default, broadcast, []}}
 	    end
@@ -284,9 +295,23 @@ delete_item(Nidx, Publisher, PublishModel, ItemId) ->
     if not Allowed ->
 	    {error, xmpp:err_forbidden()};
 	true ->
-	    case del_item(Nidx, ItemId) of
-		{updated, 1} -> {result, {default, broadcast}};
-		_ -> {error, xmpp:err_item_not_found()}
+	    Items = itemids(Nidx, GenKey),
+	    case lists:member(ItemId, Items) of
+		true ->
+		    case del_item(Nidx, ItemId) of
+			{updated, 1} -> {result, {default, broadcast}};
+			_ -> {error, xmpp:err_item_not_found()}
+		    end;
+		false ->
+		    case Affiliation of
+			owner ->
+			    case del_item(Nidx, ItemId) of
+				{updated, 1} -> {result, {default, broadcast}};
+				_ -> {error, xmpp:err_item_not_found()}
+			    end;
+			_ ->
+			    {error, xmpp:err_forbidden()}
+		    end
 	    end
     end.
 
-- 
cgit v1.2.3