happyz
/
memos
mirror of https://github.com/usememos/memos.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add owner checks to setting memo relations

This commit is contained in:
Florian Dewald 2025-11-03 09:46:23 +00:00
parent 14cf21d191
commit 16c8a8cbcf
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
server/router/api/v1/memo_relation_service.go
View File

@ -14,6 +14,13 @@ import (
) )
func (s *APIV1Service) SetMemoRelations(ctx context.Context, request *v1pb.SetMemoRelationsRequest) (*emptypb.Empty, error) { func (s *APIV1Service) SetMemoRelations(ctx context.Context, request *v1pb.SetMemoRelationsRequest) (*emptypb.Empty, error) {
user, err := s.GetCurrentUser(ctx)
if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
}
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
memoUID, err := ExtractMemoUIDFromName(request.Name) memoUID, err := ExtractMemoUIDFromName(request.Name)
if err != nil { if err != nil {
return nil, status.Errorf(codes.InvalidArgument, "invalid memo name: %v", err) return nil, status.Errorf(codes.InvalidArgument, "invalid memo name: %v", err)
@ -22,6 +29,9 @@ func (s *APIV1Service) SetMemoRelations(ctx context.Context, request *v1pb.SetMe
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get memo") return nil, status.Errorf(codes.Internal, "failed to get memo")
} }
if memo.CreatorID != user.ID && !isSuperUser(user) {
return nil, status.Errorf(codes.PermissionDenied, "permission denied")
}
referenceType := store.MemoRelationReference referenceType := store.MemoRelationReference
// Delete all reference relations first. // Delete all reference relations first.
if err := s.Store.DeleteMemoRelation(ctx, &store.DeleteMemoRelation{ if err := s.Store.DeleteMemoRelation(ctx, &store.DeleteMemoRelation{