From faf29b768f0d774401b234a40eb227bf33cbe034 Mon Sep 17 00:00:00 2001 From: syuilo Date: Wed, 19 Sep 2018 17:29:03 +0900 Subject: [PATCH] Make admin can delete any note --- src/client/app/common/views/components/note-menu.vue | 5 +++++ src/server/api/endpoints/notes/delete.ts | 7 +++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/client/app/common/views/components/note-menu.vue b/src/client/app/common/views/components/note-menu.vue index c9912fb1e..08fae46dd 100644 --- a/src/client/app/common/views/components/note-menu.vue +++ b/src/client/app/common/views/components/note-menu.vue @@ -33,12 +33,16 @@ export default Vue.extend({ text: '%i18n:@pin%', action: this.pin }); + } + + if (this.note.userId == this.$store.state.i.id || this.$store.state.i.isAdmin) { items.push({ icon: '%fa:trash-alt R%', text: '%i18n:@delete%', action: this.del }); } + if (this.note.uri) { items.push({ icon: '%fa:external-link-square-alt%', @@ -48,6 +52,7 @@ export default Vue.extend({ } }); } + return items; } }, diff --git a/src/server/api/endpoints/notes/delete.ts b/src/server/api/endpoints/notes/delete.ts index 6d9826cf7..741a8a1dc 100644 --- a/src/server/api/endpoints/notes/delete.ts +++ b/src/server/api/endpoints/notes/delete.ts @@ -21,14 +21,17 @@ export default (params: any, user: ILocalUser) => new Promise(async (res, rej) = // Fetch note const note = await Note.findOne({ - _id: noteId, - userId: user._id + _id: noteId }); if (note === null) { return rej('note not found'); } + if (!user.isAdmin && !note.userId.equals(user._id)) { + return rej('access denied'); + } + await deleteNote(user, note); res();
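Review bot: The added condition `this.note.userId == this.$store.state.i.id || this.$store.state.i.isAdmin` only decides whether the delete entry is rendered, and `isAdmin` here is client-side state, so the line should carry a comment that it is not the authorization check, e.g. `// Display only: notes/delete enforces owner-or-admin on the server`. The same `%i18n:@delete%` entry and `this.del` action serve both the owner and the admin case, so an admin gets no indication that the note belongs to someone else; a distinct label or confirmation for the moderation case would reduce accidental deletions. The enclosing function begins outside the hunk, so the condition guarding the pin entry is not visible here.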
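Review bot: The new guard `if (!user.isAdmin && !note.userId.equals(user._id))` lets an admin through, but the call after it still passes the caller, `deleteNote(user, note)`, so any per-author bookkeeping or delivery inside deleteNote would presumably run as the admin rather than as the note's author. deleteNote is not shown here, so confirm what it does with its first argument and, if it assumes the author, load the owner by `note.userId` and pass that instead. Separately, a non-owner now receives 'access denied' where the old query produced 'note not found', which tells any authenticated caller whether a given note id exists; returning `rej('note not found')` from the new branch keeps the previous behaviour. An admin deleting another user's note is a moderation action and deserves an audit record (acting admin id, note id, owner id) at this point. The handler's body starts and ends outside the hunk.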