From 74809e733037412081de691b4b4f7f7b4576bb0f Mon Sep 17 00:00:00 2001
From: "Timothy J. Baek"
Date: Sat, 2 Mar 2024 00:07:50 -0800
Subject: [PATCH] fix: user chat delete loophole

---
 backend/apps/web/routers/chats.py | 12 +++++++++++-
 src/lib/apis/chats/index.ts | 2 +-
 src/lib/components/chat/Settings/Chats.svelte | 4 +++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/backend/apps/web/routers/chats.py b/backend/apps/web/routers/chats.py
index 1ce537ec..0c0ac1ce 100644
--- a/backend/apps/web/routers/chats.py
+++ b/backend/apps/web/routers/chats.py
@@ -271,6 +271,16 @@ async def delete_all_chat_tags_by_id(id: str, user=Depends(get_current_user)):
 @router.delete("/", response_model=bool)
-async def delete_all_user_chats(user=Depends(get_current_user)):
+async def delete_all_user_chats(request: Request, user=Depends(get_current_user)):
+
+    if (
+        user.role == "user"
+        and not request.app.state.USER_PERMISSIONS["chat"]["deletion"]
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+        )
+
     result = Chats.delete_chats_by_user_id(user.id)
     return result
diff --git a/src/lib/apis/chats/index.ts b/src/lib/apis/chats/index.ts
index aadf3769..35b259d5 100644
--- a/src/lib/apis/chats/index.ts
+++ b/src/lib/apis/chats/index.ts
@@ -439,7 +439,7 @@ export const deleteAllChats = async (token: string) => {
 			return json;
 		})
 		.catch((err) => {
-			error = err;
+			error = err.detail;
 			console.log(err);
 			return null;
diff --git a/src/lib/components/chat/Settings/Chats.svelte b/src/lib/components/chat/Settings/Chats.svelte
index bab3acc7..e13689f5 100644
--- a/src/lib/components/chat/Settings/Chats.svelte
+++ b/src/lib/components/chat/Settings/Chats.svelte
@@ -75,7 +75,9 @@
 	const deleteChats = async () => {
 		await goto('/');
-		await deleteAllChats(localStorage.token);
+		await deleteAllChats(localStorage.token).catch((error) => {
+			toast.error(error);
+		});
 		await chats.set(await getChatList(localStorage.token));
 	};
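Review bot: The new guard in delete_all_user_chats raises `status.HTTP_401_UNAUTHORIZED` for a caller who is already authenticated (the `get_current_user` dependency has resolved `user`), which is an authorization failure, so `status.HTTP_403_FORBIDDEN` is the accurate code unless the other permission checks in this router deliberately use 401, in which case consistency should win. The guard also indexes `request.app.state.USER_PERMISSIONS["chat"]["deletion"]` directly; if that config can be missing either key, the request fails with a 500 instead of a clean denial, and a `.get("chat", {}).get("deletion", ...)` lookup with whatever default the rest of the app uses avoids that. `Request` is used in the new signature but no hunk in this patch adds an import for it, and chats.py has no other hunk here, so confirm it is already imported from fastapi in this module. A one-line docstring would help, e.g. `"""Delete every chat owned by the caller; non-admin users need the chat deletion permission."""`.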
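Review bot: `error = err.detail;` leaves `error` undefined whenever the rejection is not the API's parsed JSON body (a network failure or a non-JSON response earlier in the fetch chain), so if the code after this hunk only throws when `error` is truthy, those failures are silently turned into a null return with no toast; `error = err.detail ?? err;` keeps the previous behaviour as a fallback while still surfacing the server's `detail` string. The same question applies to the `toast.error(error)` added in Chats.svelte, which would render `[object Object]` if a non-string value ever propagates, so the fallback should be something printable. The enclosing deleteAllChats function starts and ends outside the hunk.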