fix: user chat delete loophole

2024-03-02 00:07:50 -08:00 · 2024-03-02 00:07:50 -08:00 · 74809e7330
commit 74809e7330
parent a4c6a8d5a4
3 changed files with 15 additions and 3 deletions
--- a/backend/apps/web/routers/chats.py
+++ b/backend/apps/web/routers/chats.py
@ -271,6 +271,16 @@ async def delete_all_chat_tags_by_id(id: str, user=Depends(get_current_user)):


@router.delete("/", response_model=bool)
-async def delete_all_user_chats(user=Depends(get_current_user)):
+async def delete_all_user_chats(request: Request, user=Depends(get_current_user)):
+
+    if (
+        user.role == "user"
+        and not request.app.state.USER_PERMISSIONS["chat"]["deletion"]
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+        )
+
    result = Chats.delete_chats_by_user_id(user.id)
    return result