Hello, MBSE Developer Team,
I have found and fixed a bug related to the Delete_Msg and Delete_MsgNum functions in mail.c, where a user can only delete his own messages if he is the sender, but not if he is the recipient of a message. But both should be valid criteria to allow deletion.
1.) Steps to reproduce:
- Enter a message in a message board with, "Private Only", "Users may delete their messages" options enabled and send it to another (test) user.
- Log in as the test user and read the message you sent, then try to delete it.
- Deleting the message is not possible although the (test) user is the recipient.
2.) Root cause analysis:
- There's a check missing in the if condition at lines 1577 and 2008 of mail.c: it only checks if the user who wants to delete a message is the sender, but not if he is the recipient of the message.
3.) Solution:
- I have added the missing condition check ( IsMe(Msg.To) ) to lines 1577 and 2008:
Line 1577 of mail.c:
    if ((msgs.UsrDelete && (IsMe(Msg.From) || IsMe(Msg.To))) || (exitinfo.Security.level >= CFG.sysop_access) ||
        Access(exitinfo.Security, msgs.SYSec)) {
Line 2008 of mail.c:
    if ((msgs.UsrDelete && (IsMe(Msg.From) || IsMe(Msg.To))) || (exitinfo.Security.level >= CFG.sysop_access) ||
        Access(exitinfo.Security, msgs.SYSec)) {
fixed in svn and vers -> 1.0.8.6
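The deletion check described in the report above, modelled as an added example that is not part of the original report or of the MBSE source. The struct types, the field names and the case-insensitive name match inside is_me() are assumptions made for illustration; only the shape of the condition is taken from the report.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for the state mail.c consults; all names are hypothetical. */
struct msg  { const char *from, *to; };
struct area { bool usr_delete; int sysop_level; };   /* msgs.UsrDelete, CFG.sysop_access */
struct user { const char *name; int level; bool area_sysop; }; /* area_sysop: Access(.., msgs.SYSec) */

/* Assumed behaviour of IsMe(): case-insensitive match on the logged-in name. */
static bool is_me(const struct user *u, const char *name)
{
    const char *a = u->name;
    if (name == NULL) return false;
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*name)) { a++; name++; }
    return *a == '\0' && *name == '\0';
}

/* Condition as the report describes it before the fix: sender only. */
bool may_delete_before(const struct user *u, const struct area *a, const struct msg *m)
{
    return (a->usr_delete && is_me(u, m->from)) ||
           u->level >= a->sysop_level || u->area_sysop;
}

/* Condition after the fix: sender or recipient, still gated by the area option. */
bool may_delete_after(const struct user *u, const struct area *a, const struct msg *m)
{
    return (a->usr_delete && (is_me(u, m->from) || is_me(u, m->to))) ||
           u->level >= a->sysop_level || u->area_sysop;
}

int main(void)
{
    struct area priv = { true, 32000 };                   /* constructed sample values */
    struct msg  m = { "Alice Sender", "Bob Recipient" };
    struct user who[] = {
        { "Alice Sender", 20, false }, { "bob recipient", 20, false },
        { "Carol Other",  20, false }, { "Sysop", 32000, false },
    };
    for (size_t i = 0; i < sizeof who / sizeof who[0]; i++)
        printf("%-14s before=%d after=%d\n", who[i].name,
               may_delete_before(&who[i], &priv, &m),
               may_delete_after(&who[i], &priv, &m));
    return 0;
}
```

The case worth keeping as a regression test is the third party: a user who is neither sender nor recipient must still be refused after the change, and the recipient must be refused when "Users may delete their messages" is off.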