From 67f08fc60fb71d01611e1ea0c46b9c61a6e61f92 Mon Sep 17 00:00:00 2001
From: Thaum <stefanzermatten@gmail.com>
Date: Tue, 7 Apr 2015 11:40:11 +0000
Subject: [PATCH] Added permission check to soft removes

---
 rpg-docs/lib/functions/parenting.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/rpg-docs/lib/functions/parenting.js b/rpg-docs/lib/functions/parenting.js
index 3ccb2889..57d9ea5a 100644
--- a/rpg-docs/lib/functions/parenting.js
+++ b/rpg-docs/lib/functions/parenting.js
@@ -129,13 +129,24 @@ var cascadeSoftRemove = function(id, removedWithId){
 	});
 };
 
+var checkRemovePermission = function(collectionName, id, self){
+	check(collectionName, String);
+	check(id, String);
+	var collection = Mongo.Collection.get(collectionName);
+	var node = collection.findOne(id);
+	var charId = node && node.charId;
+	checkPermission(self.userId, charId);
+};
+
 Meteor.methods({
 	softRemoveNode: function(collectionName, id){
+		checkRemovePermission(collectionName, id, this);
 		var collection = Mongo.Collection.get(collectionName);
 		collection.softRemove(id);
 		cascadeSoftRemove(id, id);
 	},
 	restoreNode: function(collectionName, id){
+		checkRemovePermission(collectionName, id, this);
 		var collection = Mongo.Collection.get(collectionName);
 		collection.restore(id);
 		_.each(childCollections, function(treeCollection){