Fix superuser's ability to manually delete an internal file via deleteFile

edemaine · edemaine · commit 9b22e5857434 · 2025-02-10T13:20:17.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ To see every change with descriptions aimed at developers, see
 As a continuously updated web app, Coauthor uses dates
 instead of version numbers.
 
+## 2025-02-10
+
+* Fix superuser's ability to manually delete an internal file via `deleteFile`
+  [[#279](https://github.com/edemaine/coauthor/issues/279)]
+
 ## 2025-02-06
 
 * Remove duplicate file description in unrendered files (non-images/videos/PDFs)
diff --git a/lib/files.coffee b/lib/files.coffee
@@ -141,6 +141,10 @@ if Meteor.isServer
       #file.metadata?.uploader == userId or
       fileRoleCheck file, 'read', userId
     remove: (userId, file) ->
+      ## Support `deleteFile` which calls `Files.remove` which goes over socket.
+      ## This sets Meteor.userId but meteor-file-collection
+      ## just checks X-Auth-Token
+      userId ?= Meteor.user()
       #file.metadata?.uploader == userId
       fileRoleCheck file, 'super', userId
 else
