From d137a564e9cef75d779a57364f8e71c0282557e9 Mon Sep 17 00:00:00 2001
From: Alex Eftimie
Date: Fri, 27 Sep 2013 12:19:00 -0400
Subject: [PATCH] [messaging] Security fix: do not allow random message deletion.

---
 wouso/interface/apps/messaging/views.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/wouso/interface/apps/messaging/views.py b/wouso/interface/apps/messaging/views.py
index 2aa1c577..ac4d8bfe 100644
--- a/wouso/interface/apps/messaging/views.py
+++ b/wouso/interface/apps/messaging/views.py
@@ -76,7 +76,6 @@ def create(request, to=None, reply_to=None):
 @login_required
 def message(request, mid):
     message = get_object_or_404(Message, pk=mid)
-
     me = request.user.get_profile().get_extension(MessagingUser)
 
     if message.sender == me or message.receiver == me:
@@ -88,10 +87,16 @@ def message(request, mid):
                               context_instance=RequestContext(request))
     raise Http404
 
+
 @login_required
 def delete(request, id):
     message = get_object_or_404(Message, pk=id)
-    message.delete()
+    me = request.user.get_profile().get_extension(MessagingUser)
+
+    if message.sender == me or message.receiver == me:
+        message.delete()
+    else:
+        raise Http404
     go_back = request.META.get('HTTP_REFERER', None)
     if not go_back:
         go_back = reverse('wouso.interface.messaging.views.home')
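Review bot: The ownership check in `delete` now stops users from removing other people's messages, but the view still performs the destructive `message.delete()` on any HTTP method, and the referer-based redirect that follows suggests it is reached by a plain GET link, which Django's CSRF middleware does not protect; add `from django.views.decorators.http import require_POST`, stack `@require_POST` above `@login_required`, and have the deleting link submit a POST form. Raising `Http404` on a failed ownership check matches the `message` view above, though `PermissionDenied` (403) would state the real reason; either way the `sender == me or receiver == me` predicate is now duplicated in both views and is worth a single helper such as `def _can_access(message, me): return me in (message.sender, message.receiver)`. The body of `delete` continues past the hunk, so the final redirect is not visible here.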