From 246edcd5f084eaf5c95a60882558e98566c948f6 Mon Sep 17 00:00:00 2001
From: John Burwell <john@b-wells.us>
Date: Sat, 29 Apr 2023 20:24:30 -0500
Subject: [PATCH] prevent deleting others' messages

---
 rsbbs/plugins/delete/plugin.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/rsbbs/plugins/delete/plugin.py b/rsbbs/plugins/delete/plugin.py
index 6d08691..d6b0290 100644
--- a/rsbbs/plugins/delete/plugin.py
+++ b/rsbbs/plugins/delete/plugin.py
@@ -44,11 +44,23 @@ class Plugin():
     def delete(self, number) -> None:
         with self.api.controller.session() as session:
             try:
-                message = session.get(Message, number)
-                session.delete(message)
+                statement = sqlalchemy.delete(Message).where(
+                    sqlalchemy.and_(
+                        Message.recipient == self.api.config.calling_station,
+                        Message.id == number,
+                    )).returning(Message)
+                result = session.execute(
+                    statement,
+                    execution_options={"prebuffer_rows": True})
                 session.commit()
-                self.api.write_output(f"Deleted message #{number}")
-                logging.info(f"deleted message {number}")
+                results = result.all()
+                count = len(results)
+                if count > 0:
+                    self.api.write_output(f"Deleted message #{number}")
+                    logging.info(f"deleted message {number}")
+                else:
+                    self.api.write_output("A message with that ID addressed "
+                                          "to you was not found.")
             except sqlalchemy.exc.NoResultFound:
                 self.api.write_output(f"Message not found.")
             except Exception as e: