From d713a28fcf3063cf588b4e604b1e7220eb0bcc90 Mon Sep 17 00:00:00 2001
From: ClaraCrazy
Date: Thu, 2 Nov 2023 06:27:28 +0100
Subject: [PATCH] Prevent malicious deletes

---
 application/mail-processing-service.js | 7 ++++---
 domain/mail-repository.js | 15 +++++++++++++++
 infrastructure/web/routes/inbox.js | 2 +-
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/application/mail-processing-service.js b/application/mail-processing-service.js
index 9a4d0df..bcb2100 100644
--- a/application/mail-processing-service.js
+++ b/application/mail-processing-service.js
@@ -31,9 +31,10 @@ class MailProcessingService extends EventEmitter {
 return this.mailRepository.getForRecipient(address)
 }

- deleteSpecificEmail(uid) {
- this.imapService.deleteSpecificEmail(uid)
- this.mailRepository.removeUid(uid)
+ deleteSpecificEmail(adress, uid) {
+ if (this.mailRepository.UserRemoveUid(adress, uid) == true) {
+ this.imapService.deleteSpecificEmail(uid)
+ }
 }

 getOneFullMail(address, uid) {
diff --git a/domain/mail-repository.js b/domain/mail-repository.js
index ad0a7f5..5b154ac 100644
--- a/domain/mail-repository.js
+++ b/domain/mail-repository.js
@@ -22,6 +22,21 @@ class MailRepository {
 this.mailSummaries.set(to.toLowerCase(), mailSummary)
 }

+ UserRemoveUid(address, uid) {
+ var deleted = false
+ // TODO: make this more efficient, looping through each email is not cool.
+ this.mailSummaries.forEachAssociation((mails, to) => {
+ mails
+ .filter(mail => mail.uid === parseInt(uid) & to == address)
+ .forEach(mail => {
+ this.mailSummaries.remove(to, mail)
+ debug('removed ', mail.date, to, mail.subject)
+ deleted = true
+ })
+ })
+ return deleted
+ }
+
 removeUid(uid) {
 // TODO: make this more efficient, looping through each email is not cool.
 this.mailSummaries.forEachAssociation((mails, to) => {
diff --git a/infrastructure/web/routes/inbox.js b/infrastructure/web/routes/inbox.js
index fd90112..43dbf83 100644
--- a/infrastructure/web/routes/inbox.js
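Review bot: The new `deleteSpecificEmail(adress, uid)` in application/mail-processing-service.js returns nothing, so the route that awaits it cannot tell a refused delete (uid not found under that address) from a completed one, and if the IMAP call returns a promise its rejection presumably never reaches the caller's `catch`. Returning the outcome would fix both: `if (!this.mailRepository.UserRemoveUid(address, uid)) return false` followed by `return this.imapService.deleteSpecificEmail(uid)`. The in-memory entry is now removed before the IMAP delete is known to have succeeded, so a server-side failure leaves the two stores out of step; if that order is intentional it deserves a comment. The parameter is spelled `adress` here but `address` in the neighbouring `getOneFullMail`.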
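Review bot: The ownership test in `UserRemoveUid`'s `.filter(...)` in domain/mail-repository.js uses bitwise `&` and loose `==`, so the authorization decision rests on integer coercion of two booleans rather than a logical AND. It also compares `to` with the raw `address`, while the context line above stores entries under `to.toLowerCase()`; if `to` is that stored key, a mixed-case address in the URL would never match and the delete would be refused without any signal. I would write it as `.filter(mail => to === address.toLowerCase() && mail.uid === Number.parseInt(uid, 10))`, which also gives `parseInt` an explicit radix. Because this method is what binds a uid to its mailbox, a doc comment stating that it returns `true` only when a message with that uid was found under that address would make the contract clear to callers.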
+++ b/infrastructure/web/routes/inbox.js
@@ -59,7 +59,7 @@ router.get(
 async (req, res, next) => {
 try {
 const mailProcessingService = req.app.get('mailProcessingService')
- await mailProcessingService.deleteSpecificEmail(req.params.uid)
+ await mailProcessingService.deleteSpecificEmail(req.params.address, req.params.uid)
 res.redirect(`/${req.params.address}`)
 } catch (error) {
 console.error('error while deleting email', error)
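Review bot: The delete handler is still registered with `router.get(` (visible in the hunk header), so this state-changing action runs on any plain fetch of the URL, including a cross-site request or a link prefetcher. The new address/uid pairing does not cover that case, because such a request carries the matching address in its path. Consider registering it as `router.post(` or `router.delete(` and requiring an anti-CSRF token. The handler also calls `res.redirect` whatever the outcome, so a refused delete looks the same to the client as a successful one and leaves nothing in the logs. The handler's body starts and ends outside this hunk.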