Prevent malicious deletes

application/mail-processing-service.js

@@ -31,9 +31,10 @@ class MailProcessingService extends EventEmitter {
 		return this.mailRepository.getForRecipient(address)
 	}
 
-	deleteSpecificEmail(uid) {
+	deleteSpecificEmail(adress, uid) {
+		if (this.mailRepository.UserRemoveUid(adress, uid) == true) {
 			this.imapService.deleteSpecificEmail(uid)
-		this.mailRepository.removeUid(uid)
+		}
 	}
 
 	getOneFullMail(address, uid) {

domain/mail-repository.js

@@ -22,6 +22,21 @@ class MailRepository {
 		this.mailSummaries.set(to.toLowerCase(), mailSummary)
 	}
 
+	UserRemoveUid(address, uid) {
+		var deleted = false
+		// TODO: make this more efficient, looping through each email is not cool.
+		this.mailSummaries.forEachAssociation((mails, to) => {
+			mails
+				.filter(mail => mail.uid === parseInt(uid) & to == address)
+				.forEach(mail => {
+					this.mailSummaries.remove(to, mail)
+					debug('removed ', mail.date, to, mail.subject)
+					deleted = true
+				})
+		})
+		return deleted
+	}
+
 	removeUid(uid) {
 		// TODO: make this more efficient, looping through each email is not cool.
 		this.mailSummaries.forEachAssociation((mails, to) => {

infrastructure/web/routes/inbox.js

@@ -59,7 +59,7 @@ router.get(
 	async (req, res, next) => {
 		try {
 			const mailProcessingService = req.app.get('mailProcessingService')
-			await mailProcessingService.deleteSpecificEmail(req.params.uid)
+			await mailProcessingService.deleteSpecificEmail(req.params.address, req.params.uid)
 			res.redirect(`/${req.params.address}`)
 		} catch (error) {
 			console.error('error while deleting email', error)