From b03eb84bb640fd5afbff0a899b3afbce34df3ed9 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Sat, 29 Jun 2024 00:14:42 +0100
Subject: [PATCH] Only the sender of a message should be able to mark it as
 read/unread

---
 app/controllers/messages_controller.rb       |  2 +-
 test/controllers/messages_controller_test.rb | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 779174e25..e4d6c70d9 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -117,7 +117,7 @@ class MessagesController < ApplicationController
 
   # Set the message as being read or unread.
   def mark
-    @message = Message.where(:recipient => current_user).or(Message.where(:sender => current_user)).find(params[:message_id])
+    @message = current_user.messages.find(params[:message_id])
     if params[:mark] == "unread"
       message_read = false
       notice = t ".as_unread"
diff --git a/test/controllers/messages_controller_test.rb b/test/controllers/messages_controller_test.rb
index db3a200b6..3f19b5819 100644
--- a/test/controllers/messages_controller_test.rb
+++ b/test/controllers/messages_controller_test.rb
@@ -369,10 +369,10 @@ class MessagesControllerTest < ActionDispatch::IntegrationTest
   ##
   # test the mark action
   def test_mark
-    user = create(:user)
+    sender_user = create(:user)
     recipient_user = create(:user)
     other_user = create(:user)
-    message = create(:message, :unread, :sender => user, :recipient => recipient_user)
+    message = create(:message, :unread, :sender => sender_user, :recipient => recipient_user)
 
     # Check that the marking a message requires us to login
     post message_mark_path(message)
@@ -386,6 +386,14 @@ class MessagesControllerTest < ActionDispatch::IntegrationTest
     assert_response :not_found
     assert_template "no_such_message"
 
+    # Login as the message sender_user
+    session_for(sender_user)
+
+    # Check that marking a message we sent fails
+    post message_mark_path(message)
+    assert_response :not_found
+    assert_template "no_such_message"
+
     # Login as the message recipient_user
     session_for(recipient_user)
 
-- 
2.39.5