From 7c7bb45c0dc6163c99a9db959bb104654acd7374 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sun, 4 Aug 2019 20:28:21 +0100
Subject: [PATCH] Only show delete icon on posts which can be deleted

---
 daemon.py       | 5 +++++
 webinterface.py | 8 +++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/daemon.py b/daemon.py
index d2a4a2a5..101179ce 100644
--- a/daemon.py
+++ b/daemon.py
@@ -795,6 +795,11 @@ class PubServer(BaseHTTPRequestHandler):
         if authorized and '?delete=' in self.path:
             deleteUrl=self.path.split('?delete=')[1]
             actor=self.path.split('?delete=')[0]
+            if actor not in deleteUrl:
+                # You can only delete your own posts
+                self.server.GETbusy=False
+                self._redirect_headers(actor+'/inbox',cookie)
+                return
             self.postToNickname=getNicknameFromActor(actor)
             if not self.server.session:
                 self.server.session= \
diff --git a/webinterface.py b/webinterface.py
index d2042ff0..5d47030c 100644
--- a/webinterface.py
+++ b/webinterface.py
@@ -693,9 +693,11 @@ def individualPostAsHtml(baseDir: str, \
     likeStr= \
         '<a href="/users/'+nickname+'?'+likeLink+'='+postJsonObject['object']['id']+'" title="'+likeTitle+'">' \
         '<img src="/icons/'+likeIcon+'"/></a>'
-    deleteStr= \
-        '<a href="/users/'+nickname+'?delete='+postJsonObject['object']['id']+'" title="Delete this post">' \
-        '<img src="/icons/delete.png"/></a>'
+    deleteStr=''
+    if '/users/'+nickname+'/' in postJsonObject['object']['id']:
+        deleteStr= \
+            '<a href="/users/'+nickname+'?delete='+postJsonObject['object']['id']+'" title="Delete this post">' \
+            '<img src="/icons/delete.png"/></a>'
 
     if showIcons:
         footerStr='<div class="'+containerClassIcons+'">'