From de62b155d9c629f9e4147d9dd5c9026952da2554 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 19 Oct 2020 11:33:02 +0100
Subject: [PATCH] Removing posts

---
 daemon.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/daemon.py b/daemon.py
index 08c8ae61..37c2fefb 100644
--- a/daemon.py
+++ b/daemon.py
@@ -11456,7 +11456,14 @@ class PubServer(BaseHTTPRequestHandler):
 
         self._benchmarkPOSTtimings(POSTstartTime, POSTtimings, 7)
 
-        if authorized:
+        if not authorized:
+            if self.path.endswith('/rmpost'):
+                print('ERROR: attempt to remove post was not authorized. ' +
+                      self.path)
+                self._400()
+                self.server.POSTbusy = False
+                return
+        else:
             # a vote/question/poll is posted
             if self.path.endswith('/question') or \
                '/question?page=' in self.path:
@@ -11488,11 +11495,12 @@ class PubServer(BaseHTTPRequestHandler):
 
             # removes a post
             if self.path.endswith('/rmpost'):
-                print('ERROR: attempt to remove post was not authorized. ' +
-                      self.path)
-                self._400()
-                self.server.POSTbusy = False
-                return
+                if '/users/' not in self.path:
+                    print('ERROR: attempt to remove post was not authorized. ' +
+                          self.path)
+                    self._400()
+                    self.server.POSTbusy = False
+                    return
             if self.path.endswith('/rmpost'):
                 self._removePost(callingDomain, cookie,
                                  authorized, self.path,