Merge pull request #22 from piranha32/dont_snoop_on_mail

Block users from reading mail for other nodes

command_handlers.py

@@ -258,10 +258,19 @@ def handle_mail_steps(sender_id, message, step, state, interface, bbs_nodes):
 
     elif step == 2:
         mail_id = int(message)
-        sender, date, subject, content, unique_id = get_mail_content(mail_id)
-        send_message(f"Date: {date}\nFrom: {sender}\nSubject: {subject}\n{content}", sender_id, interface)
-        send_message("Would you like to delete this message now that you've viewed it? Y/N", sender_id, interface)
-        update_user_state(sender_id, {'command': 'MAIL', 'step': 4, 'mail_id': mail_id, 'unique_id': unique_id})
+        try:
+            
+            # ERROR: sender_id is not what is stored in the DB
+            sender_node_id = get_node_id_from_num(sender_id, interface)
+            sender, date, subject, content, unique_id = get_mail_content(mail_id, sender_node_id)
+            send_message(f"Date: {date}\nFrom: {sender}\nSubject: {subject}\n{content}", sender_id, interface)
+            send_message("Would you like to delete this message now that you've viewed it? Y/N", sender_id, interface)
+            update_user_state(sender_id, {'command': 'MAIL', 'step': 4, 'mail_id': mail_id, 'unique_id': unique_id})
+        except TypeError:
+            # get_main_content returned None. Node tried to access somebody's else mail message
+            logging.info(f"Node {sender_id} tried to access non-existent message")
+            send_message(f"Mail not found", sender_id, interface)
+            update_user_state(sender_id, None)
 
     elif step == 3:
         short_name = message
@@ -283,7 +292,8 @@ def handle_mail_steps(sender_id, message, step, state, interface, bbs_nodes):
     elif step == 4:
         if message.lower() == "y":
             unique_id = state['unique_id']
-            delete_mail(unique_id, bbs_nodes, interface)
+            sender_node_id = get_node_id_from_num(sender_id, interface)
+            delete_mail(unique_id, sender_node_id, bbs_nodes, interface)
             send_message("The message has been deleted 🗑️", sender_id, interface)
         else:
             send_message("The message has been kept in your inbox.✉️\nJust don't let it get as messy as your regular email inbox (ಠ_ಠ)", sender_id, interface)

db_operations.py

@@ -123,24 +123,26 @@ def get_mail(recipient_id):
     c.execute("SELECT id, sender_short_name, subject, date, unique_id FROM mail WHERE recipient = ?", (recipient_id,))
     return c.fetchall()
 
-def get_mail_content(mail_id):
+def get_mail_content(mail_id, recipient_id):
+    # TODO: ensure only recipient can read mail
     conn = get_db_connection()
     c = conn.cursor()
-    c.execute("SELECT sender_short_name, date, subject, content, unique_id FROM mail WHERE id = ?", (mail_id,))
+    c.execute("SELECT sender_short_name, date, subject, content, unique_id FROM mail WHERE id = ? and recipient = ?", (mail_id, recipient_id,))
     return c.fetchone()
 
-def delete_mail(unique_id, bbs_nodes, interface):
-    logging.info(f"Attempting to delete mail with unique_id: {unique_id}")
+def delete_mail(unique_id, recipient_id, bbs_nodes, interface):
+    # TODO: ensure only recipient can delete mail
+    logging.info(f"Attempting to delete mail with unique_id: {unique_id} by {recipient_id}")
     conn = get_db_connection()
     c = conn.cursor()
     try:
-        c.execute("SELECT unique_id FROM mail WHERE unique_id = ?", (unique_id,))
+        c.execute("SELECT unique_id FROM mail WHERE unique_id = ? and recipient = ?", (unique_id, recipient_id,))
         result = c.fetchone()
         logging.debug(f"Fetch result for unique_id {unique_id}: {result}")
         if result is None:
             logging.error(f"No mail found with unique_id: {unique_id}")
             return  # Early exit if no matching mail found
-        c.execute("DELETE FROM mail WHERE unique_id = ?", (unique_id,))
+        c.execute("DELETE FROM mail WHERE unique_id = ? and recipient = ?", (unique_id, recipient_id,))
         conn.commit()
         send_delete_mail_to_bbs_nodes(unique_id, bbs_nodes, interface)
         logging.info(f"Mail with unique_id: {unique_id} deleted and sync message sent.")