Preventing messages from being edited based on settings (should close #…

…44)

client/lib/chatMessages.coffee

@@ -48,6 +48,12 @@ class @ChatMessages
 
 		return unless hasPermission or (editAllowed and editOwn)
 		return if element.classList.contains("system")
+
+		msgTs = moment(message.ts) if message.ts?
+		currentTsDiff = moment().diff(msgTs, 'minutes') if msgTs?
+		if currentTsDiff > RocketChat.settings.get 'Message_AllowEditing_BlockEditInMinutes'
+			return
+
 		this.clearEditing()
 		this.input.value = message.msg
 		this.editing.element = element

client/methods/updateMessage.coffee

@@ -10,8 +10,16 @@ Meteor.methods
 		editOwn = originalMessage?.u?._id is Meteor.userId()
 
 		unless hasPermission or (editAllowed and editOwn)
+			toastr.error t('Message_editing_not_allowed')
 			throw new Meteor.Error 'message-editing-not-allowed', t('Message_editing_not_allowed')
 
+		msgTs = moment(originalMessage.ts) if originalMessage.ts?
+		currentTsDiff = moment().diff(msgTs, 'minutes') if msgTs?
+
+		if currentTsDiff > RocketChat.settings.get 'Message_AllowEditing_BlockEditInMinutes'
+			toastr.error t('Message_editing_blocked')
+			throw new Meteor.Error 'message-editing-blocked'
+
 		Tracker.nonreactive ->
 
 			message.ets = new Date(Date.now() + TimeSync.serverOffset())

client/views/app/message.coffee

@@ -42,10 +42,16 @@ Template.message.helpers
 	pinned: ->
 		return this.pinned
 	canEdit: ->
-		if RocketChat.authz.hasAtLeastOnePermission('edit-message', this.rid )
-			return true
+		hasPermission = RocketChat.authz.hasAtLeastOnePermission('edit-message', this.rid)
+		isEditAllowed = RocketChat.settings.get 'Message_AllowEditing'
+		editOwn = this.u?._id is Meteor.userId()
+
+		return unless hasPermission or (isEditAllowed and editOwn)
+
+		msgTs = moment(this.ts) if this.ts?
+		currentTsDiff = moment().diff(msgTs, 'minutes') if msgTs?
 
-		return RocketChat.settings.get('Message_AllowEditing') and this.u?._id is Meteor.userId()
+		return currentTsDiff < RocketChat.settings.get 'Message_AllowEditing_BlockEditInMinutes'
 
 	canDelete: ->
 		if RocketChat.authz.hasAtLeastOnePermission('delete-message', this.rid )

packages/rocketchat-lib/client/MessageAction.coffee

@@ -68,7 +68,16 @@ Meteor.startup ->
 				input.focus()
 			, 200
 		validation: (message) ->
-			return RocketChat.authz.hasAtLeastOnePermission('edit-message', message.rid ) or RocketChat.settings.get('Message_AllowEditing') and message.u?._id is Meteor.userId()
+			hasPermission = RocketChat.authz.hasAtLeastOnePermission('edit-message', message.rid)
+			isEditAllowed = RocketChat.settings.get 'Message_AllowEditing'
+			editOwn = message.u?._id is Meteor.userId()
+
+			return unless hasPermission or (isEditAllowed and editOwn)
+
+			msgTs = moment(message.ts) if message.ts?
+			currentTsDiff = moment().diff(msgTs, 'minutes') if msgTs?
+
+			return currentTsDiff < RocketChat.settings.get 'Message_AllowEditing_BlockEditInMinutes'
 		order: 1
 
 	RocketChat.MessageAction.addButton

server/methods/updateMessage.coffee

@@ -12,6 +12,12 @@ Meteor.methods
 		unless hasPermission or (editAllowed and editOwn)
 			throw new Meteor.Error 'message-editing-not-allowed', "[methods] updateMessage -> Message editing not allowed"
 
+		msgTs = moment(originalMessage.ts) if originalMessage.ts?
+		currentTsDiff = moment().diff(msgTs, 'minutes') if msgTs?
+
+		if currentTsDiff > RocketChat.settings.get 'Message_AllowEditing_BlockEditInMinutes'
+			throw new Meteor.Error 'message-editing-blocked', "[methods] updateMessage -> Message editing blocked"
+
 		console.log '[methods] updateMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments
 
 		# If we keep history of edits, insert a new message to store history information