use h() to avoid XSS in usernames
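index ba9e9f1e2171d16d41a6c844fc7f4d95356c53fa..db40cc03f7922b33625eb7ed9f17391e3b86b6a0 100644
--- a/app/controllers/message_controller.rb
+++ b/app/controllers/message_controller.rb
@@ -110,10 +110,16 @@ class MessageController < ApplicationController
     if params[:message_id]
       id = params[:message_id]
       message = Message.find_by_id(id)
-      message.visible = false
+      message.from_user_visible = false if message.sender == @user
+      message.to_user_visible = false if message.recipient == @user
       if message.save
         flash[:notice] = t 'message.delete.deleted'
-        redirect_to :controller => 'message', :action => 'inbox', :display_name => @user.display_name
+
+        if params[:referer]
+          redirect_to params[:referer]
+        else
+          redirect_to :controller => 'message', :action => 'inbox', :display_name => @user.display_name
+        end
       end
     end
   rescue ActiveRecord::RecordNotFound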
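Review bot: `redirect_to params[:referer]` in the new branch forwards to whatever URL the request carried, so a link to this delete action can send a logged-in user on to an arbitrary external site (an open redirect); the inbox fallback is only taken when the parameter is absent. Restrict the target to a local path before trusting it, e.g. `referer = params[:referer]` and `if referer && referer.start_with?("/") && !referer.start_with?("//")`, falling through to the inbox redirect otherwise. Separately, `message.sender == @user` on the first added line is evaluated against a nil `message` when `find_by_id` matches nothing, and the `rescue ActiveRecord::RecordNotFound` at the end of the hunk does not cover the resulting NoMethodError; this exposure appears pre-existing (the removed `message.visible = false` had it too), but the rewrite is a natural point to use `Message.find(id)` so the existing rescue applies. The enclosing action starts before the hunk and ends after it.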