@actual-app/sync-server 26.1.0-nightly.20251229 → 26.1.0-nightly.20251231

package/build/src/app-sync.js

@@ -5,7 +5,7 @@ import { resolve } from 'node:path';
 import { SyncProtoBuf } from '@actual-app/crdt';
 import express from 'express';
 import { v4 as uuidv4 } from 'uuid';
-import { getAccountDb } from './account-db.js';
+import { getAccountDb, isAdmin } from './account-db.js';
 import { FileNotFound } from './app-sync/errors.js';
 import { File, FilesService, FileUpdate, } from './app-sync/services/files-service.js';
 import { validateSyncedFile, validateUploadedFile, } from './app-sync/validation.js';
@@ -308,7 +308,20 @@ app.post('/delete-user-file', (req, res) => {
         return;
     }
     const filesService = new FilesService(getAccountDb());
-    if (!verifyFileExists(fileId, filesService, res, 'file-not-found')) {
+    const file = verifyFileExists(fileId, filesService, res, 'file-not-found');
+    if (!file) {
+        return;
+    }
+    // Check if user has permission to delete the file
+    const { user_id: userId } = res.locals;
+    const isOwner = file.owner === userId;
+    const isServerAdmin = isAdmin(userId);
+    if (!isOwner && !isServerAdmin) {
+        res.status(403).send({
+            status: 'error',
+            reason: 'forbidden',
+            details: 'file-delete-not-allowed',
+        });
         return;
     }
     filesService.update(fileId, new FileUpdate({ deleted: true }));

package/build/src/app-sync.test.js

@@ -10,6 +10,9 @@ const ADMIN_ROLE = 'ADMIN';
 const createUser = (userId, userName, role, owner = 0, enabled = 1) => {
     getAccountDb().mutate('INSERT INTO users (id, user_name, display_name, enabled, owner, role) VALUES (?, ?, ?, ?, ?, ?)', [userId, userName, `${userName} display`, enabled, owner, role]);
 };
+const deleteUser = (userId) => {
+    getAccountDb().mutate('DELETE FROM users WHERE id = ?', [userId]);
+};
 describe('/user-get-key', () => {
     it('returns 401 if the user is not authenticated', async () => {
         const res = await request(app).post('/user-get-key');
@@ -402,6 +405,7 @@ describe('/list-user-files', () => {
     });
     it('returns a list of user files for an authenticated user', async () => {
         createUser('fileListAdminId', 'admin', ADMIN_ROLE, 1);
+        onTestFinished(() => deleteUser('fileListAdminId'));
         const fileId1 = crypto.randomBytes(16).toString('hex');
         const fileId2 = crypto.randomBytes(16).toString('hex');
         const fileName1 = 'file1.txt';
@@ -537,6 +541,64 @@ describe('/delete-user-file', () => {
         ]);
         expect(rows[0].deleted).toBe(1);
     });
+    it('returns 403 if the user is not the owner and not an admin', async () => {
+        const accountDb = getAccountDb();
+        const fileId = crypto.randomBytes(16).toString('hex');
+        // Insert a file owned by another user
+        accountDb.mutate('INSERT OR IGNORE INTO files (id, deleted, owner) VALUES (?, FALSE, ?)', [fileId, 'differentUser']);
+        // Try to delete with a non-admin, non-owner user
+        const res = await request(app)
+            .post('/delete-user-file')
+            .set('x-actual-token', 'valid-token-user')
+            .send({ fileId });
+        expect(res.statusCode).toEqual(403);
+        expect(res.body).toEqual({
+            status: 'error',
+            reason: 'forbidden',
+            details: 'file-delete-not-allowed',
+        });
+        // Verify that the file is NOT deleted
+        const rows = accountDb.all('SELECT deleted FROM files WHERE id = ?', [
+            fileId,
+        ]);
+        expect(rows[0].deleted).toBe(0);
+    });
+    it('allows the file owner to delete the file', async () => {
+        const accountDb = getAccountDb();
+        const fileId = crypto.randomBytes(16).toString('hex');
+        // Insert a file owned by genericUser
+        accountDb.mutate('INSERT OR IGNORE INTO files (id, deleted, owner) VALUES (?, FALSE, ?)', [fileId, 'genericUser']);
+        // Delete with the owner user
+        const res = await request(app)
+            .post('/delete-user-file')
+            .set('x-actual-token', 'valid-token-user')
+            .send({ fileId });
+        expect(res.statusCode).toEqual(200);
+        expect(res.body).toEqual({ status: 'ok' });
+        // Verify that the file is deleted
+        const rows = accountDb.all('SELECT deleted FROM files WHERE id = ?', [
+            fileId,
+        ]);
+        expect(rows[0].deleted).toBe(1);
+    });
+    it('allows an admin to delete any file', async () => {
+        const accountDb = getAccountDb();
+        const fileId = crypto.randomBytes(16).toString('hex');
+        // Insert a file owned by another user
+        accountDb.mutate('INSERT OR IGNORE INTO files (id, deleted, owner) VALUES (?, FALSE, ?)', [fileId, 'someOtherUser']);
+        // Delete with an admin user
+        const res = await request(app)
+            .post('/delete-user-file')
+            .set('x-actual-token', 'valid-token-admin')
+            .send({ fileId });
+        expect(res.statusCode).toEqual(200);
+        expect(res.body).toEqual({ status: 'ok' });
+        // Verify that the file is deleted
+        const rows = accountDb.all('SELECT deleted FROM files WHERE id = ?', [
+            fileId,
+        ]);
+        expect(rows[0].deleted).toBe(1);
+    });
 });
 describe('/sync', () => {
     it('returns 401 if the user is not authenticated', async () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@actual-app/sync-server",
-  "version": "26.1.0-nightly.20251229",
+  "version": "26.1.0-nightly.20251231",
   "license": "MIT",
   "description": "actual syncing server",
   "bin": {
@@ -29,7 +29,7 @@
   },
   "dependencies": {
     "@actual-app/crdt": "2.1.0",
-    "@actual-app/web": "26.1.0-nightly.20251229",
+    "@actual-app/web": "26.1.0-nightly.20251231",
     "bcrypt": "^6.0.0",
     "better-sqlite3": "^12.4.1",
     "convict": "^6.2.4",