diff --git a/src/api/endpoints/messaging/messages/create.js b/src/api/endpoints/messaging/messages/create.js index 498883057b..47bc1a9968 100644 --- a/src/api/endpoints/messaging/messages/create.js +++ b/src/api/endpoints/messaging/messages/create.js @@ -31,6 +31,16 @@ module.exports = (params, user) => // Get 'user_id' parameter let recipient = params.user_id; if (recipient !== undefined && recipient !== null) { + // Validate id + if (!mongo.ObjectID.isValid(recipient)) { + return rej('incorrect user_id'); + } + + // Myself + if (new mongo.ObjectID(recipient).equals(user._id)) { + return rej('-need-translate-'); + } + recipient = await User.findOne({ _id: new mongo.ObjectID(recipient) }, {