From 4671e6de512c2eb2192fbf42d03ba1641f891da2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20V=C3=B6gele?=
Date: Thu, 29 Apr 2021 00:20:24 +0200
Subject: [PATCH] Only allow users to update the movement history for tokens they own
---
 src/socket.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/socket.js b/src/socket.js
index 6a8d460..cfef48e 100644
--- a/src/socket.js
+++ b/src/socket.js
@@ -11,7 +11,18 @@ export function updateCombatantDragRulerFlags(combat, updates) {
 }
 async function _socketUpdateCombatantDragRulerFlags(combatId, updates) {
+ const user = game.users.get(this.socketdata.userId);
 const combat = game.combats.get(combatId);
+ const requestedUpdates = updates.length;
+ updates = updates.filter(update => {
+ const actor = combat.getCombatant(update._id).actor;
+ if (!actor)
+ return false;
+ return actor.hasPerm(user, "OWNER");
+ });
+ if (updates.length !== requestedUpdates) {
+ console.warn(`Some of the movement history updates requested by user '${game.users.get(this.socketdata.userId).name}' were not performed because the user lacks owner permissions for those tokens`);
+ }
 updates = updates.map(update => {
 return {_id: update._id, flags: {dragRuler: update.dragRulerFlags}};
 });
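Review bot: The new filter callback reads `combat.getCombatant(update._id).actor` without checking that the combat or the combatant exists, so a request naming an unknown `combatId` or combatant `_id` would presumably throw a TypeError in the handler instead of being dropped like the missing-actor case. Both values arrive over the socket, so I would return early with `if (!user || !combat) return;` before the filter and read the actor as `const actor = combat.getCombatant(update._id)?.actor;` inside it (or use an explicit check if the project avoids optional chaining). The ownership check also rests entirely on `this.socketdata.userId`; whether the socket layer verifies that id or copies it from the sender's message is not visible here and is worth confirming, because the check is only as strong as that value. The warning can use `user.name` rather than a second `game.users.get(...)` lookup. The function body continues past the end of the hunk.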