Commit 28728e91 authored by Rene Saarsoo's avatar Rene Saarsoo

Refactor checks for comment ownership.

Create a validator that checks whether the user is allowed to edit the
current comment, and use it for that check when updating, deleting and
undoing deletes.
parent be5af754
+19 −48
@@ -263,13 +263,7 @@ app.namespace('/auth/:sdk/:version', function(){
        if (req.body.vote) {
            util.vote(req, res, comment);
        } else {
            var canUpdate = _.include(req.session.user.membergroupids, 7) || req.session.user.username == comment.author;

            if (!canUpdate) {
                res.json({success: false, reason: 'Forbidden'}, 403);
                return;
            }

            util.requireOwner(req, res, function() {
                comment.content = req.body.content;
                comment.contentHtml = util.markdown(req.body.content);

@@ -282,27 +276,16 @@ app.namespace('/auth/:sdk/:version', function(){
                comment.save(function(err, response) {
                    res.json({ success: true, content: comment.contentHtml });
                });
            });
        }
    });

    /**
     * Deletes a comment
     */
    app.post('/comments/:commentId/delete', util.requireLoggedInUser, util.findComment, function(req, res) {

        var canDelete = false,
            comment = req.comment;

        canDelete = _.include(req.session.user.membergroupids, 7) || req.session.user.username == req.comment.author;

        if (!canDelete) {
            res.json({ success: false, reason: 'Forbidden' }, 403);
            return;
        }

        comment.deleted = true;

        comment.save(function(err, response) {
    app.post('/comments/:commentId/delete', util.requireLoggedInUser, util.findComment, util.requireOwner, function(req, res) {
        req.comment.deleted = true;
        req.comment.save(function(err, response) {
            res.send({ success: true });
        });
    });
@@ -310,22 +293,10 @@ app.namespace('/auth/:sdk/:version', function(){
    /**
     * Restores deleted comment
     */
    app.post('/comments/:commentId/undo_delete', util.requireLoggedInUser, util.findComment, function(req, res) {

        var canUndoDelete = false,
            comment = req.comment;

        canUndoDelete = _.include(req.session.user.membergroupids, 7) || req.session.user.username == req.comment.author;

        if (!canUndoDelete) {
            res.json({ success: false, reason: 'Forbidden' }, 403);
            return;
        }

        comment.deleted = false;

        comment.save(function(err, response) {
            res.send({ success: true, comment: util.scoreComments([comment], req)[0] });
    app.post('/comments/:commentId/undo_delete', util.requireLoggedInUser, util.findComment, util.requireOwner, function(req, res) {
        req.comment.deleted = false;
        req.comment.save(function(err, response) {
            res.send({ success: true, comment: util.scoreComments([req.comment], req)[0] });
        });
    });

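Review bot: The save callbacks on the new delete and undo_delete lines (`req.comment.save(function(err, response) {` followed by `res.send({ success: true });`) ignore `err`, so the client is told the deletion or restore succeeded even when the write failed and the comment's `deleted` flag never changed. The `comment.save` callback in the update hunk has the same shape, though that function continues outside the visible lines. I would guard it first in each handler: `if (err) { res.json({ success: false, reason: 'Failed to save comment' }, 500); return; }`. Moving the ownership check into the `util.requireOwner` middleware ahead of the handler is otherwise the right shape.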
+20 −0
@@ -140,6 +140,26 @@ exports.findComment = function(req, res, next) {
    }
};

/**
 * Ensures that user is allowed to modify/delete the comment,
 * that is, he is the owner of the comment or a moderator.
 *
 * @param {Object} req
 * @param {Object} res
 * @param {Function} next
 */
exports.requireOwner = function(req, res, next) {
    var isModerator = _.include(req.session.user.membergroupids, 7);
    var isAuthor = req.session.user.username == req.comment.author;

    if (isModerator || isAuthor) {
        next();
    }
    else {
        res.json({ success: false, reason: 'Forbidden' }, 403);
    }
};

/**
 * Sends e-mail updates when comment is posted to a thread that has
 * subscribers.
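Review bot: `requireOwner` dereferences `req.session.user.membergroupids` and `req.comment.author` without any guard, so on a route that does not run `requireLoggedInUser` and `findComment` first it would throw a TypeError instead of answering 403; the three routes in this commit do chain them, but the JSDoc should state the precondition, e.g. `Must be chained after requireLoggedInUser and findComment, which populate req.session.user and req.comment.`. The moderator check hard-codes group id `7`, the same literal the removed route handlers carried, so a module-level `var MODERATOR_GROUP_ID = 7;` would make the authorization rule greppable and keep it from drifting if it is checked anywhere else. `isAuthor` compares with `==`; `===` avoids a coerced match if `author` is ever stored as something other than a string. Ownership here rests on the username rather than a stable user id, which is only sound if usernames are immutable and never reassigned — worth confirming against how `comment.author` is populated.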