From f67f7a886339c1402b31984ea220c2b9d0120ef7 Mon Sep 17 00:00:00 2001
From: srgooglo
Date: Fri, 30 Sep 2022 23:20:45 +0200
Subject: [PATCH] check if user has permission to delete comments

---
 .../src/controllers/CommentsController/index.js | 1 +
 .../CommentsController/methods/deleteComment.js | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/packages/server/src/controllers/CommentsController/index.js b/packages/server/src/controllers/CommentsController/index.js
index bb93f7ec..8e5b0613 100644
--- a/packages/server/src/controllers/CommentsController/index.js
+++ b/packages/server/src/controllers/CommentsController/index.js
@@ -62,6 +62,7 @@ export default class CommentsController extends Controller {
 fn: async (req, res) => {
 const result = await deleteComment({
 comment_id: req.params.comment_id,
+ issuer_id: req.user._id.toString(),
 }).catch((err) => {
 res.status(500).json({
 message: err.message })
diff --git a/packages/server/src/controllers/CommentsController/methods/deleteComment.js b/packages/server/src/controllers/CommentsController/methods/deleteComment.js
index c6a8130d..3dc371d6 100644
--- a/packages/server/src/controllers/CommentsController/methods/deleteComment.js
+++ b/packages/server/src/controllers/CommentsController/methods/deleteComment.js
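Review bot: The new `issuer_id: req.user._id.toString()` dereferences `req.user` unconditionally, so a request that reaches this handler without an authenticated user throws a TypeError while the argument object is being built, before the `.catch` on the `deleteComment` promise exists, and the route fails with an unhandled rejection instead of a clean 401. Whether this route's middleware guarantees `req.user` is not visible in the hunk; if it does not, guard first with `if (!req.user?._id) return res.status(401).json({ message: "Unauthorized" })`. Deriving the issuer from the authenticated session rather than from a request parameter is the right choice and should stay as is. The handler `fn` starts and ends outside the hunk.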
@@ -1,18 +1,29 @@
 import { Comment } from "../../../models"
+import CheckUserAdmin from "../../../lib/checkUserAdmin"
 export default async (payload) => {
- const { comment_id } = payload
+ const { issuer_id, comment_id } = payload
+
+ if (!issuer_id) {
+ throw new Error("Missing issuer_id")
+ }
 if (!comment_id) {
 throw new Error("Missing comment_id")
 }
+ const isAdmin = await CheckUserAdmin(issuer_id)
+
 const comment = await Comment.findById(comment_id)
 if (!comment) {
 throw new Error("Comment not found")
 }
+ if (comment.user_id !== issuer_id && !isAdmin) {
+ throw new Error("You can't delete this comment, cause you are not the owner.")
+ }
+
 await comment.delete()
 global.wsInterface.io.emit(`comment.delete.${comment_id}`)
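Review bot: The owner check `comment.user_id !== issuer_id` strictly compares a string (the controller passes `req.user._id.toString()`) against whatever the Comment model stores in `user_id`; if that field is an ObjectId rather than a string the two are never equal and every non-admin owner is refused, which fails closed but breaks the feature, so normalize both sides: `if (String(comment.user_id) !== String(issuer_id) && !isAdmin) {`. The model is not in the hunk, so this needs confirming against it. The refusal is thrown as a plain `Error`, which the controller's catch turns into a 500 and so conflates an authorization decision with a server fault; a dedicated error carrying a status the controller can map to 403 would keep the two apart, and the message should read "because" rather than "cause". The function body continues past the end of the hunk.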