check if user has permission to delete comments

packages/server/src/controllers/CommentsController/index.js

@@ -62,6 +62,7 @@ export default class CommentsController extends Controller {
             fn: async (req, res) => {
                 const result = await deleteComment({
                     comment_id: req.params.comment_id,
+                    issuer_id: req.user._id.toString(),
                 }).catch((err) => {
                     res.status(500).json({ message: err.message })
 

packages/server/src/controllers/CommentsController/methods/deleteComment.js

@@ -1,18 +1,29 @@
 import { Comment } from "../../../models"
+import CheckUserAdmin from "../../../lib/checkUserAdmin"
 
 export default async (payload) => {
-    const { comment_id } = payload
+    const { issuer_id, comment_id } = payload
+
+    if (!issuer_id) {
+        throw new Error("Missing issuer_id")
+    }
 
     if (!comment_id) {
         throw new Error("Missing comment_id")
     }
 
+    const isAdmin = await CheckUserAdmin(issuer_id)
+
     const comment = await Comment.findById(comment_id)
 
     if (!comment) {
         throw new Error("Comment not found")
     }
 
+    if (comment.user_id !== issuer_id && !isAdmin) {
+        throw new Error("You can't delete this comment, cause you are not the owner.")
+    }
+
     await comment.delete()
 
     global.wsInterface.io.emit(`comment.delete.${comment_id}`)