From cb064358f86a236941c13b9e9283abe9f97b5303 Mon Sep 17 00:00:00 2001
From: Alejandro Alonso
Date: Wed, 24 Aug 2022 10:26:08 +0200
Subject: [PATCH] :bug: Fix permissions when moving comments
---
 backend/src/app/rpc/commands/comments.clj | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/backend/src/app/rpc/commands/comments.clj b/backend/src/app/rpc/commands/comments.clj
index f7bf9e521..576f6599c 100644
--- a/backend/src/app/rpc/commands/comments.clj
+++ b/backend/src/app/rpc/commands/comments.clj
@@ -496,16 +496,14 @@
 ;; --- COMMAND: Update comment thread position
 (s/def ::update-comment-thread-position
- (s/keys :req-un [::profile-id ::id ::position ::frame-id]))
+ (s/keys :req-un [::profile-id ::id ::position ::frame-id ::share-id]))
 (sv/defmethod ::update-comment-thread-position
 {::doc/added "1.15"}
- [{:keys [pool] :as cfg} {:keys [profile-id id position frame-id] :as params}]
+ [{:keys [pool] :as cfg} {:keys [profile-id id position frame-id share-id] :as params}]
 (db/with-atomic [conn pool]
 (let [thread (db/get-by-id conn :comment-thread id {:for-update true})]
- (when-not (= (:owner-id thread) profile-id)
- (ex/raise :type :validation
- :code :not-allowed))
+ (files/check-comment-permissions! conn profile-id (:file-id thread) share-id)
 (db/update! conn :comment-thread
 {:modified-at (dt/now)
 :position (db/pgpoint position)
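Review bot: `::share-id` is added to `:req-un` in the `::update-comment-thread-position` spec, which makes the key mandatory for every caller, including authenticated team members who reach the file without a share link; unless every client is known to send it, those requests would be rejected by spec validation before the permission check runs. Consider `(s/keys :req-un [::profile-id ::id ::position ::frame-id] :opt-un [::share-id])`, so the destructured `share-id` is simply nil when absent (this assumes `files/check-comment-permissions!` accepts a nil share-id, which is not visible here). The same applies to `::update-comment-thread-frame` in the next hunk. The method body continues past the end of the hunk.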
@@ -516,16 +514,14 @@
 ;; --- COMMAND: Update comment frame
 (s/def ::update-comment-thread-frame
- (s/keys :req-un [::profile-id ::id ::frame-id]))
+ (s/keys :req-un [::profile-id ::id ::frame-id ::share-id]))
 (sv/defmethod ::update-comment-thread-frame
 {::doc/added "1.15"}
- [{:keys [pool] :as cfg} {:keys [profile-id id frame-id] :as params}]
+ [{:keys [pool] :as cfg} {:keys [profile-id id frame-id share-id] :as params}]
 (db/with-atomic [conn pool]
 (let [thread (db/get-by-id conn :comment-thread id {:for-update true})]
- (when-not (= (:owner-id thread) profile-id)
- (ex/raise :type :validation
- :code :not-allowed))
+ (files/check-comment-permissions! conn profile-id (:file-id thread) share-id)
 (db/update! conn :comment-thread
 {:modified-at (dt/now)
 :frame-id frame-id}
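Review bot: With the owner comparison removed, the request-supplied `frame-id` is written to the thread for any profile that passes `files/check-comment-permissions!`, which judging by its `share-id` argument can include share-link access, and nothing visible in this hunk checks that the frame belongs to `(:file-id thread)`. If widening the audience is intended, a comment above the check such as `;; any profile with comment permission on the file may move a thread, not only its owner` would record the decision; otherwise keep the owner check in addition to the file-level one. It is also worth confirming that `db/get-by-id` raises on an unknown id, since a nil `thread` would pass a nil file-id into the permission check. The same reasoning applies to `::update-comment-thread-position` in the previous hunk, and the method body continues past the end of this one.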