🐛 Don't show/allow update or delete comments to not owners.

2025-03-15 17:21:17 -05:00 · 2020-11-23 11:32:59 +01:00 · 2020-11-23 11:32:59 +01:00 · d862406b44
commit d862406b44
parent 17de1414ef
2 changed files with 17 additions and 11 deletions
--- a/backend/src/app/services/mutations/comments.clj
+++ b/backend/src/app/services/mutations/comments.clj
@ -233,6 +233,11 @@

      (files/check-read-permissions! conn profile-id (:file-id thread))

+      ;; Don't allow edit comments to not owners
+      (when-not (= (:owner-id thread) profile-id)
+        (ex/raise :type :validation
+                  :code :not-allowed))
+
      (db/update! conn :comment
                  {:content content
                   :modified-at (dt/now)}
@ -253,8 +258,8 @@
 (sm/defmutation ::delete-comment-thread
  [{:keys [profile-id id] :as params}]
  (db/with-atomic [conn db/pool]
-    (let [cthr (db/get-by-id conn :comment-thread id {:for-update true})]
-      (when-not (= (:owner-id cthr) profile-id)
+    (let [thread (db/get-by-id conn :comment-thread id {:for-update true})]
+      (when-not (= (:owner-id thread) profile-id)
        (ex/raise :type :validation
                  :code :not-allowed))
      (db/delete! conn :comment-thread {:id id})
--- a/frontend/src/app/main/ui/comments.cljs
+++ b/frontend/src/app/main/ui/comments.cljs
@ -184,7 +184,8 @@

 (mf/defc comment-item
  [{:keys [comment thread users] :as props}]
-  (let [profile  (get (or users @refs/workspace-users) (:owner-id comment))
+  (let [owner    (get (or users @refs/workspace-users) (:owner-id comment))
+        profile  (mf/use-state refs/profile)
        options  (mf/use-state false)
        edition? (mf/use-state false)

@ -243,9 +244,9 @@
     [:div.comment
      [:div.author
       [:div.avatar
-        [:img {:src (cfg/resolve-media-path (:photo profile))}]]
+        [:img {:src (cfg/resolve-media-path (:photo owner))}]]
       [:div.name
-        [:div.fullname (:fullname profile)]
+        [:div.fullname (:fullname owner)]
        [:div.timeago (dt/timeago (:modified-at comment))]]

       (when (some? thread)
@ -253,9 +254,9 @@
          (if (:is-resolved thread)
            [:span i/checkbox-checked]
            [:span i/checkbox-unchecked])])
-
-       [:div.options
-        [:div.options-icon {:on-click on-show-options} i/actions]]]
+       (when (= (:id profile) (:id owner))
+         [:div.options
+          [:div.options-icon {:on-click on-show-options} i/actions]])]

      [:div.content
       (if @edition?
@ -342,7 +343,7 @@

 (mf/defc comment-thread
  [{:keys [item users on-click] :as props}]
-  (let [profile (get users (:owner-id item))
+  (let [owner (get users (:owner-id item))

        on-click*
        (mf/use-callback
@ -361,9 +362,9 @@
                :unread (pos? (:count-unread-comments item)))}
       (:seqn item)]
      [:div.avatar
-       [:img {:src (cfg/resolve-media-path (:photo profile))}]]
+       [:img {:src (cfg/resolve-media-path (:photo owner))}]]
      [:div.name
-       [:div.fullname (:fullname profile) ", "]
+       [:div.fullname (:fullname owner) ", "]
       [:div.timeago (dt/timeago (:modified-at item))]]]
     [:div.content
      [:span.text (:content item)]]