🐛 Fix permissions when moving comments

Alejandro Alonso 2022-08-24 10:26:08 +02:00
parent 8d8e4c5e22
commit cb064358f8


@ -496,16 +496,14 @@
;; --- COMMAND: Update comment thread position ;; --- COMMAND: Update comment thread position
(s/def ::update-comment-thread-position (s/def ::update-comment-thread-position
(s/keys :req-un [::profile-id ::id ::position ::frame-id])) (s/keys :req-un [::profile-id ::id ::position ::frame-id ::share-id]))
(sv/defmethod ::update-comment-thread-position (sv/defmethod ::update-comment-thread-position
{::doc/added "1.15"} {::doc/added "1.15"}
[{:keys [pool] :as cfg} {:keys [profile-id id position frame-id] :as params}] [{:keys [pool] :as cfg} {:keys [profile-id id position frame-id share-id] :as params}]
(db/with-atomic [conn pool] (db/with-atomic [conn pool]
(let [thread (db/get-by-id conn :comment-thread id {:for-update true})] (let [thread (db/get-by-id conn :comment-thread id {:for-update true})]
(when-not (= (:owner-id thread) profile-id) (files/check-comment-permissions! conn profile-id (:file-id thread) share-id)
(ex/raise :type :validation
:code :not-allowed))
(db/update! conn :comment-thread (db/update! conn :comment-thread
{:modified-at (dt/now) {:modified-at (dt/now)
:position (db/pgpoint position) :position (db/pgpoint position)
@ -516,16 +514,14 @@
;; --- COMMAND: Update comment frame ;; --- COMMAND: Update comment frame
(s/def ::update-comment-thread-frame (s/def ::update-comment-thread-frame
(s/keys :req-un [::profile-id ::id ::frame-id])) (s/keys :req-un [::profile-id ::id ::frame-id ::share-id]))
(sv/defmethod ::update-comment-thread-frame (sv/defmethod ::update-comment-thread-frame
{::doc/added "1.15"} {::doc/added "1.15"}
[{:keys [pool] :as cfg} {:keys [profile-id id frame-id] :as params}] [{:keys [pool] :as cfg} {:keys [profile-id id frame-id share-id] :as params}]
(db/with-atomic [conn pool] (db/with-atomic [conn pool]
(let [thread (db/get-by-id conn :comment-thread id {:for-update true})] (let [thread (db/get-by-id conn :comment-thread id {:for-update true})]
(when-not (= (:owner-id thread) profile-id) (files/check-comment-permissions! conn profile-id (:file-id thread) share-id)
(ex/raise :type :validation
:code :not-allowed))
(db/update! conn :comment-thread (db/update! conn :comment-thread
{:modified-at (dt/now) {:modified-at (dt/now)
:frame-id frame-id} :frame-id frame-id}
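Review bot: In both `::update-comment-thread-position` and `::update-comment-thread-frame`, the `(= (:owner-id thread) profile-id)` guard is removed outright rather than combined with the new check, so any profile that passes `files/check-comment-permissions!` for the file, including one arriving through a share link, can now move threads it did not create. If that widening is intended, it deserves a comment above the call, for example `;; any profile allowed to comment on the file may move a thread, not only its owner`. Separately, `::share-id` is added to `:req-un`, which makes the key mandatory even for logged-in team members who have no share link; if it is meant to be optional, the spec should read `(s/keys :req-un [::profile-id ::id ::position ::frame-id] :opt-un [::share-id])`, and likewise for the frame variant. Whether `db/get-by-id` raises on a missing row is not visible here; if it can return nil, `(:file-id thread)` reaches the permission check as nil, so an explicit not-found guard before the check would be safer. Both method bodies continue past the end of their hunks.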