🐛 Don't show/allow update or delete comments to not owners.

This commit is contained in:
Andrey Antukh 2020-11-23 11:32:59 +01:00 committed by Alonso Torres
parent 17de1414ef
commit d862406b44
2 changed files with 17 additions and 11 deletions


@ -233,6 +233,11 @@
(files/check-read-permissions! conn profile-id (:file-id thread))
;; Don't allow edit comments to not owners
(when-not (= (:owner-id thread) profile-id)
(ex/raise :type :validation
:code :not-allowed))
(db/update! conn :comment
{:content content
:modified-at (dt/now)}
@ -253,8 +258,8 @@
(sm/defmutation ::delete-comment-thread
[{:keys [profile-id id] :as params}]
(db/with-atomic [conn db/pool]
(let [cthr (db/get-by-id conn :comment-thread id {:for-update true})]
(when-not (= (:owner-id cthr) profile-id)
(let [thread (db/get-by-id conn :comment-thread id {:for-update true})]
(when-not (= (:owner-id thread) profile-id)
(ex/raise :type :validation
:code :not-allowed))
(db/delete! conn :comment-thread {:id id})
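Review bot: In the first hunk (@ -233), the new ownership check compares `(:owner-id thread)` with `profile-id`, but the row updated two lines later is a `:comment`, not a thread; if `thread` is the comment-thread row (as `(:file-id thread)` on the preceding line suggests), the guard enforces thread ownership rather than ownership of the comment being edited, so the thread opener could edit other people's replies while those authors are refused on their own comments. The check should compare against the owner-id of the fetched comment row instead, which is bound outside the hunk, since the enclosing function starts before it. Also, the refusal is raised as `:type :validation` with `:code :not-allowed` in both hunks, which reports an authorization failure under a validation type; if the codebase has a dedicated error type for authorization, using it here, via one small shared helper for both mutations, would keep the two checks and their error reporting consistent.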