3pp-mirror/penpot
1
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-07-22 00:57:12 +02:00
Code Issues Projects Releases Packages Wiki Activity

🐛 Don't show/allow update or delete comments to not owners.

Browse source
This commit is contained in:
Andrey Antukh 2020-11-23 11:32:59 +01:00 committed by Alonso Torres
parent 17de1414ef
commit d862406b44
2 changed files with 17 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

9
backend/src/app/services/mutations/comments.clj
View file

@ -233,6 +233,11 @@
(files/check-read-permissions! conn profile-id (:file-id thread)) (files/check-read-permissions! conn profile-id (:file-id thread))
;; Don't allow edit comments to not owners
(when-not (= (:owner-id thread) profile-id)
(ex/raise :type :validation
:code :not-allowed))
(db/update! conn :comment (db/update! conn :comment
{:content content {:content content
:modified-at (dt/now)} :modified-at (dt/now)}
@ -253,8 +258,8 @@
(sm/defmutation ::delete-comment-thread (sm/defmutation ::delete-comment-thread
[{:keys [profile-id id] :as params}] [{:keys [profile-id id] :as params}]
(db/with-atomic [conn db/pool] (db/with-atomic [conn db/pool]
(let [cthr (db/get-by-id conn :comment-thread id {:for-update true})] (let [thread (db/get-by-id conn :comment-thread id {:for-update true})]
(when-not (= (:owner-id cthr) profile-id) (when-not (= (:owner-id thread) profile-id)
(ex/raise :type :validation (ex/raise :type :validation
:code :not-allowed)) :code :not-allowed))
(db/delete! conn :comment-thread {:id id}) (db/delete! conn :comment-thread {:id id})

17
frontend/src/app/main/ui/comments.cljs
View file

@ -184,7 +184,8 @@
(mf/defc comment-item (mf/defc comment-item
[{:keys [comment thread users] :as props}] [{:keys [comment thread users] :as props}]
(let [profile (get (or users @refs/workspace-users) (:owner-id comment)) (let [owner (get (or users @refs/workspace-users) (:owner-id comment))
profile (mf/use-state refs/profile)
options (mf/use-state false) options (mf/use-state false)
edition? (mf/use-state false) edition? (mf/use-state false)
@ -243,9 +244,9 @@
[:div.comment [:div.comment
[:div.author [:div.author
[:div.avatar [:div.avatar
[:img {:src (cfg/resolve-media-path (:photo profile))}]] [:img {:src (cfg/resolve-media-path (:photo owner))}]]
[:div.name [:div.name
[:div.fullname (:fullname profile)] [:div.fullname (:fullname owner)]
[:div.timeago (dt/timeago (:modified-at comment))]] [:div.timeago (dt/timeago (:modified-at comment))]]
(when (some? thread) (when (some? thread)
@ -253,9 +254,9 @@
(if (:is-resolved thread) (if (:is-resolved thread)
[:span i/checkbox-checked] [:span i/checkbox-checked]
[:span i/checkbox-unchecked])]) [:span i/checkbox-unchecked])])
(when (= (:id profile) (:id owner))
[:div.options [:div.options
[:div.options-icon {:on-click on-show-options} i/actions]]] [:div.options-icon {:on-click on-show-options} i/actions]])]
[:div.content [:div.content
(if @edition? (if @edition?
@ -342,7 +343,7 @@
(mf/defc comment-thread (mf/defc comment-thread
[{:keys [item users on-click] :as props}] [{:keys [item users on-click] :as props}]
(let [profile (get users (:owner-id item)) (let [owner (get users (:owner-id item))
on-click* on-click*
(mf/use-callback (mf/use-callback
@ -361,9 +362,9 @@
:unread (pos? (:count-unread-comments item)))} :unread (pos? (:count-unread-comments item)))}
(:seqn item)] (:seqn item)]
[:div.avatar [:div.avatar
[:img {:src (cfg/resolve-media-path (:photo profile))}]] [:img {:src (cfg/resolve-media-path (:photo owner))}]]
[:div.name [:div.name
[:div.fullname (:fullname profile) ", "] [:div.fullname (:fullname owner) ", "]
[:div.timeago (dt/timeago (:modified-at item))]]] [:div.timeago (dt/timeago (:modified-at item))]]]
[:div.content [:div.content
[:span.text (:content item)]] [:span.text (:content item)]]