diff --git a/client/coral-admin/src/actions/comments.js b/client/coral-admin/src/actions/comments.js
index f37c79b4f..fe4895ed3 100644
--- a/client/coral-admin/src/actions/comments.js
+++ b/client/coral-admin/src/actions/comments.js
@@ -55,9 +55,9 @@ export const fetchFlaggedQueue = () => {
dispatch({type: commentTypes.COMMENTS_MODERATION_QUEUE_FETCH_REQUEST});
return coralApi('/queue/comments/flagged')
- .then(comments => {
- comments.forEach(comment => comment.flagged = true);
- return comments;
+ .then(results => {
+ results.comments.forEach(comment => comment.flagged = true);
+ return results;
})
.then(addUsersCommentsActions.bind(this, dispatch));
};
diff --git a/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js b/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js
index d46a9b35d..6121ca307 100644
--- a/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js
+++ b/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js
@@ -22,49 +22,61 @@ export default ({onTabClick, ...props}) => (
className={`mdl-tabs__tab ${styles.tab}`}>{lang.t('modqueue.flagged')}
-
-
+ {
+ props.activeTab === 'pending'
+ ?
+
+
+
+ : null
+ }
-
+ {
+ props.activeTab === 'rejected'
+ ?
+ : null
+ }
-
-
+ {
+ props.activeTab === 'flagged'
+ ?
+ : null
+ }
+
diff --git a/models/comment.js b/models/comment.js
index 3f8156b24..99eaec069 100644
--- a/models/comment.js
+++ b/models/comment.js
@@ -266,8 +266,16 @@ CommentSchema.statics.all = () => Comment.find();
* probably to be paginated at some point in the future
* @return {Promise} array resolves to an array of comments by that user
*/
-CommentSchema.statics.findByUserId = function (author_id) {
- return Comment.find({author_id});
+CommentSchema.statics.findByUserId = function (author_id, admin = false) {
+
+ // do not return un-published comments for non-admins
+ let query = {author_id};
+
+ if (!admin) {
+ query.$nor = [{status: 'premod'}, {status: 'rejected'}];
+ }
+
+ return Comment.find(query);
};
// Comment model.
diff --git a/routes/api/comments/index.js b/routes/api/comments/index.js
index 8bf3616eb..1d5d73ea0 100644
--- a/routes/api/comments/index.js
+++ b/routes/api/comments/index.js
@@ -48,7 +48,7 @@ router.get('/', (req, res, next) => {
// otherwise this will be a vulnerability if you pass user_id and something else,
// the app will return admin-level data without the proper checks
if (user_id) {
- query = Comment.findByUserId(user_id);
+ query = Comment.findByUserId(user_id, authorization.has(req.user, 'admin'));
} else if (status) {
query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status));
} else if (action_type) {
diff --git a/tests/models/comment.js b/tests/models/comment.js
index 455b937f3..83a081da5 100644
--- a/tests/models/comment.js
+++ b/tests/models/comment.js
@@ -187,6 +187,23 @@ describe('models.Comment', () => {
});
});
+ describe('#findByUserId', () => {
+ it('should return all comments if admin', () => {
+ return Comment.findByUserId('456', true)
+ .then(comments => {
+ expect(comments).to.have.length(4);
+ });
+ });
+
+ it('should not return premod and rejected comments if not admin', () => {
+ return Comment.findByUserId('456')
+ .then(comments => {
+ expect(comments).to.have.length(1);
+ });
+ });
+
+ });
+
describe('#changeStatus', () => {
it('should change the status of a comment from no status', () => {
diff --git a/tests/routes/api/comments/index.js b/tests/routes/api/comments/index.js
index 7a3a2c592..e905f273d 100644
--- a/tests/routes/api/comments/index.js
+++ b/tests/routes/api/comments/index.js
@@ -83,15 +83,14 @@ describe('/api/v1/comments', () => {
]);
});
- it('should return only the owner’s comments if the user is not an admin', () => {
+ it('should return only the owner’s published comments if the user is not an admin', () => {
return chai.request(app)
.get('/api/v1/comments?user_id=456')
.set(passport.inject({id: '456', roles: []}))
.then(res => {
expect(res).to.have.status(200);
- expect(res.body.comments).to.have.length(2);
+ expect(res.body.comments).to.have.length(1);
expect(res.body.comments[0]).to.have.property('author_id', '456');
- expect(res.body.comments[1]).to.have.property('author_id', '456');
});
});