From ad0f530fd3c68b7b8d53b02c68575f5394494c3e Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Thu, 12 Jan 2017 17:07:35 -0700 Subject: [PATCH 1/2] don't return unpublished comments in My Comments section. add tests --- models/comment.js | 12 ++++++++++-- routes/api/comments/index.js | 2 +- tests/models/comment.js | 17 +++++++++++++++++ tests/routes/api/comments/index.js | 5 ++--- 4 files changed, 30 insertions(+), 6 deletions(-) diff --git a/models/comment.js b/models/comment.js index 9bd9163c4..d99cbed06 100644 --- a/models/comment.js +++ b/models/comment.js @@ -282,8 +282,16 @@ CommentSchema.statics.all = () => Comment.find(); * probably to be paginated at some point in the future * @return {Promise} array resolves to an array of comments by that user */ -CommentSchema.statics.findByUserId = function (author_id) { - return Comment.find({author_id}); +CommentSchema.statics.findByUserId = function (author_id, admin = false) { + + // do not return un-published comments for non-admins + let query = {author_id}; + + if (!admin) { + query.$nor = [{status: 'premod'}, {status: 'rejected'}]; + } + + return Comment.find(query); }; // Comment model. diff --git a/routes/api/comments/index.js b/routes/api/comments/index.js index 8bf3616eb..1d5d73ea0 100644 --- a/routes/api/comments/index.js +++ b/routes/api/comments/index.js @@ -48,7 +48,7 @@ router.get('/', (req, res, next) => { // otherwise this will be a vulnerability if you pass user_id and something else, // the app will return admin-level data without the proper checks if (user_id) { - query = Comment.findByUserId(user_id); + query = Comment.findByUserId(user_id, authorization.has(req.user, 'admin')); } else if (status) { query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status)); } else if (action_type) { diff --git a/tests/models/comment.js b/tests/models/comment.js index 20590dc3d..419fb4d79 100644 --- a/tests/models/comment.js +++ b/tests/models/comment.js @@ -209,6 +209,23 @@ describe('models.Comment', () => { }); }); + describe('#findByUserId', () => { + it('should return all comments if admin', () => { + return Comment.findByUserId('456', true) + .then(comments => { + expect(comments).to.have.length(4); + }); + }); + + it('should not return premod and rejected comments if not admin', () => { + return Comment.findByUserId('456') + .then(comments => { + expect(comments).to.have.length(1); + }); + }); + + }); + describe('#changeStatus', () => { it('should change the status of a comment from no status', () => { diff --git a/tests/routes/api/comments/index.js b/tests/routes/api/comments/index.js index 5edb52099..ed1f3d22f 100644 --- a/tests/routes/api/comments/index.js +++ b/tests/routes/api/comments/index.js @@ -83,15 +83,14 @@ describe('/api/v1/comments', () => { ]); }); - it('should return only the owner’s comments if the user is not an admin', () => { + it('should return only the owner’s published comments if the user is not an admin', () => { return chai.request(app) .get('/api/v1/comments?user_id=456') .set(passport.inject({id: '456', roles: []})) .then(res => { expect(res).to.have.status(200); - expect(res.body.comments).to.have.length(2); + expect(res.body.comments).to.have.length(1); expect(res.body.comments[0]).to.have.property('author_id', '456'); - expect(res.body.comments[1]).to.have.property('author_id', '456'); }); }); From 44a06aef46c41f11ccb4251adb426d31c23a5241 Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Fri, 13 Jan 2017 14:33:01 -0700 Subject: [PATCH 2/2] do not render tab content unless they're active --- client/coral-admin/src/actions/comments.js | 6 +- .../ModerationQueue/ModerationQueue.js | 90 +++++++++++-------- 2 files changed, 54 insertions(+), 42 deletions(-) diff --git a/client/coral-admin/src/actions/comments.js b/client/coral-admin/src/actions/comments.js index f37c79b4f..fe4895ed3 100644 --- a/client/coral-admin/src/actions/comments.js +++ b/client/coral-admin/src/actions/comments.js @@ -55,9 +55,9 @@ export const fetchFlaggedQueue = () => { dispatch({type: commentTypes.COMMENTS_MODERATION_QUEUE_FETCH_REQUEST}); return coralApi('/queue/comments/flagged') - .then(comments => { - comments.forEach(comment => comment.flagged = true); - return comments; + .then(results => { + results.comments.forEach(comment => comment.flagged = true); + return results; }) .then(addUsersCommentsActions.bind(this, dispatch)); }; diff --git a/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js b/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js index d46a9b35d..6121ca307 100644 --- a/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js +++ b/client/coral-admin/src/containers/ModerationQueue/ModerationQueue.js @@ -22,49 +22,61 @@ export default ({onTabClick, ...props}) => ( className={`mdl-tabs__tab ${styles.tab}`}>{lang.t('modqueue.flagged')}
- - + { + props.activeTab === 'pending' + ?
+ + +
+ : null + }
- + { + props.activeTab === 'rejected' + ? + : null + }
- -
+ { + props.activeTab === 'flagged' + ? + : null + } +