Merge branch 'master' into fix-embed-pathing

This commit is contained in:
Gabriela Rodríguez Berón
2016-12-15 13:50:41 -08:00
committed by GitHub
4 changed files with 24 additions and 9 deletions
+1 -1
View File
@@ -32,7 +32,7 @@ export const saveBio = (user_id, formData) => dispatch => {
export const fetchCommentsByUserId = userId => {
return (dispatch) => {
dispatch({type: actions.COMMENTS_BY_USER_REQUEST});
return coralApi(`/comments?user_id${userId}`)
return coralApi(`/comments?user_id=${userId}`)
.then(({comments, assets}) => {
comments.forEach(comment => dispatch(addItem(comment, 'comments')));
+3 -3
View File
@@ -1,4 +1,4 @@
import {Map, fromJS} from 'immutable';
import {Map} from 'immutable';
import * as authActions from '../constants/auth';
import * as actions from '../constants/user';
import * as assetActions from '../constants/assets';
@@ -34,9 +34,9 @@ export default function user (state = initialState, action) {
return state
.set('settings', action.settings);
case actions.COMMENTS_BY_USER_SUCCESS:
return state.set('myComments', fromJS(action.comments));
return state.set('myComments', action.comments);
case assetActions.MULTIPLE_ASSETS_SUCCESS:
return state.set('myAssets', fromJS(action.assets));
return state.set('myAssets', action.assets);
default :
return state;
}
+1 -1
View File
@@ -6,7 +6,7 @@ const Comment = props => {
return (
<div>
<p className="myCommentAsset">
<a className={`${styles.assetURL} myCommentAnchor`} href={props.asset.url}>{props.asset.url}</a>
<a className={`${styles.assetURL} myCommentAnchor`} href={`${props.asset.url}#${props.comment.id}`}>{`${props.asset.url}#${props.comment.id}`}</a>
</p>
<p className={`${styles.commentBody} myCommentBody`}>{props.comment.body}</p>
</div>
+19 -4
View File
@@ -9,7 +9,7 @@ const _ = require('lodash');
const router = express.Router();
router.get('/', authorization.needed('admin'), (req, res, next) => {
router.get('/', (req, res, next) => {
const {
status = null,
@@ -18,6 +18,18 @@ router.get('/', authorization.needed('admin'), (req, res, next) => {
user_id = null
} = req.query;
// everything on this route requires admin privileges besides listing comments for owner of said comments
if (!authorization.has(req.user, 'admin') && !user_id) {
next(authorization.ErrNotAuthorized);
return;
}
// if the user is not an admin, only return comment list for the owner of the comments
if (req.user.id !== user_id && !authorization.has(req.user, 'admin')) {
next(authorization.ErrNotAuthorized);
return;
}
/**
* This adds the asset_id requirement to the query if the asset_id is defined.
*/
@@ -31,10 +43,13 @@ router.get('/', authorization.needed('admin'), (req, res, next) => {
let query;
if (status) {
query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status));
} else if (user_id) {
// the check for user_id MUST be first here.
// otherwise this will be a vulnerability if you pass user_id and something else,
// the app will return admin-level data without the proper checks
if (user_id) {
query = Comment.findByUserId(user_id);
} else if (status) {
query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status));
} else if (action_type) {
query = Comment
.findIdsByActionType(action_type)