allow non-admin folks to list their comments

This commit is contained in:
Riley Davis
2016-12-15 13:05:59 -07:00
parent d64c848baa
commit f4ee28c618
2 changed files with 20 additions and 5 deletions
+1 -1
@@ -32,7 +32,7 @@ export const saveBio = (user_id, formData) => dispatch => {
export const fetchCommentsByUserId = userId => {
return (dispatch) => {
dispatch({type: actions.COMMENTS_BY_USER_REQUEST});
return coralApi(`/comments?user_id${userId}`)
return coralApi(`/comments?user_id=${userId}`)
.then(({comments, assets}) => {
comments.forEach(comment => dispatch(addItem(comment, 'comments')));
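Review bot: `userId` is interpolated unencoded into the query string on the corrected `coralApi(`/comments?user_id=${userId}`)` line, so an id containing `&`, `#` or `=` would alter the request's parameters instead of being sent as the `user_id` value; `return coralApi(`/comments?user_id=${encodeURIComponent(userId)}`)` keeps the whole id in that one parameter. The server's new ownership check compares this value against `req.user.id`, so sending it unaltered matters for the non-admin path this commit enables. The `.then` chain of fetchCommentsByUserId continues outside the hunk and no rejection handler is visible here; if none is attached further down, a failed request leaves COMMENTS_BY_USER_REQUEST dispatched with no completion action.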
+19 -4
@@ -9,7 +9,7 @@ const _ = require('lodash');
const router = express.Router();
router.get('/', authorization.needed('admin'), (req, res, next) => {
router.get('/', (req, res, next) => {
const {
status = null,
@@ -18,6 +18,18 @@ router.get('/', authorization.needed('admin'), (req, res, next) => {
user_id = null
} = req.query;
// everything on this route requires admin privileges besides listing comments for owner of said comments
if (!authorization.has(req.user, 'admin') && !user_id) {
next(authorization.ErrNotAuthorized);
return;
}
// only return comment lists for the owner of the comments
if (req.user.id !== user_id) {
next(authorization.ErrNotAuthorized);
return;
}
/**
* This adds the asset_id requirement to the query if the asset_id is defined.
*/
@@ -31,10 +43,13 @@ router.get('/', authorization.needed('admin'), (req, res, next) => {
let query;
if (status) {
query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status));
} else if (user_id) {
// the check for user_id MUST be first here.
// otherwise this will be a vulnerability if you pass user_id and something else,
// the app will return admin-level data without the proper checks
if (user_id) {
query = Comment.findByUserId(user_id);
} else if (status) {
query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status));
} else if (action_type) {
query = Comment
.findIdsByActionType(action_type)