Post updating permission check.
Moved validation action from internal_api to core. Updated form validation to delete unneeded data. Signed-off-by: Armored Dragon <publicmail@armoreddragon.com>pull/3/head
parent
59c3f4a333
commit
e76bb6c493
GPG Key ID:
C7207ACC3382AD8B
|
|
@ -6,6 +6,7 @@ const { getSignedUrl } = require("@aws-sdk/s3-request-presigner");
|
|||
let s3;
|
||||
const crypto = require("crypto");
|
||||
const validate = require("../form_validation");
|
||||
const permissions = require("../permissions");
|
||||
const md = require("markdown-it")()
|
||||
.use(require("markdown-it-underline"))
|
||||
.use(require("markdown-it-footnote"))
|
||||
|
|
@ -231,24 +232,20 @@ async function getPost({ requester_id, post_id, visibility = "PUBLISHED" } = {},
|
|||
async function editPost({ requester_id, post_id, post_content }) {
|
||||
let user = await getUser({ user_id: requester_id });
|
||||
let post = await getPost({ post_id: post_id });
|
||||
let publish_date = null;
|
||||
|
||||
if (!user.success) return _r(false, post.message || "User not found");
|
||||
user = user.data;
|
||||
if (!post.success) return _r(false, post.message || "Post not found");
|
||||
post = post.data;
|
||||
|
||||
// Check to see if the requester can update the post
|
||||
// TODO: Permissions
|
||||
let can_update = post.owner.id === user.id || user.role === "ADMIN";
|
||||
// Check if the user can preform the action
|
||||
const can_act = permissions.patchPost(post, user);
|
||||
if (!can_act.success) return _r(false, can_act.message);
|
||||
|
||||
// FIXME: Unsure if this actually works
|
||||
// Check if we already have a formatted publish date
|
||||
if (typeof post.publish_date !== "object") {
|
||||
const [year, month, day] = post.date.split("-");
|
||||
const [hour, minute] = post.time.split(":");
|
||||
publish_date = new Date(year, month - 1, day, hour, minute);
|
||||
}
|
||||
// Validate the post content
|
||||
let validated_post = validate.patchPost(post_content);
|
||||
if (!validated_post.success) return _r(false, can_act.message);
|
||||
validated_post = validated_post.data;
|
||||
|
||||
// Handle tags ----
|
||||
let database_tag_list = [];
|
||||
|
|
@ -266,12 +263,10 @@ async function editPost({ requester_id, post_id, post_content }) {
|
|||
|
||||
// Rebuild the post to save
|
||||
let post_formatted = {
|
||||
title: post_content.title,
|
||||
description: post_content.description,
|
||||
content: post_content.content,
|
||||
visibility: post_content.visibility || "PRIVATE",
|
||||
publish_date: publish_date || post_content.publish_date,
|
||||
...validated_post,
|
||||
// Handle tag changes
|
||||
tags: { disconnect: [...existing_tags], connect: [...database_tag_list] },
|
||||
// Handle media changes
|
||||
media: [...post.raw_media, ...post_content.media],
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -57,18 +57,7 @@ async function deleteBlog(req, res) {
|
|||
return res.json(await core.deletePost({ post_id: req.body.id, requester_id: req.session.user.id }));
|
||||
}
|
||||
async function patchBlog(req, res) {
|
||||
// FIXME: validate does not return post id
|
||||
// Can user change post?
|
||||
// User is admin, or user is author
|
||||
|
||||
// Validate blog info
|
||||
let valid = await validate.patchPost(req.body);
|
||||
|
||||
if (!valid.success) return { success: false, message: valid.message || "Post failed validation" };
|
||||
valid = valid.data;
|
||||
|
||||
// TODO: Permissions for updating blog
|
||||
return res.json(await core.editPost({ requester_id: req.session.user.id, post_id: req.body.id, post_content: valid }));
|
||||
return res.json(await core.editPost({ requester_id: req.session.user.id, post_id: req.body.id, post_content: req.body }));
|
||||
}
|
||||
async function patchBiography(request, response) {
|
||||
// TODO: Validate
|
||||
|
|
|
|||
|
|
@ -41,6 +41,9 @@ function patchPost(post_content) {
|
|||
if (tag.length !== 0) tags.push(tag);
|
||||
});
|
||||
|
||||
delete post_content.date;
|
||||
delete post_content.time;
|
||||
|
||||
// Format the post content
|
||||
post_formatted = {
|
||||
// Autofill the given data
|
||||
|
|
@ -62,7 +65,7 @@ function _isUrlSafe(str) {
|
|||
return pattern.test(str);
|
||||
}
|
||||
function _r(s, m, d) {
|
||||
return { success: s, m: m ? m || "Unknown error" : undefined, data: d };
|
||||
return { success: s, message: m ? m || "Unknown error" : undefined, data: d };
|
||||
}
|
||||
|
||||
module.exports = { newUser, patchPost };
|
||||
|
|
|
|||
|
|
@ -1,3 +1,22 @@
|
|||
function postBlog(user) {}
|
||||
//
|
||||
// Permissions
|
||||
//
|
||||
// Check if a given user has permissions to preform an action
|
||||
//
|
||||
|
||||
module.exports = { postBlog };
|
||||
// Updating a blog post
|
||||
function patchPost(post_content, user) {
|
||||
// Admins can always update any post
|
||||
if (user.role === "ADMIN") return _r(true);
|
||||
|
||||
// User owns the post
|
||||
if (post_content.owner.id === user.id) return _r(true);
|
||||
|
||||
// User is not permitted
|
||||
return _r(false, "User is not permitted to preform action.");
|
||||
}
|
||||
|
||||
function _r(s, m, d) {
|
||||
return { success: s, message: m ? m || "Unknown error" : undefined, data: d };
|
||||
}
|
||||
module.exports = { patchPost };
|
||||
|
|
|
|||
Loading…
Reference in New Issue