From bf1ba48031198b535eeb21abcd01d6f2e8890f82 Mon Sep 17 00:00:00 2001 From: Dessalines Date: Thu, 4 Apr 2019 17:25:21 -0700 Subject: [PATCH] Verifying correct user for edits - Fixes #31 --- server/src/websocket_server/server.rs | 20 ++++++++++++++++++++ ui/src/components/post-form.tsx | 2 -- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/server/src/websocket_server/server.rs b/server/src/websocket_server/server.rs index 28b5832a..a0d12935 100644 --- a/server/src/websocket_server/server.rs +++ b/server/src/websocket_server/server.rs @@ -914,6 +914,12 @@ impl Perform for EditComment { let user_id = claims.id; + // Verify its the creator + let orig_comment = Comment::read(&conn, self.edit_id).unwrap(); + if user_id != orig_comment.creator_id { + return self.error("Incorrect creator."); + } + let comment_form = CommentForm { content: self.content.to_owned(), parent_id: self.parent_id, @@ -1149,6 +1155,12 @@ impl Perform for EditPost { let user_id = claims.id; + // Verify its the creator + let orig_post = Post::read(&conn, self.edit_id).unwrap(); + if user_id != orig_post.creator_id { + return self.error("Incorrect creator."); + } + let post_form = PostForm { name: self.name.to_owned(), url: self.url.to_owned(), @@ -1210,6 +1222,14 @@ impl Perform for EditCommunity { let user_id = claims.id; + + // Verify its a mod + let moderator_view = CommunityModeratorView::for_community(&conn, self.edit_id).unwrap(); + let mod_ids: Vec = moderator_view.into_iter().map(|m| m.user_id).collect(); + if !mod_ids.contains(&user_id) { + return self.error("Incorrect creator."); + }; + let community_form = CommunityForm { name: self.name.to_owned(), title: self.title.to_owned(), diff --git a/ui/src/components/post-form.tsx b/ui/src/components/post-form.tsx index 6967bf0d..c581ae03 100644 --- a/ui/src/components/post-form.tsx +++ b/ui/src/components/post-form.tsx @@ -133,10 +133,8 @@ export class PostForm extends Component { } parseMessage(msg: any) { - console.log(msg); let op: UserOperation = msgOp(msg); if (msg.error) { - alert(msg.error); return; } else if (op == UserOperation.ListCommunities) { let res: ListCommunitiesResponse = msg;