Comment fix

- Workspace administrators will not be able to delete or edit comments within private collections for which they do not have permissions.
- Users will not be able to delete or modify their comments if they have been removed from a private collection.
j0ok34n
2023-07-23 16:18:03 +07:00
committed by Tom Moor
parent 7bc37cb700
commit 72adcd10ef


@@ -94,6 +94,10 @@ router.post(
of: Comment,
},
});
const document = await Document.findByPk(comment.documentId, {
userId: user.id
});
authorize(user, "comment", document);
authorize(user, "update", comment);
await commentUpdater({
@@ -124,6 +128,10 @@ router.post(
const comment = await Comment.findByPk(id, {
transaction,
});
const document = await Document.findByPk(comment.documentId, {
userId: user.id
});
authorize(user, "comment", document);
authorize(user, "delete", comment);
await commentDestroyer({
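Review bot: In the delete hunk, `comment.documentId` is read before anything checks that the comment exists; the lookup `Comment.findByPk(id, { transaction })` shows no option that rejects a missing row, so an unknown id would likely surface as a TypeError rather than the not-found or authorization error the caller should get. If this is Sequelize's `findByPk`, adding `rejectOnEmpty: true` to that call, or an `if (!comment)` guard ahead of the document lookup, closes the gap. The update hunk has the same dereference, but its comment lookup starts outside the hunk, so its options cannot be checked from here. The new `Document.findByPk(comment.documentId, { userId: user.id })` also omits the `transaction` that the comment lookup passes, so the permission check reads outside the transaction that performs the write; passing `transaction` there would keep the check and the delete consistent. Both route handlers begin and end outside the visible hunks.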