From 72adcd10ef7953fe715a61adc1e3382cfba4243d Mon Sep 17 00:00:00 2001
From: j0ok34n <103942268+j0ok34n@users.noreply.github.com>
Date: Sun, 23 Jul 2023 16:18:03 +0700
Subject: [PATCH] Comment fix

- Workspace administrators will not be able to delete or edit comments within private collections for which they do not have permissions.
- Users will not be able to delete or modify their comments if they have been removed from a private collection.
---
 server/routes/api/comments/comments.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/routes/api/comments/comments.ts b/server/routes/api/comments/comments.ts
index fd6b388d3..34143b017 100644
--- a/server/routes/api/comments/comments.ts
+++ b/server/routes/api/comments/comments.ts
@@ -94,6 +94,10 @@ router.post(
         of: Comment,
       },
     });
+    const document = await Document.findByPk(comment.documentId, {
+      userId: user.id
+    });
+    authorize(user, "comment", document);
     authorize(user, "update", comment);
 
     await commentUpdater({
@@ -124,6 +128,10 @@ router.post(
     const comment = await Comment.findByPk(id, {
       transaction,
     });
+    const document = await Document.findByPk(comment.documentId, {
+      userId: user.id
+    });
+    authorize(user, "comment", document);
     authorize(user, "delete", comment);
 
     await commentDestroyer({
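Review bot: `comment.documentId` on the first added line of each hunk is dereferenced before anything confirms that `Comment.findByPk` returned a row, so an unknown id now fails with a TypeError on a null `comment` instead of reaching the existing `authorize(user, "update", comment)` (and `authorize(user, "delete", comment)` in the second hunk) as it did before the change. Moving the new document lookup and `authorize(user, "comment", document)` below that existing `authorize` call in both handlers keeps the not-found path unchanged while still enforcing collection access. The second hunk shows the comment being loaded with `{ transaction }`, so the document lookup presumably belongs inside the same transaction too: `const document = await Document.findByPk(comment.documentId, { userId: user.id, transaction });` (the trailing comma after `userId: user.id` also matches the file's formatting). A short comment above the new `authorize`, such as `// The document's collection must also grant access; the comment policy alone would let admins edit comments in private collections they are not members of`, would record why two authorize calls are needed. Both enclosing `router.post` handlers start and end outside the hunks.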