preventing users deleting other users comments/posts

2025-04-01 20:24:18 +02:00 · 2021-03-18 18:23:03 +01:00 · 2021-03-18 18:23:03 +01:00 · 26d7288e91
commit 26d7288e91
parent b700bfba77
1 changed files with 84 additions and 62 deletions
--- a/src/modules/api/api.ts
+++ b/src/modules/api/api.ts
@ -704,44 +704,6 @@ function GetApp(): ModuleType {
    logger.Log('New feedback file', logger.GetColor('bluebg'))
  })

-  app.post('/rmPost', (req: Request, res) => {
-    logger.LogReq(req)
-    const user: User = req.session.user
-    const news: any = utils.ReadJSON(newsFile)
-    const { newsKey } = req.body
-
-    if (news[newsKey].user === user.id) {
-      delete news[newsKey]
-    } else {
-      res.json({ status: 'fail', msg: 'u cant delete other users posts!' })
-      return
-    }
-
-    utils.WriteFile(JSON.stringify(news, null, 2), newsFile)
-    res.json({ status: 'ok', news: news })
-  })
-
-  app.post('/addPost', (req: Request, res) => {
-    logger.LogReq(req)
-    const user: User = req.session.user
-    const news: any = utils.ReadJSON(newsFile)
-    const admins: any = utils.FileExists(adminUsersFile)
-      ? utils.ReadJSON(adminUsersFile)
-      : []
-    const { title, content } = req.body
-
-    news[uuidv4()] = {
-      date: utils.GetDateString(),
-      user: user.id,
-      title: title,
-      content: content,
-      admin: admins.includes(user.id),
-    }
-
-    utils.WriteFile(JSON.stringify(news, null, 2), newsFile)
-    res.json({ status: 'ok', news: news })
-  })
-
  app.post('/postfeedback', function(req: Request, res: any) {
    logger.LogReq(req)
    if (req.body.fromLogin) {
@ -1350,28 +1312,6 @@ function GetApp(): ModuleType {
    res.json({ msg: 'done' })
  })

-  function addComment(obj, path, comment) {
-    if (path.length === 0) {
-      obj.push(comment)
-    } else {
-      const i = path.pop()
-      if (!obj[i].subComments) {
-        obj[i].subComments = []
-      }
-      addComment(obj[i].subComments, path, comment)
-    }
-  }
-
-  function deleteComment(obj, path) {
-    if (path.length === 1) {
-      // TODO: check if its actually deleteable by user (deleting other users comments)
-      obj.splice(path[0], 1)
-    } else {
-      const i = path.pop()
-      deleteComment(obj[i].subComments, path)
-    }
-  }
-
  function addReaction(obj, path, { reaction, isDelete, uid }) {
    if (path.length === 1) {
      const index = path[0]
@ -1458,6 +1398,37 @@ function GetApp(): ModuleType {
    res.json({ status: 'ok', news: news })
  })

+  function addComment(obj, path, comment) {
+    if (path.length === 0) {
+      obj.push(comment)
+    } else {
+      const i = path.pop()
+      if (!obj[i].subComments) {
+        obj[i].subComments = []
+      }
+      addComment(obj[i].subComments, path, comment)
+    }
+  }
+
+  function deleteComment(
+    obj: any,
+    path: Array<number>,
+    userid: number
+  ): boolean {
+    if (path.length === 1) {
+      if (obj[path[0]].user === userid) {
+        obj.splice(path[0], 1)
+        return true
+      } else {
+        return false
+      }
+    } else {
+      const i = path.pop()
+      deleteComment(obj[i].subComments, path, userid)
+      return true
+    }
+  }
+
  app.post('/comment', (req: Request, res) => {
    logger.LogReq(req)

@ -1486,10 +1457,19 @@ function GetApp(): ModuleType {
      addComment(news[newsKey].comments, path, comment)
    } else if (type === 'delete') {
      if (news[newsKey].comments) {
-        deleteComment(news[newsKey].comments, path)
+        const success = deleteComment(news[newsKey].comments, path, user.id)
+        if (!success) {
+          res.json({
+            status: 'fail',
+            msg: 'you cant delete other users comments',
+            news: news,
+          })
+          return
+        }
      }
    } else {
-      res.json({ status: 'fail', msg: 'no such type' })
+      res.json({ status: 'fail', msg: 'no such type', news: news })
+      return
    }
    utils.WriteFile(JSON.stringify(news, null, 2), newsFile)
    res.json({ status: 'ok', news: news })
@ -1553,6 +1533,48 @@ function GetApp(): ModuleType {
    res.json({ msg: 'done' })
  })

+  app.post('/rmPost', (req: Request, res) => {
+    logger.LogReq(req)
+    const user: User = req.session.user
+    const news: any = utils.ReadJSON(newsFile)
+    const { newsKey } = req.body
+
+    if (news[newsKey].user === user.id) {
+      delete news[newsKey]
+    } else {
+      res.json({
+        status: 'fail',
+        msg: 'u cant delete other users posts!',
+        news: news,
+      })
+      return
+    }
+
+    utils.WriteFile(JSON.stringify(news, null, 2), newsFile)
+    res.json({ status: 'ok', news: news })
+  })
+
+  app.post('/addPost', (req: Request, res) => {
+    logger.LogReq(req)
+    const user: User = req.session.user
+    const news: any = utils.ReadJSON(newsFile)
+    const admins: any = utils.FileExists(adminUsersFile)
+      ? utils.ReadJSON(adminUsersFile)
+      : []
+    const { title, content } = req.body
+
+    news[uuidv4()] = {
+      date: utils.GetDateString(),
+      user: user.id,
+      title: title,
+      content: content,
+      admin: admins.includes(user.id),
+    }
+
+    utils.WriteFile(JSON.stringify(news, null, 2), newsFile)
+    res.json({ status: 'ok', news: news })
+  })
+
  app.get('/possibleAnswers', (req: Request, res: any) => {
    logger.LogReq(req)
    const files = utils.ReadDir(savedQuestionsDir)