From bba09d69c1bc55c2f35db5a7986e7c935cc9619c Mon Sep 17 00:00:00 2001
From: TheCatLady <52870424+TheCatLady@users.noreply.github.com>
Date: Sat, 30 Oct 2021 19:54:01 -0400
Subject: [PATCH] fix(issues): only allow edit of own comments & do not allow non-admin delete of issues with comments (#2248)
---
 server/routes/issue.ts | 2 +-
 server/routes/issueComment.ts | 7 +-
 .../IssueDetails/IssueComment/index.tsx | 36 +++++-----
 .../IssueDetails/IssueDescription/index.tsx | 72 ++++++++++---------
 src/components/IssueDetails/index.tsx | 5 +-
 5 files changed, 63 insertions(+), 59 deletions(-)
diff --git a/server/routes/issue.ts b/server/routes/issue.ts
index d2774208d..06f8ef9d9 100644
--- a/server/routes/issue.ts
+++ b/server/routes/issue.ts
@@ -302,7 +302,7 @@ issueRoutes.delete('/:issueId', async (req, res, next) => {
 if (
 !req.user?.hasPermission(Permission.MANAGE_ISSUES) &&
- issue.createdBy.id !== req.user?.id
+ (issue.createdBy.id !== req.user?.id || issue.comments.length > 1)
 ) {
 return next({
 status: 401,
diff --git a/server/routes/issueComment.ts b/server/routes/issueComment.ts
index 9bc4e27b9..c54bce5b6 100644
--- a/server/routes/issueComment.ts
+++ b/server/routes/issueComment.ts
@@ -68,13 +68,10 @@ issueCommentRoutes.put<
 where: { id: Number(req.params.commentId) },
 });
 
- if (
- !req.user?.hasPermission([Permission.MANAGE_ISSUES], { type: 'or' }) &&
- comment.user.id !== req.user?.id
- ) {
+ if (comment.user.id !== req.user?.id) {
 return next({
 status: 403,
- message: 'You do not have permission to edit this comment.',
+ message: 'You can only edit your own comments.',
 });
 }
diff --git a/src/components/IssueDetails/IssueComment/index.tsx b/src/components/IssueDetails/IssueComment/index.tsx
index 1b82ff6cf..28e94ee38 100644
--- a/src/components/IssueDetails/IssueComment/index.tsx
+++ b/src/components/IssueDetails/IssueComment/index.tsx
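Review bot: The new deny branch in the `/:issueId` delete handler still answers `status: 401,` although the requester is authenticated and merely not permitted, while the edit check in server/routes/issueComment.ts in this same commit answers 403 for the equivalent situation; `status: 403,` would make the two routes consistent and stop clients from treating the response as a login failure. The added `issue.comments.length > 1` condition also presumes that the first comment is the issue's own description and that the `comments` relation was loaded by the query above the hunk — if it was not, `issue.comments` is undefined and the handler throws instead of denying; a one-line comment such as `// the first comment is the issue description; any further comment restricts deletion to MANAGE_ISSUES` would record both assumptions. The handler's body starts and continues outside the hunk, so the loading of `comments` cannot be confirmed here.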
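Review bot: The rewritten ownership check in the comment `put` handler drops the `MANAGE_ISSUES` override on purpose, but nothing in the code says so, and a later reader comparing it with the delete routes (which still honour that permission) is likely to "restore" it. A comment above the condition, `// Deliberate: MANAGE_ISSUES does not grant editing another user's comment; only the author may edit`, would preserve the decision the commit message makes. The guard also relies on `comment` being non-null and on `comment.user` having been loaded by the lookup whose `where` clause opens the hunk; if that lookup can return no row, the ownership test should follow a not-found check, but the lookup begins outside the hunk so I cannot confirm it here.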
@@ -39,7 +39,7 @@ const IssueComment: React.FC = ({
 const intl = useIntl();
 const [showDeleteModal, setShowDeleteModal] = useState(false);
 const [isEditing, setIsEditing] = useState(false);
- const { user, hasPermission } = useUser();
+ const { hasPermission } = useUser();
 
 const EditCommentSchema = Yup.object().shape({
 newMessage: Yup.string().required(
@@ -59,8 +59,6 @@ const IssueComment: React.FC = ({
 }
 };
 
- const belongsToUser = comment.user.id === user?.id;
-
 return (
= ({
- {(belongsToUser || hasPermission(Permission.MANAGE_ISSUES)) && ( + {(isActiveUser || hasPermission(Permission.MANAGE_ISSUES)) && ( = ({ className="absolute right-0 w-56 mt-2 origin-top-right bg-gray-700 rounded-md shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none" >
- - {({ active }) => ( - - )} - + {isActiveUser && ( + + {({ active }) => ( + + )} + + )} {({ active }) => ( - )} - - - - {({ active }) => ( - - )} - + {belongsToUser && ( + + {({ active }) => ( + + )} + + )} + {(hasPermission(Permission.MANAGE_ISSUES) || + !commentCount) && ( + + {({ active }) => ( + + )} + + )}
diff --git a/src/components/IssueDetails/index.tsx b/src/components/IssueDetails/index.tsx index 57f6838f3..b0c065150 100644 --- a/src/components/IssueDetails/index.tsx +++ b/src/components/IssueDetails/index.tsx @@ -260,7 +260,7 @@ const IssueDetails: React.FC = () => { username: ( {
{ editFirstComment(newMessage); }}