server: fix comment in public document

packages/server/src/services/comment.service.ts

@@ -6,6 +6,7 @@ import { InjectRepository } from '@nestjs/typeorm';
 import { DocumentService } from '@services/document.service';
 import { MessageService } from '@services/message.service';
 import { OutUser, UserService } from '@services/user.service';
+import { DocumentStatus } from '@think/domains';
 import { Repository } from 'typeorm';
 
 @Injectable()
@@ -46,14 +47,18 @@ export class CommentService {
   async create(user: OutUser, userAgent: string, dto: CommentDto) {
     const { documentId, html, replyUserId } = dto;
 
-    const docAuth = await this.documentService.getDocumentAuthority(documentId, user.id);
+    const doc = await this.documentService.findById(documentId);
 
-    if (!docAuth) {
+    if (doc.status !== DocumentStatus.public) {
-      throw new HttpException('文档不存在', HttpStatus.NOT_FOUND);
+      const docAuth = await this.documentService.getDocumentAuthority(documentId, user.id);
-    }
 
-    if (!docAuth.readable) {
+      if (!docAuth) {
-      throw new HttpException('权限不足，无法评论', HttpStatus.FORBIDDEN);
+        throw new HttpException('文档不存在', HttpStatus.NOT_FOUND);
+      }
+
+      if (!docAuth.readable) {
+        throw new HttpException('权限不足，无法评论', HttpStatus.FORBIDDEN);
+      }
     }
 
     const { text: uaText } = parseUserAgent(userAgent);
@@ -62,7 +67,6 @@ export class CommentService {
       documentId,
       parentCommentId: dto.parentCommentId,
       createUserId: user.id,
-      //   TODO: XSS 过滤
       html,
       replyUserId,
       userAgent: uaText,
@@ -71,8 +75,7 @@ export class CommentService {
     const res = await this.commentRepo.create(comment);
     const ret = await this.commentRepo.save(res);
 
-    const doc = await this.documentService.findById(documentId);
+    const wikiUsersAuth = await this.documentService.getDocUsersWithoutAuthCheck(user, documentId);
-    const wikiUsersAuth = await this.documentService.getDocUsers(user, documentId);
 
     await Promise.all(
       wikiUsersAuth.map(async (userAuth) => {
@@ -174,7 +177,7 @@ export class CommentService {
     const newData = await this.commentRepo.merge(old, { html: dto.html });
 
     const doc = await this.documentService.findById(old.documentId);
-    const wikiUsersAuth = await this.documentService.getDocUsers(user, old.documentId);
+    const wikiUsersAuth = await this.documentService.getDocUsersWithoutAuthCheck(user, old.documentId);
 
     await Promise.all(
       wikiUsersAuth.map(async (userAuth) => {

packages/server/src/services/document.service.ts

@@ -272,6 +272,29 @@ export class DocumentService {
     );
   }
 
+  /**
+   * 获取文档成员
+   * 忽略权限检查
+   * @param userId
+   * @param wikiId
+   */
+  async getDocUsersWithoutAuthCheck(user: OutUser, documentId) {
+    const doc = await this.documentRepo.findOne({ id: documentId });
+
+    if (!doc) {
+      throw new HttpException('文档不存在', HttpStatus.BAD_REQUEST);
+    }
+
+    const data = await this.documentAuthorityRepo.find({ documentId });
+
+    return await Promise.all(
+      data.map(async (auth) => {
+        const user = await this.userService.findById(auth.userId);
+        return { auth, user };
+      })
+    );
+  }
+
   /**
    * 创建文档
    * @param user