mirror of https://github.com/fantasticit/think.git
server: fix comment in public document
parent
a56ff665c0
commit
a71a31046c
|
@ -6,6 +6,7 @@ import { InjectRepository } from '@nestjs/typeorm';
|
||||||
import { DocumentService } from '@services/document.service';
|
import { DocumentService } from '@services/document.service';
|
||||||
import { MessageService } from '@services/message.service';
|
import { MessageService } from '@services/message.service';
|
||||||
import { OutUser, UserService } from '@services/user.service';
|
import { OutUser, UserService } from '@services/user.service';
|
||||||
|
import { DocumentStatus } from '@think/domains';
|
||||||
import { Repository } from 'typeorm';
|
import { Repository } from 'typeorm';
|
||||||
|
|
||||||
@Injectable()
|
@Injectable()
|
||||||
|
@ -46,14 +47,18 @@ export class CommentService {
|
||||||
async create(user: OutUser, userAgent: string, dto: CommentDto) {
|
async create(user: OutUser, userAgent: string, dto: CommentDto) {
|
||||||
const { documentId, html, replyUserId } = dto;
|
const { documentId, html, replyUserId } = dto;
|
||||||
|
|
||||||
const docAuth = await this.documentService.getDocumentAuthority(documentId, user.id);
|
const doc = await this.documentService.findById(documentId);
|
||||||
|
|
||||||
if (!docAuth) {
|
if (doc.status !== DocumentStatus.public) {
|
||||||
throw new HttpException('文档不存在', HttpStatus.NOT_FOUND);
|
const docAuth = await this.documentService.getDocumentAuthority(documentId, user.id);
|
||||||
}
|
|
||||||
|
|
||||||
if (!docAuth.readable) {
|
if (!docAuth) {
|
||||||
throw new HttpException('权限不足,无法评论', HttpStatus.FORBIDDEN);
|
throw new HttpException('文档不存在', HttpStatus.NOT_FOUND);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!docAuth.readable) {
|
||||||
|
throw new HttpException('权限不足,无法评论', HttpStatus.FORBIDDEN);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const { text: uaText } = parseUserAgent(userAgent);
|
const { text: uaText } = parseUserAgent(userAgent);
|
||||||
|
@ -62,7 +67,6 @@ export class CommentService {
|
||||||
documentId,
|
documentId,
|
||||||
parentCommentId: dto.parentCommentId,
|
parentCommentId: dto.parentCommentId,
|
||||||
createUserId: user.id,
|
createUserId: user.id,
|
||||||
// TODO: XSS 过滤
|
|
||||||
html,
|
html,
|
||||||
replyUserId,
|
replyUserId,
|
||||||
userAgent: uaText,
|
userAgent: uaText,
|
||||||
|
@ -71,8 +75,7 @@ export class CommentService {
|
||||||
const res = await this.commentRepo.create(comment);
|
const res = await this.commentRepo.create(comment);
|
||||||
const ret = await this.commentRepo.save(res);
|
const ret = await this.commentRepo.save(res);
|
||||||
|
|
||||||
const doc = await this.documentService.findById(documentId);
|
const wikiUsersAuth = await this.documentService.getDocUsersWithoutAuthCheck(user, documentId);
|
||||||
const wikiUsersAuth = await this.documentService.getDocUsers(user, documentId);
|
|
||||||
|
|
||||||
await Promise.all(
|
await Promise.all(
|
||||||
wikiUsersAuth.map(async (userAuth) => {
|
wikiUsersAuth.map(async (userAuth) => {
|
||||||
|
@ -174,7 +177,7 @@ export class CommentService {
|
||||||
const newData = await this.commentRepo.merge(old, { html: dto.html });
|
const newData = await this.commentRepo.merge(old, { html: dto.html });
|
||||||
|
|
||||||
const doc = await this.documentService.findById(old.documentId);
|
const doc = await this.documentService.findById(old.documentId);
|
||||||
const wikiUsersAuth = await this.documentService.getDocUsers(user, old.documentId);
|
const wikiUsersAuth = await this.documentService.getDocUsersWithoutAuthCheck(user, old.documentId);
|
||||||
|
|
||||||
await Promise.all(
|
await Promise.all(
|
||||||
wikiUsersAuth.map(async (userAuth) => {
|
wikiUsersAuth.map(async (userAuth) => {
|
||||||
|
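Review bot: In `create`, `html` still passes from the DTO into the stored comment unchanged, and this commit drops the `// TODO: XSS 过滤` marker without adding any filtering in the visible lines. Because the new `doc.status !== DocumentStatus.public` branch skips the authority lookup, any caller that reaches `create` can now post to a public document, so unfiltered markup would be shown to a wider audience than before. Unless sanitising happens elsewhere (DTO validation or render time, neither visible here), `html` should go through an allow-list HTML sanitiser before `commentRepo.create`, or at minimum the TODO should stay. The same branch reads `doc.status` with no existence check; if `findById` can return nothing for an unknown id, a guard such as `if (!doc) throw new HttpException('文档不存在', HttpStatus.NOT_FOUND);` belongs right after it, to keep the earlier 404 behaviour.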
|
|
@ -272,6 +272,29 @@ export class DocumentService {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 获取文档成员
|
||||||
|
* 忽略权限检查
|
||||||
|
* @param userId
|
||||||
|
* @param wikiId
|
||||||
|
*/
|
||||||
|
async getDocUsersWithoutAuthCheck(user: OutUser, documentId) {
|
||||||
|
const doc = await this.documentRepo.findOne({ id: documentId });
|
||||||
|
|
||||||
|
if (!doc) {
|
||||||
|
throw new HttpException('文档不存在', HttpStatus.BAD_REQUEST);
|
||||||
|
}
|
||||||
|
|
||||||
|
const data = await this.documentAuthorityRepo.find({ documentId });
|
||||||
|
|
||||||
|
return await Promise.all(
|
||||||
|
data.map(async (auth) => {
|
||||||
|
const user = await this.userService.findById(auth.userId);
|
||||||
|
return { auth, user };
|
||||||
|
})
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* 创建文档
|
* 创建文档
|
||||||
* @param user
|
* @param user
|
||||||
|
|
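Review bot: `getDocUsersWithoutAuthCheck` never reads its `user` parameter, and the `const user` inside the `map` callback shadows it, so nothing in the method ties the result to the caller. Since it returns every member's authority record and user object with no permission check, the doc comment should state that contract, e.g. `* Internal use only (notification fan-out): performs no permission check; never return the result to a client.` The tags `@param userId` / `@param wikiId` do not match the signature `(user: OutUser, documentId)`; they should read `@param user` / `@param documentId`, and `documentId` should get an explicit type instead of an implicit `any`. Whether `userService.findById` strips sensitive fields is not visible here, which is one more reason to keep this result server-side.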