server: fix comment in public document

fantasticit 2022-06-03 20:54:09 +08:00
parent a56ff665c0
commit a71a31046c
2 changed files with 36 additions and 10 deletions


@ -6,6 +6,7 @@ import { InjectRepository } from '@nestjs/typeorm';
import { DocumentService } from '@services/document.service'; import { DocumentService } from '@services/document.service';
import { MessageService } from '@services/message.service'; import { MessageService } from '@services/message.service';
import { OutUser, UserService } from '@services/user.service'; import { OutUser, UserService } from '@services/user.service';
import { DocumentStatus } from '@think/domains';
import { Repository } from 'typeorm'; import { Repository } from 'typeorm';
@Injectable() @Injectable()
@ -46,14 +47,18 @@ export class CommentService {
async create(user: OutUser, userAgent: string, dto: CommentDto) { async create(user: OutUser, userAgent: string, dto: CommentDto) {
const { documentId, html, replyUserId } = dto; const { documentId, html, replyUserId } = dto;
const docAuth = await this.documentService.getDocumentAuthority(documentId, user.id); const doc = await this.documentService.findById(documentId);
if (!docAuth) { if (doc.status !== DocumentStatus.public) {
throw new HttpException('文档不存在', HttpStatus.NOT_FOUND); const docAuth = await this.documentService.getDocumentAuthority(documentId, user.id);
}
if (!docAuth.readable) { if (!docAuth) {
throw new HttpException('权限不足,无法评论', HttpStatus.FORBIDDEN); throw new HttpException('文档不存在', HttpStatus.NOT_FOUND);
}
if (!docAuth.readable) {
throw new HttpException('权限不足,无法评论', HttpStatus.FORBIDDEN);
}
} }
const { text: uaText } = parseUserAgent(userAgent); const { text: uaText } = parseUserAgent(userAgent);
@ -62,7 +67,6 @@ export class CommentService {
documentId, documentId,
parentCommentId: dto.parentCommentId, parentCommentId: dto.parentCommentId,
createUserId: user.id, createUserId: user.id,
// TODO: XSS 过滤
html, html,
replyUserId, replyUserId,
userAgent: uaText, userAgent: uaText,
@ -71,8 +75,7 @@ export class CommentService {
const res = await this.commentRepo.create(comment); const res = await this.commentRepo.create(comment);
const ret = await this.commentRepo.save(res); const ret = await this.commentRepo.save(res);
const doc = await this.documentService.findById(documentId); const wikiUsersAuth = await this.documentService.getDocUsersWithoutAuthCheck(user, documentId);
const wikiUsersAuth = await this.documentService.getDocUsers(user, documentId);
await Promise.all( await Promise.all(
wikiUsersAuth.map(async (userAuth) => { wikiUsersAuth.map(async (userAuth) => {
@ -174,7 +177,7 @@ export class CommentService {
const newData = await this.commentRepo.merge(old, { html: dto.html }); const newData = await this.commentRepo.merge(old, { html: dto.html });
const doc = await this.documentService.findById(old.documentId); const doc = await this.documentService.findById(old.documentId);
const wikiUsersAuth = await this.documentService.getDocUsers(user, old.documentId); const wikiUsersAuth = await this.documentService.getDocUsersWithoutAuthCheck(user, old.documentId);
await Promise.all( await Promise.all(
wikiUsersAuth.map(async (userAuth) => { wikiUsersAuth.map(async (userAuth) => {
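Review bot: In `create`, the new public-document branch reads `doc.status` before confirming that the lookup found anything; if `findById` can resolve to `undefined` for an unknown id (the `getDocUsersWithoutAuthCheck` added in this same commit guards its `findOne` result explicitly, so not-found appears to be a real case in this service), commenting on a nonexistent document now fails with a TypeError instead of the 404 the old `getDocumentAuthority` path returned. A guard ahead of the status comparison keeps the previous contract: `if (!doc) throw new HttpException('文档不存在', HttpStatus.NOT_FOUND);`. Separately, the hunk at `@ -62,7 +67,6` drops the `// TODO: XSS 过滤` marker above `html` while the value is still handed to the repository unchanged; unless sanitization happens elsewhere, that marker should stay (or the filtering be added), since public documents now accept comment HTML from any caller who reaches this endpoint without holding an authority record. `create` starts in this section but its body continues past the hunk.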


@ -272,6 +272,29 @@ export class DocumentService {
); );
} }
/**
*
*
* @param userId
* @param wikiId
*/
async getDocUsersWithoutAuthCheck(user: OutUser, documentId) {
const doc = await this.documentRepo.findOne({ id: documentId });
if (!doc) {
throw new HttpException('文档不存在', HttpStatus.BAD_REQUEST);
}
const data = await this.documentAuthorityRepo.find({ documentId });
return await Promise.all(
data.map(async (auth) => {
const user = await this.userService.findById(auth.userId);
return { auth, user };
})
);
}
/** /**
* *
* @param user * @param user