Owner must not be able to approve its own comment
This commit is contained in:
parent
d5323a641b
commit
990266f149
|
@ -132,7 +132,7 @@ export class VideoCommentComponent implements OnInit, OnChanges {
|
|||
this.timestampClicked.emit(timestamp)
|
||||
}
|
||||
|
||||
canBeRemovedOrApprovedByUser () {
|
||||
canBeRemovedUser () {
|
||||
return this.comment.account && this.isUserLoggedIn() &&
|
||||
(
|
||||
this.user.account.id === this.comment.account.id ||
|
||||
|
@ -141,6 +141,14 @@ export class VideoCommentComponent implements OnInit, OnChanges {
|
|||
)
|
||||
}
|
||||
|
||||
canBeApprovedByUser () {
|
||||
return this.comment.account && this.isUserLoggedIn() &&
|
||||
(
|
||||
this.user.account.id === this.video.account.id ||
|
||||
this.user.hasRight(UserRight.MANAGE_ANY_VIDEO_COMMENT)
|
||||
)
|
||||
}
|
||||
|
||||
isRedraftableByUser () {
|
||||
return (
|
||||
this.comment.account &&
|
||||
|
@ -201,7 +209,7 @@ export class VideoCommentComponent implements OnInit, OnChanges {
|
|||
|
||||
this.prependModerationActions = []
|
||||
|
||||
if (this.canBeRemovedOrApprovedByUser() && this.comment.heldForReview) {
|
||||
if (this.canBeApprovedByUser() && this.comment.heldForReview) {
|
||||
this.prependModerationActions.push({
|
||||
label: $localize`Approve`,
|
||||
iconName: 'tick',
|
||||
|
@ -217,7 +225,7 @@ export class VideoCommentComponent implements OnInit, OnChanges {
|
|||
})
|
||||
}
|
||||
|
||||
if (this.canBeRemovedOrApprovedByUser()) {
|
||||
if (this.canBeRemovedUser()) {
|
||||
this.prependModerationActions.push({
|
||||
label: $localize`Remove`,
|
||||
iconName: 'delete',
|
||||
|
|
|
@ -502,10 +502,14 @@ describe('Test video comments API validator', function () {
|
|||
let videoId: string
|
||||
let commentId: number
|
||||
let deletedCommentId: number
|
||||
let userAccessToken3: string
|
||||
|
||||
before(async function () {
|
||||
userAccessToken3 = await server.users.generateUserAndToken('user3')
|
||||
|
||||
{
|
||||
const res = await server.videos.upload({
|
||||
token: userAccessToken,
|
||||
attributes: {
|
||||
name: 'review policy',
|
||||
commentsPolicy: VideoCommentPolicy.REQUIRES_APPROVAL
|
||||
|
@ -516,12 +520,12 @@ describe('Test video comments API validator', function () {
|
|||
}
|
||||
|
||||
{
|
||||
const res = await server.comments.createThread({ text: 'thread', videoId, token: userAccessToken })
|
||||
const res = await server.comments.createThread({ text: 'thread', videoId, token: userAccessToken2 })
|
||||
commentId = res.id
|
||||
}
|
||||
|
||||
{
|
||||
const res = await server.comments.createThread({ text: 'deleted', videoId, token: userAccessToken })
|
||||
const res = await server.comments.createThread({ text: 'deleted', videoId, token: userAccessToken2 })
|
||||
deletedCommentId = res.id
|
||||
|
||||
await server.comments.delete({ commentId: deletedCommentId, videoId })
|
||||
|
@ -533,15 +537,19 @@ describe('Test video comments API validator', function () {
|
|||
})
|
||||
|
||||
it('Should fail with another user', async function () {
|
||||
await server.comments.approve({ token: userAccessToken3, commentId, videoId, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
|
||||
})
|
||||
|
||||
it('Should fail with the owner', async function () {
|
||||
await server.comments.approve({ token: userAccessToken2, commentId, videoId, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
|
||||
})
|
||||
|
||||
it('Should fail with an incorrect video', async function () {
|
||||
await server.comments.approve({ token: userAccessToken2, commentId, videoId: 42, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
|
||||
await server.comments.approve({ token: userAccessToken, commentId, videoId: 42, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
|
||||
})
|
||||
|
||||
it('Should fail with an incorrect comment', async function () {
|
||||
await server.comments.approve({ token: userAccessToken2, commentId: 42, videoId, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
|
||||
await server.comments.approve({ token: userAccessToken, commentId: 42, videoId, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
|
||||
})
|
||||
|
||||
it('Should fail with a deleted comment', async function () {
|
||||
|
|
|
@ -237,7 +237,21 @@ function checkUserCanDeleteVideoComment (user: MUserAccountUrl, videoComment: MC
|
|||
return false
|
||||
}
|
||||
|
||||
return checkUserCanManageVideoComment(user, videoComment, res)
|
||||
const userAccount = user.Account
|
||||
|
||||
if (
|
||||
user.hasRight(UserRight.MANAGE_ANY_VIDEO_COMMENT) === false && // Not a moderator
|
||||
videoComment.accountId !== userAccount.id && // Not the comment owner
|
||||
videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
|
||||
) {
|
||||
res.fail({
|
||||
status: HttpStatusCode.FORBIDDEN_403,
|
||||
message: 'Cannot remove video comment of another user'
|
||||
})
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
function checkUserCanApproveVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
|
||||
|
@ -257,20 +271,15 @@ function checkUserCanApproveVideoComment (user: MUserAccountUrl, videoComment: M
|
|||
return false
|
||||
}
|
||||
|
||||
return checkUserCanManageVideoComment(user, videoComment, res)
|
||||
}
|
||||
|
||||
function checkUserCanManageVideoComment (user: MUserAccountUrl, videoComment: MCommentOwnerVideoReply, res: express.Response) {
|
||||
const userAccount = user.Account
|
||||
|
||||
if (
|
||||
user.hasRight(UserRight.MANAGE_ANY_VIDEO_COMMENT) === false && // Not a moderator
|
||||
videoComment.accountId !== userAccount.id && // Not the comment owner
|
||||
videoComment.Video.VideoChannel.accountId !== userAccount.id // Not the video owner
|
||||
) {
|
||||
res.fail({
|
||||
status: HttpStatusCode.FORBIDDEN_403,
|
||||
message: 'Cannot remove video comment of another user'
|
||||
message: 'Cannot approve video comment of another user'
|
||||
})
|
||||
return false
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue