Fix #341

core/src/main/java/org/b3log/solo/processor/console/CommentConsole.java

@@ -43,7 +43,7 @@ import org.json.JSONObject;
  * Comment console request processing.
  *
  * @author <a href="http://88250.b3log.org">Liang Ding</a>
- * @version 1.0.0.0, Oct 28, 2011
+ * @version 1.0.0.1, Feb 28, 2014
  * @since 0.4.0
  */
 @RequestProcessor
@@ -80,7 +80,7 @@ public class CommentConsole {
 
     /**
      * Removes a comment of an article by the specified request.
-     * 
+     *
      * <p>
      * Renders the response with a json object, for example,
      * <pre>
@@ -108,28 +108,35 @@ public class CommentConsole {
 
         context.setRenderer(renderer);
 
-        final JSONObject jsonObject = new JSONObject();
+        final JSONObject ret = new JSONObject();
 
-        renderer.setJSONObject(jsonObject);
+        renderer.setJSONObject(ret);
 
         try {
             final String commentId = request.getRequestURI().substring((Latkes.getContextPath() + "/console/page/comment/").length());
 
+            if (!commentQueryService.canAccessComment(commentId, request)) {
+                ret.put(Keys.STATUS_CODE, false);
+                ret.put(Keys.MSG, langPropsService.get("forbiddenLabel"));
+
+                return;
+            }
+
             commentMgmtService.removePageComment(commentId);
 
-            jsonObject.put(Keys.STATUS_CODE, true);
-            jsonObject.put(Keys.MSG, langPropsService.get("removeSuccLabel"));
+            ret.put(Keys.STATUS_CODE, true);
+            ret.put(Keys.MSG, langPropsService.get("removeSuccLabel"));
         } catch (final Exception e) {
             LOGGER.log(Level.ERROR, e.getMessage(), e);
 
-            jsonObject.put(Keys.STATUS_CODE, false);
-            jsonObject.put(Keys.MSG, langPropsService.get("removeFailLabel"));
+            ret.put(Keys.STATUS_CODE, false);
+            ret.put(Keys.MSG, langPropsService.get("removeFailLabel"));
         }
     }
 
     /**
      * Removes a comment of an article by the specified request.
-     * 
+     *
      * <p>
      * Renders the response with a json object, for example,
      * <pre>
@@ -157,34 +164,41 @@ public class CommentConsole {
 
         context.setRenderer(renderer);
 
-        final JSONObject jsonObject = new JSONObject();
+        final JSONObject ret = new JSONObject();
 
-        renderer.setJSONObject(jsonObject);
+        renderer.setJSONObject(ret);
 
         try {
             final String commentId = request.getRequestURI().substring((Latkes.getContextPath() + "/console/article/comment/").length());
 
+            if (!commentQueryService.canAccessComment(commentId, request)) {
+                ret.put(Keys.STATUS_CODE, false);
+                ret.put(Keys.MSG, langPropsService.get("forbiddenLabel"));
+
+                return;
+            }
+
             commentMgmtService.removeArticleComment(commentId);
 
-            jsonObject.put(Keys.STATUS_CODE, true);
-            jsonObject.put(Keys.MSG, langPropsService.get("removeSuccLabel"));
+            ret.put(Keys.STATUS_CODE, true);
+            ret.put(Keys.MSG, langPropsService.get("removeSuccLabel"));
         } catch (final Exception e) {
             LOGGER.log(Level.ERROR, e.getMessage(), e);
 
-            jsonObject.put(Keys.STATUS_CODE, false);
-            jsonObject.put(Keys.MSG, langPropsService.get("removeFailLabel"));
+            ret.put(Keys.STATUS_CODE, false);
+            ret.put(Keys.MSG, langPropsService.get("removeFailLabel"));
         }
     }
 
     /**
      * Gets comments by the specified request.
-     * 
+     *
      * <p>
-     * The request URI contains the pagination arguments. For example, the 
+     * The request URI contains the pagination arguments. For example, the
      * request URI is /console/comments/1/10/20, means the current page is 1, the
      * page size is 10, and the window size is 20.
      * </p>
-     * 
+     *
      * <p>
      * Renders the response with a json object, for example,
      * <pre>
@@ -212,7 +226,7 @@ public class CommentConsole {
      * @param request the specified http servlet request
      * @param response the specified http servlet response
      * @param context the specified http request context
-     * @throws Exception exception 
+     * @throws Exception exception
      */
     @RequestProcessing(value = "/console/comments/*/*/*"/* Requests.PAGINATION_PATH_PATTERN */,
         method = HTTPRequestMethod.GET)
@@ -250,7 +264,7 @@ public class CommentConsole {
 
     /**
      * Gets comments of an article specified by the article id for administrator.
-     * 
+     *
      * <p>
      * Renders the response with a json object, for example,
      * <pre>
@@ -312,7 +326,7 @@ public class CommentConsole {
 
     /**
      * Gets comments of a page specified by the article id for administrator.
-     * 
+     *
      * <p>
      * Renders the response with a json object, for example,
      * <pre>

core/src/main/java/org/b3log/solo/service/CommentQueryService.java

@@ -20,11 +20,13 @@ import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.b3log.latke.Keys;
 import org.b3log.latke.logging.Level;
 import org.b3log.latke.logging.Logger;
 import org.b3log.latke.model.Pagination;
+import org.b3log.latke.model.User;
 import org.b3log.latke.repository.Query;
 import org.b3log.latke.repository.SortDirection;
 import org.b3log.latke.service.ServiceException;
@@ -47,7 +49,7 @@ import org.json.JSONObject;
  * Comment query service.
  *
  * @author <a href="http://88250.b3log.org">Liang Ding</a>
- * @version 1.0.0.4, Dec 20, 2011
+ * @version 1.0.0.5, Feb 28, 2014
  * @since 0.3.5
  */
 @Service
@@ -58,6 +60,12 @@ public class CommentQueryService {
      */
     private static final Logger LOGGER = Logger.getLogger(CommentQueryService.class.getName());
 
+    /**
+     * User service.
+     */
+    @Inject
+    private UserQueryService userQueryService;
+
     /**
      * Comment repository.
      */
@@ -76,9 +84,52 @@ public class CommentQueryService {
     @Inject
     private PageRepository pageRepository;
 
+    /**
+     * Can the current user access a comment specified by the given comment id?
+     *
+     * @param commentId the given comment id
+     * @param request the specified request
+     * @return {@code true} if the current user can access the comment, {@code false} otherwise
+     * @throws Exception exception
+     */
+    public boolean canAccessComment(final String commentId, final HttpServletRequest request) throws Exception {
+        if (Strings.isEmptyOrNull(commentId)) {
+            return false;
+        }
+
+        if (userQueryService.isAdminLoggedIn(request)) {
+            return true;
+        }
+        
+        // Here, you are not admin
+
+        final JSONObject comment = commentRepository.get(commentId);
+
+        if (null == comment) {
+            return false;
+        }
+        
+        final String onId = comment.optString(Comment.COMMENT_ON_ID);
+        final String onType = comment.optString(Comment.COMMENT_ON_TYPE);
+
+        if (Page.PAGE.equals(onType)) {
+            return false; // Only admin can access page comment
+        }
+        
+        final JSONObject article = articleRepository.get(onId);
+
+        if (null == article) {
+            return false;
+        }
+        
+        final String currentUserEmail = userQueryService.getCurrentUser(request).getString(User.USER_EMAIL);
+
+        return article.getString(Article.ARTICLE_AUTHOR_EMAIL).equals(currentUserEmail);
+    }
+
     /**
      * Gets comments with the specified request json object, request and response.
-     * 
+     *
      * @param requestJSONObject the specified request json object, for example,
      * <pre>
      * {
@@ -87,6 +138,7 @@ public class CommentQueryService {
      *     "paginationWindowSize": 10
      * }, see {@link Pagination} for more details
      * </pre>
+     *
      * @return for example,
      * <pre>
      * {
@@ -104,6 +156,7 @@ public class CommentQueryService {
      *     "sc": "GET_COMMENTS_SUCC"
      * }
      * </pre>
+     *
      * @throws ServiceException service exception
      * @see Pagination
      */
@@ -207,7 +260,7 @@ public class CommentQueryService {
 
     /**
      * Sets the article repository with the specified article repository.
-     * 
+     *
      * @param articleRepository the specified article repository
      */
     public void setArticleRepository(final ArticleRepository articleRepository) {
@@ -216,7 +269,7 @@ public class CommentQueryService {
 
     /**
      * Set the page repository with the specified page repository.
-     * 
+     *
      * @param pageRepository the specified page repository
      */
     public void setPageRepository(final PageRepository pageRepository) {
@@ -225,7 +278,7 @@ public class CommentQueryService {
 
     /**
      * Sets the comment repository with the specified comment repository.
-     * 
+     *
      * @param commentRepository the specified comment repository
      */
     public void setCommentRepository(final CommentRepository commentRepository) {