Commit 4a28d673 authored by Liang Ding's avatar Liang Ding

Fix #341

parent 329ff577
...@@ -43,7 +43,7 @@ import org.json.JSONObject; ...@@ -43,7 +43,7 @@ import org.json.JSONObject;
* Comment console request processing. * Comment console request processing.
* *
* @author <a href="http://88250.b3log.org">Liang Ding</a> * @author <a href="http://88250.b3log.org">Liang Ding</a>
* @version 1.0.0.0, Oct 28, 2011 * @version 1.0.0.1, Feb 28, 2014
* @since 0.4.0 * @since 0.4.0
*/ */
@RequestProcessor @RequestProcessor
...@@ -108,22 +108,29 @@ public class CommentConsole { ...@@ -108,22 +108,29 @@ public class CommentConsole {
context.setRenderer(renderer); context.setRenderer(renderer);
final JSONObject jsonObject = new JSONObject(); final JSONObject ret = new JSONObject();
renderer.setJSONObject(jsonObject); renderer.setJSONObject(ret);
try { try {
final String commentId = request.getRequestURI().substring((Latkes.getContextPath() + "/console/page/comment/").length()); final String commentId = request.getRequestURI().substring((Latkes.getContextPath() + "/console/page/comment/").length());
if (!commentQueryService.canAccessComment(commentId, request)) {
ret.put(Keys.STATUS_CODE, false);
ret.put(Keys.MSG, langPropsService.get("forbiddenLabel"));
return;
}
commentMgmtService.removePageComment(commentId); commentMgmtService.removePageComment(commentId);
jsonObject.put(Keys.STATUS_CODE, true); ret.put(Keys.STATUS_CODE, true);
jsonObject.put(Keys.MSG, langPropsService.get("removeSuccLabel")); ret.put(Keys.MSG, langPropsService.get("removeSuccLabel"));
} catch (final Exception e) { } catch (final Exception e) {
LOGGER.log(Level.ERROR, e.getMessage(), e); LOGGER.log(Level.ERROR, e.getMessage(), e);
jsonObject.put(Keys.STATUS_CODE, false); ret.put(Keys.STATUS_CODE, false);
jsonObject.put(Keys.MSG, langPropsService.get("removeFailLabel")); ret.put(Keys.MSG, langPropsService.get("removeFailLabel"));
} }
} }
...@@ -157,22 +164,29 @@ public class CommentConsole { ...@@ -157,22 +164,29 @@ public class CommentConsole {
context.setRenderer(renderer); context.setRenderer(renderer);
final JSONObject jsonObject = new JSONObject(); final JSONObject ret = new JSONObject();
renderer.setJSONObject(jsonObject); renderer.setJSONObject(ret);
try { try {
final String commentId = request.getRequestURI().substring((Latkes.getContextPath() + "/console/article/comment/").length()); final String commentId = request.getRequestURI().substring((Latkes.getContextPath() + "/console/article/comment/").length());
if (!commentQueryService.canAccessComment(commentId, request)) {
ret.put(Keys.STATUS_CODE, false);
ret.put(Keys.MSG, langPropsService.get("forbiddenLabel"));
return;
}
commentMgmtService.removeArticleComment(commentId); commentMgmtService.removeArticleComment(commentId);
jsonObject.put(Keys.STATUS_CODE, true); ret.put(Keys.STATUS_CODE, true);
jsonObject.put(Keys.MSG, langPropsService.get("removeSuccLabel")); ret.put(Keys.MSG, langPropsService.get("removeSuccLabel"));
} catch (final Exception e) { } catch (final Exception e) {
LOGGER.log(Level.ERROR, e.getMessage(), e); LOGGER.log(Level.ERROR, e.getMessage(), e);
jsonObject.put(Keys.STATUS_CODE, false); ret.put(Keys.STATUS_CODE, false);
jsonObject.put(Keys.MSG, langPropsService.get("removeFailLabel")); ret.put(Keys.MSG, langPropsService.get("removeFailLabel"));
} }
} }
......
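Review bot: The new authorization guard in the page-comment hunk is repeated verbatim in the article-comment hunk below (same `canAccessComment` call, same `STATUS_CODE`/`forbiddenLabel` response, same `return`), so a later fix to one copy can silently miss the other; extracting it into a private helper such as `private boolean denyUnlessAccessible(final String commentId, final HttpServletRequest request, final JSONObject ret) throws Exception` that fills `ret` and returns whether to continue would keep the two handlers in step. A forbidden outcome is also reported as a normal success response carrying `STATUS_CODE=false`, the same shape as the `removeFailLabel` failure path, so a client or log reviewer cannot tell a denied request from a broken one without reading the message text; if the servlet response is in scope in these handlers (their signatures start before the hunk), setting `HttpServletResponse.SC_FORBIDDEN` on the denied branch would make the distinction explicit. Because `canAccessComment` declares `throws Exception`, a failure inside the check itself is caught by the existing `catch (final Exception e)` and reported as `removeFailLabel`, which is fail-closed but worth a one-line comment on the catch so the next maintainer does not "fix" it into a permissive path. Both enclosing methods begin and end outside the visible hunks.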
...@@ -20,11 +20,13 @@ import java.util.ArrayList; ...@@ -20,11 +20,13 @@ import java.util.ArrayList;
import java.util.Date; import java.util.Date;
import java.util.List; import java.util.List;
import javax.inject.Inject; import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringEscapeUtils;
import org.b3log.latke.Keys; import org.b3log.latke.Keys;
import org.b3log.latke.logging.Level; import org.b3log.latke.logging.Level;
import org.b3log.latke.logging.Logger; import org.b3log.latke.logging.Logger;
import org.b3log.latke.model.Pagination; import org.b3log.latke.model.Pagination;
import org.b3log.latke.model.User;
import org.b3log.latke.repository.Query; import org.b3log.latke.repository.Query;
import org.b3log.latke.repository.SortDirection; import org.b3log.latke.repository.SortDirection;
import org.b3log.latke.service.ServiceException; import org.b3log.latke.service.ServiceException;
...@@ -47,7 +49,7 @@ import org.json.JSONObject; ...@@ -47,7 +49,7 @@ import org.json.JSONObject;
* Comment query service. * Comment query service.
* *
* @author <a href="http://88250.b3log.org">Liang Ding</a> * @author <a href="http://88250.b3log.org">Liang Ding</a>
* @version 1.0.0.4, Dec 20, 2011 * @version 1.0.0.5, Feb 28, 2014
* @since 0.3.5 * @since 0.3.5
*/ */
@Service @Service
...@@ -58,6 +60,12 @@ public class CommentQueryService { ...@@ -58,6 +60,12 @@ public class CommentQueryService {
*/ */
private static final Logger LOGGER = Logger.getLogger(CommentQueryService.class.getName()); private static final Logger LOGGER = Logger.getLogger(CommentQueryService.class.getName());
/**
* User service.
*/
@Inject
private UserQueryService userQueryService;
/** /**
* Comment repository. * Comment repository.
*/ */
...@@ -76,6 +84,49 @@ public class CommentQueryService { ...@@ -76,6 +84,49 @@ public class CommentQueryService {
@Inject @Inject
private PageRepository pageRepository; private PageRepository pageRepository;
/**
* Can the current user access a comment specified by the given comment id?
*
* @param commentId the given comment id
* @param request the specified request
* @return {@code true} if the current user can access the comment, {@code false} otherwise
* @throws Exception exception
*/
public boolean canAccessComment(final String commentId, final HttpServletRequest request) throws Exception {
if (Strings.isEmptyOrNull(commentId)) {
return false;
}
if (userQueryService.isAdminLoggedIn(request)) {
return true;
}
// Here, you are not admin
final JSONObject comment = commentRepository.get(commentId);
if (null == comment) {
return false;
}
final String onId = comment.optString(Comment.COMMENT_ON_ID);
final String onType = comment.optString(Comment.COMMENT_ON_TYPE);
if (Page.PAGE.equals(onType)) {
return false; // Only admin can access page comment
}
final JSONObject article = articleRepository.get(onId);
if (null == article) {
return false;
}
final String currentUserEmail = userQueryService.getCurrentUser(request).getString(User.USER_EMAIL);
return article.getString(Article.ARTICLE_AUTHOR_EMAIL).equals(currentUserEmail);
}
/** /**
* Gets comments with the specified request json object, request and response. * Gets comments with the specified request json object, request and response.
* *
...@@ -87,6 +138,7 @@ public class CommentQueryService { ...@@ -87,6 +138,7 @@ public class CommentQueryService {
* "paginationWindowSize": 10 * "paginationWindowSize": 10
* }, see {@link Pagination} for more details * }, see {@link Pagination} for more details
* </pre> * </pre>
*
* @return for example, * @return for example,
* <pre> * <pre>
* { * {
...@@ -104,6 +156,7 @@ public class CommentQueryService { ...@@ -104,6 +156,7 @@ public class CommentQueryService {
* "sc": "GET_COMMENTS_SUCC" * "sc": "GET_COMMENTS_SUCC"
* } * }
* </pre> * </pre>
*
* @throws ServiceException service exception * @throws ServiceException service exception
* @see Pagination * @see Pagination
*/ */
......
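Review bot: In the new `canAccessComment`, the result of `userQueryService.getCurrentUser(request)` is dereferenced immediately by `.getString(User.USER_EMAIL)`; if that call can yield null for a request with no logged-in user (its contract is not visible here), the non-admin path ends in a NullPointerException instead of a clean `false`, and callers that only catch `Exception` will log it as an error rather than a denial. A guard such as `final JSONObject currentUser = userQueryService.getCurrentUser(request); if (null == currentUser) { return false; }` before the email comparison keeps the method fail-closed without relying on an exception. The author-email comparison with `equals` is also case-sensitive, so whether it matches depends on the emails having been normalized at registration and article creation; a comment stating that assumption, or a `Locale.ROOT` lower-casing of both sides if they are not, would make the intent explicit. The Javadoc `@throws Exception exception` tag says nothing about when the method fails; naming the repository and user-lookup failures it propagates would help callers decide how to handle them.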