Make sure only organizer actor can comment if event comments are

disabled Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-10-05 17:42:53 +02:00
parent efae6c3510
commit 8eca9d9702
4 changed files with 130 additions and 83 deletions
--- a/lib/graphql/resolvers/comment.ex
+++ b/lib/graphql/resolvers/comment.ex
@@ -3,9 +3,10 @@ defmodule Mobilizon.GraphQL.Resolvers.Comment do
  Handles the comment-related GraphQL calls.
  """

-  alias Mobilizon.{Actors, Admin, Discussions}
+  alias Mobilizon.{Actors, Admin, Discussions, Events}
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Discussions.Comment, as: CommentModel
+  alias Mobilizon.Events.{Event, EventOptions}
  alias Mobilizon.Users
  alias Mobilizon.Users.User
  import Mobilizon.Web.Gettext
@@ -20,7 +21,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Comment do

  def create_comment(
        _parent,
-        %{actor_id: actor_id} = args,
+        %{actor_id: actor_id, event_id: event_id} = args,
        %{
          context: %{
            current_user: %User{} = user
@@ -28,10 +29,23 @@ defmodule Mobilizon.GraphQL.Resolvers.Comment do
        }
      ) do
    with {:is_owned, %Actor{} = _organizer_actor} <- User.owns_actor(user, actor_id),
+         {:find_event,
+          {:ok,
+           %Event{
+             options: %EventOptions{comment_moderation: comment_moderation},
+             organizer_actor_id: organizer_actor_id
+           }}} <-
+           {:find_event, Events.get_event(event_id)},
+         {actor_id, ""} <- Integer.parse(actor_id),
+         {:allowed, true} <-
+           {:allowed, comment_moderation != :closed || actor_id == organizer_actor_id},
         {:ok, _, %CommentModel{} = comment} <-
           Comments.create_comment(args) do
      {:ok, comment}
    else
+      {:allowed, false} ->
+        {:error, :unauthorized}
+
      {:is_owned, nil} ->
        {:error, dgettext("errors", "Profile is not owned by authenticated user")}
    end
--- a/lib/graphql/schema/discussions/comment.ex
+++ b/lib/graphql/schema/discussions/comment.ex
@@ -66,7 +66,7 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
    @desc "Create a comment"
    field :create_comment, type: :comment do
      arg(:text, non_null(:string))
-      arg(:event_id, :id)
+      arg(:event_id, non_null(:id))
      arg(:in_reply_to_comment_id, :id)
      arg(:actor_id, non_null(:id))