From b1053cd653a0b1fd2970476adc9253978cbf4f6c Mon Sep 17 00:00:00 2001
From: OldHawk <taobataoma@gmail.com>
Date: Sun, 16 Jul 2017 15:45:52 +0800
Subject: [PATCH] feat(forums): update/delete access check from server side.

---
 .../forums-topic.client.controller.js         |  30 ++---
 .../client/views/topic.client.view.html       |  16 +--
 .../controllers/forums.server.controller.js   | 104 +++++++++++++++++-
 3 files changed, 122 insertions(+), 28 deletions(-)

diff --git a/modules/forums/client/controllers/forums-topic.client.controller.js b/modules/forums/client/controllers/forums-topic.client.controller.js
index 0b8f0929..ab8f2ba7 100644
--- a/modules/forums/client/controllers/forums-topic.client.controller.js
+++ b/modules/forums/client/controllers/forums-topic.client.controller.js
@@ -76,17 +76,19 @@
     };
 
     /**
-     * isTopicOwner
-     * @param t
+     * isOwner
+     * @param o, topic or reply
      * @returns {boolean}
      */
-    vm.isOwner = function (t) {
-      if (t) {
-        if (t.user._id.str === vm.user._id) {
+    vm.isOwner = function (o) {
+      if (o) {
+        if (o.user._id.str === vm.user._id) {
           return true;
         } else {
           return false;
         }
+      } else {
+        return false;
       }
     };
 
@@ -104,22 +106,20 @@
           }
         });
       }
-
       return isM;
     };
 
     /**
-     * canEditTopic
-     * @param t
+     * canEdit
      * @returns {boolean}
      */
-    vm.canEdit = function (t) {
-      if (t) {
-        if (vm.isModerator() || vm.isOwner(t) || vm.user.isOper) {
-          return true;
-        } else {
-          return false;
-        }
+    vm.canEdit = function () {
+      if (vm.user.isOper) {
+        return true;
+      } else if (vm.isModerator()) {
+        return true;
+      } else {
+        return false;
       }
     };
 
diff --git a/modules/forums/client/views/topic.client.view.html b/modules/forums/client/views/topic.client.view.html
index 129194ec..1494c518 100644
--- a/modules/forums/client/views/topic.client.view.html
+++ b/modules/forums/client/views/topic.client.view.html
@@ -50,16 +50,16 @@
                             </ul>
                         </div>
                         <div class="box-post-btn">
-                            <div ng-if="!vm.topic.readOnly || vm.canEdit(vm.topic)">
+                            <div ng-if="!vm.topic.readOnly || vm.canEdit(vm.topic) || vm.isOwner(vm.topic)">
                                 <a class="btn btn-success btn-width-100"
                                    href="#" ng-click="vm.beginPostReply();">{{'FORUMS.BTN_POST_NEW_REPLY' | translate}}</a>
                                 <a class="btn btn-default btn-width-100"
-                                   href="#" ng-if="vm.canEdit(vm.topic)"
+                                   href="#" ng-if="vm.canEdit(vm.topic) || vm.isOwner(vm.topic)"
                                    ng-click="vm.toggleReadonly(vm.topic);">{{ vm.topic.readOnly ? 'FORUMS.BTN_UNSET_READONLY' : 'FORUMS.BTN_SET_READONLY' | translate}}</a>
                             </div>
 
                             <h5 class="text-danger text-uppercase" translate="FORUMS.READ_ONLY_REPLY"
-                                ng-if="vm.topic.readOnly && !vm.canEdit(vm.topic)"></h5>
+                                ng-if="vm.topic.readOnly && !vm.canEdit(vm.topic) && !vm.isOwner(vm.topic)"></h5>
                         </div>
                     </div>
                 </div>
@@ -109,15 +109,15 @@
                                                        ng-click="vm.quoteAndReply(vm.topic);"></i>
                                                     <i class="fa fa-pencil-square-o" aria-hidden="true"
                                                        title="{{'FORUMS.TITLES.TOPIC_EDIT' | translate}}"
-                                                       ng-show="vm.canEdit(vm.topic);"
+                                                       ng-show="vm.canEdit() || vm.isOwner(vm.topic)"
                                                        ng-click="vm.beginEditTopic(vm.topic)"></i>
                                                     <i class="fa fa-times" aria-hidden="true"
                                                        title="{{'FORUMS.TITLES.TOPIC_DELETE' | translate}}"
-                                                       ng-show="vm.canEdit(vm.topic);"
+                                                       ng-show="vm.canEdit() || vm.isOwner(vm.topic)"
                                                        ng-click="vm.beginDeleteTopic(vm.topic);"></i>
                                                     <i class="fa" ng-class="vm.topic.isTop ? 'fa-arrow-circle-down' : 'fa-arrow-circle-up'" aria-hidden="true"
                                                        title="{{'FORUMS.TITLES.TOPIC_TOP_TOPIC' | translate}}"
-                                                       ng-show="vm.canEdit(vm.topic);"
+                                                       ng-show="vm.canEdit()"
                                                        ng-click="vm.beginTopTopic(vm.topic);"></i>
                                                     <i class="fa" ng-class="vm.topic.isGlobal ? 'fa-download' : 'fa-upload'" aria-hidden="true"
                                                        title="{{'FORUMS.TITLES.TOPIC_GLOBAL_TOPIC' | translate}}"
@@ -182,11 +182,11 @@
                                                        ng-click="vm.quoteAndReply(rep);"></i>
                                                     <i class="fa fa-pencil-square-o" aria-hidden="true"
                                                        title="{{'FORUMS.TITLES.REPLY_EDIT' | translate}}"
-                                                       ng-show="vm.canEdit(rep);"
+                                                       ng-show="vm.canEdit() || vm.isOwner(rep)"
                                                        ng-click="vm.beginEditReply(rep)"></i>
                                                     <i class="fa fa-times" aria-hidden="true"
                                                        title="{{'FORUMS.TITLES.REPLY_DELETE' | translate}}"
-                                                       ng-show="vm.canEdit(rep);"
+                                                       ng-show="vm.canEdit() || vm.isOwner(rep)"
                                                        ng-click="vm.beginDeleteReply(rep);"></i>
                                                     <span ng-click="vm.beginThumbsUp($event, vm.topic, rep);">
                                                         <i id="thumbs_{{rep._id}}" class="fa fa-thumbs-up" aria-hidden="true"
diff --git a/modules/forums/server/controllers/forums.server.controller.js b/modules/forums/server/controllers/forums.server.controller.js
index be529cb4..31dc0d18 100644
--- a/modules/forums/server/controllers/forums.server.controller.js
+++ b/modules/forums/server/controllers/forums.server.controller.js
@@ -284,6 +284,12 @@ exports.updateTopic = function (req, res) {
   var forum = req.forum;
   var topic = req.topic;
 
+  if (!canEdit(req.user, forum) && !isOwner(req.user, topic)) {
+    return res.status(403).json({
+      message: 'ERROR: User is not authorized'
+    });
+  }
+
   topic.content = req.body.content;
   topic.updatedAt = Date.now();
   topic.updatedBy = req.user;
@@ -305,8 +311,15 @@ exports.updateTopic = function (req, res) {
  * @param res
  */
 exports.toggleTopicReadonly = function (req, res) {
+  var forum = req.forum;
   var topic = req.topic;
 
+  if (!canEdit(req.user, forum) && !isOwner(req.user, topic)) {
+    return res.status(403).json({
+      message: 'ERROR: User is not authorized'
+    });
+  }
+
   topic.readOnly = !topic.readOnly;
 
   topic.save(function (err) {
@@ -326,8 +339,15 @@ exports.toggleTopicReadonly = function (req, res) {
  * @param res
  */
 exports.toggleTopicTopStatus = function (req, res) {
+  var forum = req.forum;
   var topic = req.topic;
 
+  if (!canEdit(req.user, forum)) {
+    return res.status(403).json({
+      message: 'ERROR: User is not authorized'
+    });
+  }
+
   topic.isTop = !topic.isTop;
 
   topic.save(function (err) {
@@ -349,6 +369,12 @@ exports.toggleTopicTopStatus = function (req, res) {
 exports.toggleTopicGlobalStatus = function (req, res) {
   var topic = req.topic;
 
+  if (!req.user.isOper) {
+    return res.status(403).json({
+      message: 'ERROR: User is not authorized'
+    });
+  }
+
   topic.isGlobal = !topic.isGlobal;
 
   topic.save(function (err) {
@@ -458,6 +484,12 @@ exports.deleteTopic = function (req, res) {
   var topic = req.topic;
   var rcount = topic.replyCount;
 
+  if (!canEdit(req.user, forum) && !isOwner(req.user, topic)) {
+    return res.status(403).json({
+      message: 'ERROR: User is not authorized'
+    });
+  }
+
   topic._replies.forEach(function (r) {
     r.user.update({
       $inc: {replies: -1}
@@ -566,13 +598,21 @@ exports.postNewReply = function (req, res) {
  * @param res
  */
 exports.updateReply = function (req, res) {
+  var forum = req.forum;
   var topic = req.topic;
 
-  topic._replies.forEach(function (t) {
-    if (t._id.equals(req.params.replyId)) {
-      t.content = req.body.content;
-      t.updatedAt = Date.now();
-      t.updatedBy = req.user;
+  topic._replies.forEach(function (r) {
+    if (r._id.equals(req.params.replyId)) {
+
+      if (!canEdit(req.user, forum) && !isOwner(req.user, r)) {
+        return res.status(403).json({
+          message: 'ERROR: User is not authorized'
+        });
+      }
+
+      r.content = req.body.content;
+      r.updatedAt = Date.now();
+      r.updatedBy = req.user;
 
       topic.save(function (err) {
         if (err) {
@@ -599,6 +639,13 @@ exports.deleteReply = function (req, res) {
 
   topic._replies.forEach(function (r) {
     if (r._id.equals(req.params.replyId)) {
+
+      if (!canEdit(req.user, forum) && !isOwner(req.user, r)) {
+        return res.status(403).json({
+          message: 'ERROR: User is not authorized'
+        });
+      }
+
       topic._replies.pull(r);
       topic.replyCount--;
       topic.save(function (err) {
@@ -795,3 +842,50 @@ exports.topicById = function (req, res, next, id) {
       next();
     });
 };
+
+/**
+ * canEdit
+ * @param u, req.user
+ * @param f, forum
+ * @returns {boolean}
+ */
+function canEdit(u, f) {
+  if (u.isOper) {
+    return true;
+  } else if (isModerator(f)) {
+    return true;
+  } else {
+    return false;
+  }
+
+  function isModerator(f) {
+    if (f) {
+      var isM = false;
+      f.moderators.forEach(function (m) {
+        if (m._id === u._id) {
+          isM = true;
+        }
+      });
+      return isM;
+    } else {
+      return false;
+    }
+  }
+}
+
+/**
+ * isOwner
+ * @param o, topic or reply object
+ * @returns {boolean}
+ */
+function isOwner(u, o) {
+  if (o) {
+    if (o.user._id.str === u._id) {
+      return true;
+    } else {
+      return false;
+    }
+  } else {
+    return false;
+  }
+}