
GC-1226 refactor comment

Yuki Takei před 7 roky
rodič
revize
3b9aaf1d7a
2 změnil soubory, kde provedl 49 přidání a 6 odebrání
  1. 24 6
      src/server/models/page.js
  2. 25 0
      src/server/routes/comment.js

+ 24 - 6
src/server/models/page.js

@@ -516,19 +516,38 @@ module.exports = function(crowi) {
     });
   };
 
+  /**
+   * return whether the user is accessible to the page
+   * @param {string} id ObjectId
+   * @param {User} user
+   */
+  pageSchema.statics.isAccessiblePageByViewer = async function(id, user) {
+    const baseQuery = this.count({_id: id});
+
+    let userGroups = [];
+    if (user != null) {
+      validateCrowi();
+      const UserGroupRelation = crowi.model('UserGroupRelation');
+      userGroups = await UserGroupRelation.findAllUserGroupIdsRelatedToUser(user);
+    }
+
+    const queryBuilder = new PageQueryBuilder(baseQuery);
+    queryBuilder.addConditionToFilteringByViewer(user, userGroups);
+
+    return await queryBuilder.query.exec();
+  };
+
   /**
    * @param {string} id ObjectId
    * @param {User} user User instance
    */
   pageSchema.statics.findByIdAndViewer = async function(id, user) {
-    validateCrowi();
-
-    // const Page = this;
     const baseQuery = this.findOne({_id: id});
 
-    const UserGroupRelation = crowi.model('UserGroupRelation');
     let userGroups = [];
     if (user != null) {
+      validateCrowi();
+      const UserGroupRelation = crowi.model('UserGroupRelation');
       userGroups = await UserGroupRelation.findAllUserGroupIdsRelatedToUser(user);
     }
 
@@ -547,8 +566,6 @@ module.exports = function(crowi) {
   };
 
   pageSchema.statics.findByPathAndViewer = async function(path, user) {
-    validateCrowi();
-
     if (path == null) {
       throw new Error('path is required.');
     }
@@ -558,6 +575,7 @@ module.exports = function(crowi) {
     const queryBuilder = new PageQueryBuilder(baseQuery);
 
     if (user != null) {
+      validateCrowi();
       const UserGroupRelation = crowi.model('UserGroupRelation');
       const userGroups = await UserGroupRelation.findAllUserGroupIdsRelatedToUser(user);
       queryBuilder.addConditionToFilteringByViewer(user, userGroups);
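Review bot: `isAccessiblePageByViewer` (lines 27–41 of the first hunk) is documented as returning whether the page is accessible, but it resolves to the result of a `count` query, i.e. a number, so callers get a boolean contract only through truthiness. Returning `return (await queryBuilder.query.exec()) > 0;` makes the value match the JSDoc, which should also gain `@returns {Promise<boolean>}`. Since the id is passed straight into `this.count({_id: id})`, an id that cannot be cast to an ObjectId presumably rejects the promise instead of resolving to 0, which is worth stating in the JSDoc so callers know to handle a rejection rather than a `false`. The enclosing `module.exports = function(crowi)` starts outside the hunk.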

+ 25 - 0
src/server/routes/comment.js

@@ -12,6 +12,7 @@ module.exports = function(crowi, app) {
 
   actions.api = api;
 
+
   /**
    * @api {get} /comments.get Get comments of the page of the revision
    * @apiName GetComments
@@ -24,6 +25,12 @@ module.exports = function(crowi, app) {
     const pageId = req.query.page_id;
     const revisionId = req.query.revision_id;
 
+    // check whether accessible
+    const isAccessible = await Page.isAccessiblePageByViewer(pageId, req.user);
+    if (!isAccessible) {
+      return res.json(ApiResponse.error('Current user is not accessible to this page.'));
+    }
+
     let comments = null;
 
     try {
@@ -66,6 +73,12 @@ module.exports = function(crowi, app) {
     const position = commentForm.comment_position || -1;
     const isMarkdown = commentForm.is_markdown;
 
+    // check whether accessible
+    const isAccessible = await Page.isAccessiblePageByViewer(pageId, req.user);
+    if (!isAccessible) {
+      return res.json(ApiResponse.error('Current user is not accessible to this page.'));
+    }
+
     const createdComment = await Comment.create(pageId, req.user._id, revisionId, comment, position, isMarkdown)
       .catch(function(err) {
         return res.json(ApiResponse.error(err));
@@ -121,6 +134,18 @@ module.exports = function(crowi, app) {
 
     try {
       const comment = await Comment.findById(commentId).exec();
+
+      if (comment == null) {
+        throw new Error('This comment does not exist.');
+      }
+
+      // check whether accessible
+      const pageId = comment.page;
+      const isAccessible = await Page.isAccessiblePageByViewer(pageId, req.user);
+      if (!isAccessible) {
+        throw new Error('Current user is not accessible to this page.');
+      }
+
       await comment.remove();
       await Page.updateCommentCount(comment.page);
     }
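Review bot: In the first two hunks the new access check `const isAccessible = await Page.isAccessiblePageByViewer(pageId, req.user);` runs before the handler's `try`, so a rejected promise — for instance a `page_id` that Mongoose cannot cast to an ObjectId — is not caught by the existing `catch`; assuming these are Express 4 async handlers, that leaves an unhandled rejection and a request that is never answered. Move the check and its `if (!isAccessible)` branch inside the `try` so the failure becomes an `ApiResponse.error` like the other errors in the handler, which is how the delete handler in the last hunk (lines 121–130) already does it. The handlers themselves start outside the hunks.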