
Merge pull request #1187 from weseek/restrict-to-author

Restrict to author
itizawa 6 лет назад
Родитель
Сommit
42a051aff1

+ 15 - 9
src/client/js/components/PageComment/Comment.jsx

@@ -62,6 +62,10 @@ class Comment extends React.Component {
     this.renderHtml(markdown);
   }
 
+  checkPermissionToControlComment() {
+    return this.props.appContainer.isAdmin || this.isCurrentUserEqualsToAuthor();
+  }
+
   isCurrentUserEqualsToAuthor() {
     return this.props.comment.creator.username === this.props.appContainer.me;
   }
@@ -280,15 +284,17 @@ class Comment extends React.Component {
                 </OverlayTrigger>
                 <span className="ml-2"><a className={revisionLavelClassName} href={revHref}>{revFirst8Letters}</a></span>
               </div>
-              <div className="page-comment-control">
-                {/* TODO GW-63 adjust layout */}
-                <button type="button" className="btn btn-link" onClick={() => { this.editBtnClickedHandler(commentId) }}>
-                  <i className="ti-pencil"></i>
-                </button>
-                <button type="button" className="btn btn-link" onClick={this.deleteBtnClickedHandler}>
-                  <i className="ti-close"></i>
-                </button>
-              </div>
+              { this.checkPermissionToControlComment() && (
+                <div className="page-comment-control">
+                  {/* TODO GW-63 adjust layout */}
+                  <button type="button" className="btn btn-link" onClick={() => { this.editBtnClickedHandler(commentId) }}>
+                    <i className="ti-pencil"></i>
+                  </button>
+                  <button type="button" className="btn btn-link" onClick={this.deleteBtnClickedHandler}>
+                    <i className="ti-close"></i>
+                  </button>
+                </div>
+              )}
             </div>
           </div>
         )
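Review bot: Wrapping `page-comment-control` in `this.checkPermissionToControlComment()` hides both the edit and the delete button, but the only server-side change visible in this commit is in the update handler of `src/server/routes/comment.js`; whether the remove route checks ownership cannot be seen from here and should be confirmed. Hiding the buttons is a display decision only, because the API remains callable by any logged-in user. The helper also lets `isAdmin` through while the server message reads 'Only the author can edit', so the two sides should agree on whether admins may edit. I would add a comment above the condition, for example `{/* display only: the API must enforce author/admin for update and remove */}`. The enclosing render method starts and ends outside the hunk.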

+ 1 - 0
src/client/js/services/CommentContainer.js

@@ -113,6 +113,7 @@ export default class CommentContainer extends Container {
         revision_id: revisionId,
         is_markdown: isMarkdown,
         comment_id: commentId,
+        author: this.appContainer.me,
       },
     })
       .then((res) => {

+ 5 - 0
src/server/routes/comment.js

@@ -161,6 +161,7 @@ module.exports = function(crowi, app) {
     const comment = commentForm.comment;
     const isMarkdown = commentForm.is_markdown;
     const commentId = commentForm.comment_id;
+    const author = commentForm.author;
 
     if (comment === '') {
       return res.json(ApiResponse.error('Comment text is required'));
@@ -170,6 +171,10 @@ module.exports = function(crowi, app) {
       return res.json(ApiResponse.error('\'comment_id\' is undefined'));
     }
 
+    if (author !== req.user.username) {
+      return res.json(ApiResponse.error('Only the author can edit'));
+    }
+
     // check whether accessible
     const isAccessible = await Page.isAccessiblePageByViewer(pageId, req.user._id, revisionId, comment, isMarkdown, req.user);
     if (!isAccessible) {
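Review bot: The new guard `author !== req.user.username` compares the session user with a value taken from the request body, and the `CommentContainer.js` hunk fills that field with `this.appContainer.me`, so the comparison passes for any logged-in caller and says nothing about who created the comment identified by `commentId`. The handler should look up the stored comment for `commentId` on the server and compare its creator with `req.user._id`, with an explicit admin branch if admins are meant to edit as the UI helper allows; the `author` form field can then be dropped. With placeholder names the condition would read `if (String(storedComment.creator) !== String(req.user._id))`, where `storedComment` stands for the result of that lookup and the creator field's type needs confirming against the model. The handler starts and ends outside the hunk, so a lookup that may already exist further down is not visible here.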